Spot Bot

Privacy Policy

Last updated: 20 May 2026

This page explains in plain English what Spot Bot (the site at spot-bot.co.uk) stores about you, who else might see it, and how to delete it. It applies whether you use Spot Bot anonymously or with a signed-in account.

TL;DR. Without an account: nothing personal leaves your browser except basic server logs & ads. With an account: we store your email, your portfolio data and your billing-link (handled by Stripe), so the site can sync, send alerts, and run subscriptions. We never sell or share your data with anyone except the named processors below, all of whom we use only to deliver the service. You can delete everything with one click in Settings, and we'll erase you from our database, our photo storage, and Stripe.

1. What we store, and when

Without an account (anonymous use)

You can use the Calculator, Charts, Ratios, History, Convert and Portfolio tools without creating an account. In that mode:

  • Your portfolio items and view preferences live only in your browser's localStorage — they never reach our server.
  • We don't know who you are. We never see your portfolio.
  • Server logs (see §6) and ad-related data (see §5) are the only data points we have on you.

With an account (free or Pro)

When you sign up with your email address, we create a row in our database containing:

  • Your email address (the only piece of identifying information you give us)
  • An internal random ID for your account
  • Account creation timestamp
  • Your display currency preference (e.g. GBP)
  • Your summary-email frequency if set (off / daily / weekly / monthly)
  • Your subscription tier and expiry date, if you've upgraded to Pro
  • Your Stripe customer ID, if you've made a purchase (so we can let you manage billing)
  • Your affiliate code, if you used one — so we can attribute the signup
  • Your share-link token, if you've enabled public portfolio sharing
  • Hashed magic-link tokens (15-minute lifespan, deleted immediately after use) and hashed session tokens (90-day rolling lifespan, deleted on sign-out)
  • IP address & user-agent of each sign-in (for security; tied to that session row only)

Your portfolio (signed-in users)

Once signed in, your portfolio is mirrored from your browser to our database so it syncs across devices. We store, per item, exactly the fields you entered in the Add Item form:

  • Metal, purity, weight (and unit), quantity, category, tags
  • Optional purchase price, purchase date, storage location, notes
  • Any photo you upload (resized to 600px, stored in Cloudflare R2 object storage)
  • Internal timestamps for sync (created/updated)

We do not analyse, mine, or otherwise process the contents of these fields. Notes, storage locations and photos sit in our database / object store and are returned only to you (or, for sharing, only the non-private subset — see §2).

Engagement features (Pro)

  • Price alerts: the metal, direction, threshold and currency you configured, plus an internal "last fired" timestamp.
  • Portfolio summaries: we store the totals from your most recent summary email (melt value, cost basis, premium, per-metal breakdown) so the next email can show period-over-period change. No item-level history is kept beyond what's in your live portfolio.
  • Feedback submissions: when you use the in-app feedback form, we store your message, your account email, your user-agent string, and the timestamp.
  • Coin-ID corrections: if you submit a correction to an AI coin identification, we store the corrected coin specification (name, metal, purity, weight), the AI's original answer, your account email, and — so an admin can verify it — the coin photo you scanned. Approved corrections feed an anonymous coin-specification catalog (coin type → standard weight/purity) that improves identification accuracy for everyone; that catalog holds no personal data. You can ask us to delete a submitted correction at any time.

2. Who can see your data

You

You can see everything we have on you. Portfolio data, alerts and summary preferences are visible directly in the app. Email [email protected] if you'd like a full data export in a structured format.

Us (the operator of Spot Bot)

The admin panel exposes the user list (email, signup date, item count, tier, affiliate code) to designated admin email addresses listed in our server configuration. We can read item-level data via direct database access if we need to investigate a bug or fulfil a support request, but this is a rare and audited action. We never look at item-level data routinely.

The public — only if you opt in

If you enable a public share link in Settings, the resulting /p/<token> URL becomes readable by anyone who has the link. The shared view shows:

  • Per item: metal, purity, weight, quantity, category, current value at spot
  • Aggregate: total value, per-metal breakdown
  • Only if you tick "Also show cost basis & P&L": total cost, total premium paid, profit/loss

Public share links never expose: your email, your account ID, your photos, your notes, your storage locations, item tags, or purchase dates. You can rotate the token (invalidating the old link) or disable sharing entirely at any time from Settings.

3. Third parties we use to deliver the service

We use a small set of named processors so the site can function. We send each only the minimum data needed, and we don't share data between them for marketing or any other secondary purpose.

Cloudflare (hosting, database, object storage, email-delivery routing)

Operated by Cloudflare, Inc. Stores the site, runs the API, hosts the D1 database (where your account row + portfolio items live) and the R2 object store (where your photos live). All data is encrypted at rest. Cloudflare also keeps short-term request logs (see §6).

Stripe (subscription billing)

Operated by Stripe Payments Europe, Limited. When you upgrade to Pro, we redirect you to Stripe's hosted checkout. We send Stripe: your email, the plan you chose, your internal account ID and any affiliate code, in the checkout session metadata. Stripe collects and stores your payment-method details directly — we never see or store your card number, CVV, billing address, or any other payment information. Stripe returns to us a "customer ID" and the resulting subscription state (active / past due / cancelled). Stripe's privacy policy: stripe.com/privacy.

Resend (transactional email)

Operated by Resend, Inc. We use Resend to deliver: magic-link sign-in emails, price-alert emails, portfolio-summary emails, and feedback notifications to the admin inbox. We send Resend: your email address and the email contents. Resend's privacy policy: resend.com/legal/privacy-policy.

Anthropic (AI document parser — Pro feature only)

Operated by Anthropic, PBC. When a Pro user uses the "Scan / import" feature, we send the uploaded file (image, PDF or text) plus our parsing prompt to Anthropic's Claude API. We do not send your email, account ID, portfolio, or any other identifying information — only the file you uploaded and our generic prompt. Anthropic's API is configured for transactional use (responses are not used to train models). Anthropic's privacy policy: anthropic.com/legal/privacy.

metalpriceapi.com (spot price data)

Our server fetches live spot prices from metalpriceapi.com. Your browser does not contact them directly — our server proxies the request, so they receive only our server identity, not your IP address or any user-specific data.

4. What we don't do

  • We never sell, rent or share your data for marketing or any secondary purpose.
  • We don't load any analytics until you opt in — see "Marketing & analytics measurement" below. Decline, and no analytics script runs and no analytics cookie is set.
  • We don't profile users or build advertising audiences from your portfolio, and we never use the contents of your holdings for marketing.
  • We don't analyse the contents of your portfolio, photos, notes or storage-location fields.
  • We don't share data between the third-party processors listed in §3 — each only sees what it needs to perform its specific job.

Marketing & analytics measurement (opt-in only)

If you accept the cookie banner that appears on your first visit, we load two third-party measurement scripts: Google Analytics (Google's gtag.js) and the Meta Pixel. Neither script is fetched, no requests are sent to Google or Meta, and no Google or Meta cookies are set, unless you explicitly accept. Declining loads nothing.

Google Analytics helps us understand which pages and tools people use, so we can improve the site. On the pages you view it records the page URL and title, your approximate location (derived from IP by Google — we don't store your IP), device and browser type, and a randomly-generated visitor identifier stored in Google's _ga cookie. We have not linked Google Ads, so it is used for site analytics, not ad targeting.

  • Legal basis: your consent (UK GDPR Article 6(1)(a)).
  • Where it goes: Google Ireland Ltd. Google's privacy policy is at policies.google.com/privacy.

The Meta Pixel tells Meta (Facebook / Instagram) that you reached our site, so we can measure whether our advertising on those platforms is working.

  • What gets sent on every page: the URL you're on, your IP address (as standard with any web request), your browser user-agent, and a single random Meta-set identifier (_fbp cookie) that distinguishes your browser from others.
  • What gets sent on conversion events (sign-in completion, checkout start, Pro subscription): the event name plus, for paid events, the currency.
  • Advanced matching: When you enter your email into our sign-in form, that email is SHA-256 hashed in your browser and sent alongside the event. The hash is one-way at our end, but Meta can match it against the same hash of an email they already hold — letting them attribute the visit to a Facebook / Instagram account if you have one. We do this so we can measure which of our adverts are driving real sign-ups. No password, code, portfolio data, item details or photos are ever included. Hashing happens before the data leaves your device.
  • Legal basis: your consent (UK GDPR Article 6(1)(a)).
  • How to withdraw consent: clear your browser's site data for spot-bot.co.uk, or run SpotBotConsent.reset() in the browser console and the banner will reappear on the next page load so you can decline.
  • Where it goes: Meta Platforms Ireland Ltd (Dublin) acting as joint controller with us for this single processing activity. Meta's data policy is at facebook.com/policy.php.

Declining the banner permanently disables both Google Analytics and the Meta Pixel on your browser. We will never load either without consent. To change your mind, clear your browser's site data for spot-bot.co.uk (or run SpotBotConsent.reset() in the console) and the banner reappears on the next page load.

5. Cookies & local browser storage

Cookies we set ourselves

  • sb_session — an HttpOnly, Secure, SameSite=Lax session cookie set when you sign in. Holds nothing but a random opaque token. 90-day lifespan; deleted on sign-out. Strictly necessary for authentication.

Third-party cookies (opt-in only)

These are set only if you accept the cookie banner. Decline, and none of them are ever created:

  • _ga and _ga_<id> — Google Analytics. Distinguish your browser and remember your session for visit measurement. Up to 2-year lifespan (Google's default).
  • _fbp — Meta Pixel. A single random identifier that distinguishes your browser, as described in §4 above.

We do not run any other third-party tracking cookies, and we do not run a display-advertising network on this site.

Anonymous live-visitor count

To monitor how many people are using the site at any moment, each open page sends a lightweight "still here" ping to our own server roughly once a minute, carrying a random identifier that exists only in the page's memory and is discarded the instant you close the tab. It is not a cookie, nothing is stored on your device, and it cannot recognise you on a later visit or link to your account. We keep only an aggregate count; individual ping records are deleted within minutes. This needs no consent because nothing is stored on your device.

Local browser storage (signed-out users)

The following preferences live only in your browser's localStorage and never leave the device:

  • Your portfolio items, photos (as base64) and view preferences
  • Display currency selection
  • Chart and history-tab preferences
  • Cookie consent decision
  • Internal flags (dismissed banners, last-sync timestamps for signed-in users)

When you sign out, we wipe your portfolio cache from localStorage so the next person on the device doesn't see your data. If a different account signs in on the same browser, we wipe local data again before adopting their portfolio.

6. Server & security logs

Cloudflare retains short-term technical logs of incoming requests (IP address, user agent, timestamp, requested URL, HTTP status). These are used only for security monitoring, abuse detection and reliability investigations. We do not link these logs to account data routinely. Typical retention is a few days.

7. Data retention

  • Magic-link tokens: 15-minute lifespan, deleted immediately after use. Hashed in storage.
  • Sessions: 90 days rolling, refreshed on use. Deleted on explicit sign-out. Hashed in storage.
  • Portfolio items, photos, alerts, preferences: retained for as long as your account exists, then deleted on account erasure (see §9).
  • Summary snapshots: we keep only the most recent one per user (overwritten on each summary send).
  • Feedback submissions: retained indefinitely for product-improvement purposes unless you ask for them to be deleted.
  • Stripe data: handled per Stripe's retention policy. We trigger Stripe customer deletion when you delete your Spot Bot account.
  • Cloudflare access logs: short-term (days), controlled by Cloudflare.

8. Security

  • The site is served over HTTPS only.
  • D1 (database) and R2 (photos) are encrypted at rest by Cloudflare.
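  • Session cookies are HttpOnly, Secure, SameSite=Lax — not accessible to JavaScript and not sent on cross-site subrequests or cross-site form posts (with Lax, the cookie is still sent when you follow a link to the site from elsewhere).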
  • Magic-link and session tokens are stored as SHA-256 hashes, never in plaintext.
  • Cron-driven endpoints (alerts, summaries) are protected by HMAC-signed secrets.
  • All third-party API keys (Stripe, Resend, Anthropic, metalpriceapi) live in server-side environment variables — never exposed to the browser.

If you believe you've found a security issue, please email [email protected] with the details. We'll respond as quickly as we can.

9. Your rights under UK GDPR

As a UK-based service we operate under the UK GDPR and the Data Protection Act 2018. You have the right to:

  • Access — request a copy of any personal data we hold on you. For signed-in users, most of this is visible in the app and in Settings already.
  • Rectification — correct anything inaccurate. Most fields are user-editable directly.
  • Erasure — request that we delete you entirely. The fastest way is the "Delete my account" button in Settings → Danger zone. This wipes your portfolio, every photo, every alert, every preference, your Stripe customer record (cancelling any active subscriptions), and your user row — all within seconds. You can also email us to request manual erasure.
  • Portability — request your data in a machine-readable format. CSV / JSON exports are available directly from the Portfolio tab.
  • Object — to any processing based on legitimate interests.
  • Complain — to the UK Information Commissioner's Office at ico.org.uk if you believe we've handled your data incorrectly.

Email [email protected] to exercise any rights that aren't already available as in-app actions. We aim to respond within one calendar month.

10. Legal bases for processing

Under UK GDPR we rely on the following legal bases:

  • Contract — for storing account data, portfolio items, sending Pro feature emails, and processing payments. Without this data we can't deliver the service.
  • Legitimate interests — for short-term security logging, abuse detection, and the feedback inbox. You can object at any time.
  • Legal obligation — where we're required by law to retain certain records (e.g. transaction records for tax purposes; Stripe handles most of this).

11. International transfers

Our processors operate globally. Cloudflare, Stripe, Resend and Anthropic may process data in the US or other jurisdictions. Each has appropriate safeguards in place (Standard Contractual Clauses and equivalent mechanisms recognised under UK and EU adequacy frameworks). The minimum-necessary data we send to each — listed in §3 — limits exposure.

12. Children

Spot Bot is not directed at children under 13, and we do not knowingly collect data from anyone in that age group. If you believe a child has signed up, email us and we'll delete the account.

13. Updates to this policy

We may update this policy as the service changes (e.g. new features, new processors). Material changes are reflected by an updated "last updated" date at the top of this page. If we add a substantively new use of your data, we'll prompt you for renewed consent where appropriate, and existing-account holders will be notified by email.

14. Contact

Spot Bot is operated by Oliver's Bullion Ltd, CRN 16170646, VAT No. GB 487502663. For any privacy question, data-rights request, VAT invoice request or security issue: [email protected].

Disclaimer: Prices are sourced from a third-party live market data feed and are provided for guidance only. Figures are not a financial offer or commitment to buy or sell.

© 2026 Spot Bot · spot-bot.co.uk. All rights reserved.