Grail Atlas — Privacy

Last updated: 2026-06-02 (legal hold exceptions, DSAR response language)

What this is

Grail Atlas is a passion project, not a business. It's a watch-research site I run for myself and other enthusiasts who love watches. Nothing here is for sale and there are no "customers" — just fellow enthusiasts.

The legal language below is the absolute minimum needed to be honest about what runs on the site, and to give anyone who's signed up a clean way to see what data is on file and to delete it.

What I collect, and only when you give it

You browse anonymously. Nothing about you is recorded for the public pages — references, the Atlas, the Notebook, guides, and the (currently empty) deal feed don't write a row, don't drop a tracking cookie, and don't fingerprint your browser. A handful of essential cookies handle CSRF protection and your cookie-banner choice; that's it.

Newsletter (the Grail Notebook) — if you sign up, I record:

the email you typed,
the page you signed up from,
the IP address and timestamp at the moment you click the double-opt-in confirmation link.

The IP + timestamp + page is the proof that you really did opt in, not someone else with your email. It's the only thing I'd point at if you ever told me "I never signed up for that." It's not used for anything else and never leaves the database.

Account features — if you create an account to save a Grail List or saved searches, I record your email + a salted password hash + the search constraints and watch ids you choose to save. There is no analytics overlay on logged-in behavior; the saved rows are the only record.

Vercel speed + web analytics — Vercel collects aggregate page performance and visit counts so I can tell if a page is broken. Vercel's analytics is privacy-first by design: no cookies, no fingerprinting, IPs hashed before storage. (Toggle: I can turn this off entirely if you'd rather not be counted; tell me at the address below.)

That's the whole list. No third-party trackers, no ad networks, no data brokers, no Google / Meta / TikTok pixels, no sales of anything to anyone.

What I never collect

Payment information. There's nothing to pay for.
Government ID, real name (unless you put one in your account), date

of birth, phone number, address.

The contents of any link or page you visit on third-party sites.
Microphone, camera, location, contacts. The site doesn't ask the

browser for any of those.

Your data, on your terms

If you've signed up for the newsletter or an account, you can ask me:

What do you have on me? I'll send you a JSON dump of every row

attached to your email — newsletter entry, saved searches, Grail List, account row.

Forget me. I'll delete every row attached to your email and

confirm by email when it's done.

When you submit a privacy request, we will: (1) acknowledge receipt; (2) verify your identity before processing; (3) respond to your confirmed request within the legally required period for your location.

Response timelines depend on your location. Under GDPR (EU/EEA and UK), we respond within one month. Under CCPA and US state privacy laws, we respond within 45 days. Under other applicable laws, we respond within the legally required period. Where complex requests require additional time, we will notify you within the initial response window.

If we are unable to complete a deletion request at this time (for example due to a legal hold), we will write to explain why and confirm your right to raise a complaint with your national data protection authority.

If you are unhappy with how we have handled your request, you have the right to complain to a supervisory authority. In the UK, this is the ICO (ico.org.uk). In the EU, contact your national Data Protection Authority.

Interim, manual flow (today). The automated form isn't wired up yet -- it depends on infrastructure that hasn't shipped. Until it does, the way to make either request is to email privacy@grailatlas.com from the address tied to your signup. I reply from the same address to confirm I got the request, and again when the action is done. The reply with your data or the deletion receipt always goes to the email on file -- nowhere else.

Automated flow (when it lands). The plan is a per-request confirmation pattern: you submit your email through a form on the site; the site emails a single-use confirmation link to that address; you click the link; the action runs and the result is emailed back to the same address. The important property the design preserves: a previously-confirmed signup is not enough. Last week's signup-confirm link cannot authorize today's deletion -- each privacy request gets its own per-request email. Anti-enumeration is built in: the form always replies "if anything is on file, you'll get an email," whether the address exists or not.

There's no formal "Data Protection Officer" -- see "What this is" above. If something feels off, email me directly: privacy@grailatlas.com.

Email communications and unsubscribing

You may unsubscribe from any non-essential email communications (launch notifications, pricing alerts, brand updates) at any time by clicking the unsubscribe link in any email or by visiting grailatlas.com/unsubscribe.

Unsubscribing stops future emails immediately and is recorded in the audit log. It does not delete your data. The record that you signed up -- including the timestamp and source -- is retained as evidence of your consent and for anti-abuse purposes, consistent with the retention schedule below.

If you also wish to delete your data, submit a separate request at grailatlas.com/privacy/request.

Unsubscribe is not erasure

Unsubscribing from emails and requesting deletion of your data are different things. Unsubscribing stops communications. Deletion removes your data from our systems subject to our retention policy. You may do both, either, or neither.

How long we keep your data

Data is held while your account is active and for a reasonable period after deletion to allow for recovery requests, fraud prevention, and legal compliance. Specific retention periods vary by data type and applicable legal requirement.

Account data (email, display name, preferences): retained while your

account is active, plus 30 days after deletion to allow for account recovery. If you submit an erasure request, deleted sooner subject to legal hold exceptions.

Grail list entries (notebook): retained while your account is active.

Deleted on account deletion or erasure request, subject to exceptions.

**Email subscription records (launch list, pricing notifications, brand

alerts):** retained for up to 24 months from your last interaction, or until you unsubscribe and request erasure. The unsubscribe event itself is logged indefinitely as an audit record.

Privacy and consent records: retained for the longer of 3 years or

the period required by applicable law. These records cannot be deleted on erasure request -- they are legal compliance records.

Safety and abuse records: data associated with accounts flagged for

abuse, harassment, or fraud is retained for as long as necessary to protect the safety of other users and the integrity of the service. This period may extend beyond account deletion.

Server logs: anonymized or hashed within 90 days. Never used for

profiling.

When we cannot immediately delete your data

Erasure requests are processed promptly. There are situations where deletion must wait or cannot happen. Under Art. 17(3) GDPR and equivalent law, we may retain data where:

Retention is necessary to establish, exercise, or defend legal claims.
Deletion would prevent us from meeting a legal obligation.
The account was flagged for abuse, harassment, fraud, or other conduct that

harmed other users or the integrity of the service, and the data is needed to document or respond to that conduct.

A hold has been placed at the direction of legal counsel or in response to

a law enforcement request.

In any of these cases, we will acknowledge your request and process it as soon as the retention basis expires or is resolved. Data held under a legal hold is not used for marketing and is kept in restricted access.

Service providers

The full, current list of third parties that process site traffic or data on Grail Atlas's behalf is at /legal/sub-processors. The short version of what's actually running today:

Vercel — hosting + edge runtime; cookieless Web Analytics +

Speed Insights (gated by your consent choice).

Supabase — Postgres database that holds the rows described

above; Supabase Auth handles sign-in sessions.

Upstash — Redis-backed rate limiting (counters keyed by hashed

IP, not by anything tied to you).

Cloudflare — DNS + domain registrar for grailatlas.com.
Resend — transactional

email delivery. Your email address is sent to Resend when the site needs to send you a confirmation, deletion receipt, or digest. No browsing history or saved-list contents are included.

Voyage AI — natural language search. When you type a query into

the search bar, the query text is sent to Voyage AI to generate a search embedding. No account or identity data is included.

Anthropic — blog draft generation (authoring time only, not

runtime). The weekly blog-draft cron job sends editorial prompts drawn from public catalog data to Anthropic. No visitor traffic, email, or account data is ever sent to Anthropic.

Several services are wired into the codebase but not yet receiving any data — Cloudflare R2 for photo storage (currently served from Vercel), Mapbox for a future map UI, DeepL for translation, Railway for any post-launch worker jobs. The sub-processors page flags each one's state ("active" vs "configured, not transmitting") honestly. The privacy policy will be updated the same day any of those starts handling actual data.

Each active service is bound by their own terms (linked from the sub-processors page). None receive a list of your searches or reading history — only the technical traffic each one needs to do its job.

Where the site is hosted

Vercel's network is global; the project's primary database is in their US-East region. If you're in the EU and don't want your data sent to the US, the cleanest answer is to not sign up — every public page works anonymously.

Children

The site isn't aimed at kids and nothing about it requires anyone to read it. If you're under 18, don't create an account; the watches in the catalog are mostly things adults buy with adult-paycheck money anyway.

Changes

If I change anything material here, the "Last updated" date at the top will change and (if you're subscribed) the newsletter will mention it in the next issue. I won't quietly re-scope what the site does with your data.

How to reach me

Privacy questions or requests: privacy@grailatlas.com
Security disclosure: /security
General contact: /legal/contact

This page is what I actually do. It's not what a lawyer told me to write, and there's no fine print under it. If something on this page doesn't match how the site actually behaves, that's a bug — email me.