Privacy Policy

We collect the following categories of information when you use WristRotation:

• Account information — your name and email address, provided during registration.
• Watch collection data — brands, models, reference numbers, serial numbers, specifications, images, and notes you enter about your watches.
• Financial data — purchase prices, currencies, and market valuations you record for your watches.
• Usage data — wear logs, accuracy measurements, and other tracking data you create within the app.
• Analytics data — anonymous, aggregated performance and usage metrics collected automatically by Vercel Analytics and Vercel Speed Insights (e.g., page views, web vitals, country of origin). This data does not include personal identifiers, IP addresses, or any information about your watch collection.

We do not use tracking pixels, fingerprinting technologies, or advertising trackers.

• Password security — passwords are hashed using bcrypt, a one-way irreversible algorithm. We never store or have access to your plain-text password.
• Encryption in transit — all data transmitted between your browser and our servers is encrypted using HTTPS (TLS).
• Encryption at rest — our database provider (Neon) encrypts all stored data at the infrastructure level.
• Data isolation — every database query is scoped to your user account. Users can only access their own data.
• Image metadata — EXIF metadata (which can contain location and device information) is automatically stripped from images before storage.

Your data is used solely to provide the features of WristRotation:

• Displaying and managing your watch collection
• Generating wear statistics, accuracy tracking, and market value analytics
• Enabling data export and account management

We do not:

• Sell your data to third parties
• Share your data with third parties for marketing or profiling
• Use your data for advertising purposes
• Train machine learning models on your data

We may disclose data if required by law (e.g., in response to a valid subpoena or court order).

Under the General Data Protection Regulation (GDPR), we process your data on the following legal bases:

• Performance of a contract (Art. 6(1)(b)) — processing your account information and collection data is necessary to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)) — session cookies are necessary for authentication and security of the service.

We use the following third-party infrastructure providers to operate WristRotation. Your data passes through these services as necessary to deliver the app. Each provider has its own privacy policy:

• Vercel — application hosting, server infrastructure, analytics (page views and custom events via Vercel Analytics), and performance monitoring (web vitals via Vercel Speed Insights). Analytics data is anonymous and aggregated. Privacy Policy
• Neon — PostgreSQL database hosting. Stores all user data including account information, collection data, and financial data. Privacy Policy
• Cloudflare R2 — file storage for uploaded watch images. Privacy Policy
• Resend — transactional email delivery for password reset emails (which contain your email address). Privacy Policy

Data is shared with these providers only as necessary to operate the service. None of these providers use your data for their own marketing or profiling purposes.

WristRotation is hosted on infrastructure operated by US-based companies (Vercel, Neon, Cloudflare, and Resend). If you are located in the EU/EEA, your data is transferred to and processed in the United States.

Our infrastructure providers maintain data processing agreements that include Standard Contractual Clauses (SCCs) approved by the European Commission, which provide appropriate safeguards for cross-border data transfers under GDPR.

You have the following rights regarding your personal data:

• Access and portability — export all of your data as JSON at any time from Settings › Data & Privacy.
• Rectification — edit your watch data, account email, and password at any time through the app.
• Erasure — delete specific data categories (wear logs, accuracy measurements, market values) or delete your entire account and all associated data from Settings.
• Restriction and objection — contact us at the email below to request restriction of processing or to object to specific data uses.

These rights are provided under GDPR (Articles 15–20) and CCPA (Cal. Civ. Code §1798.100–125). We will respond to any data rights request within 30 days.

WristRotation uses a single cookie: a session cookie set by our authentication system (Auth.js) to keep you signed in. This cookie is essential for the app to function and is classified as a “strictly necessary” cookie under the ePrivacy Directive.

Vercel Analytics and Speed Insights collect anonymous performance data without using cookies or storing personal identifiers. We do not use tracking cookies, advertising cookies, or any other non-essential cookies.

Your data is retained for as long as your account is active. When you delete data (individual records, data categories, or your entire account), it is permanently and irreversibly removed from our database. We do not use soft-deletion or retain deleted data in backups beyond standard database provider retention windows.

In the event of a data breach that affects your personal data, we will notify affected users without undue delay. Where required by GDPR, we will also notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

For privacy-related questions, data rights requests, or concerns about your personal data, contact us at:

support@wristrotations.com

We may update this Privacy Policy from time to time. If we make material changes, we will notify users via an in-app notification or email. The “Effective date” at the top of this page indicates when the policy was last revised.

Continued use of WristRotation after a policy update constitutes acceptance of the revised terms.