Privacy Policy

Last updated: March 31, 2026

BuyLegit ("we", "us", or "our") operates buylegit.app. This policy explains what data we collect, how we use it, and your rights.

What we collect

• Account data: When you register, we store your email address and a hashed (bcrypt) version of your password. We never store your password in plain text.
• Scan data: We log the URLs you submit for scanning, the domain, product name, verdict, and score. This helps us monitor abuse and improve accuracy.
• Usage data: We track how many scans you've performed this week to enforce free-tier limits.
• Server logs: Standard web server logs including IP addresses, timestamps, and HTTP request data. These are retained for up to 30 days.

What we do not collect

• We do not use third-party analytics (no Google Analytics, no tracking pixels).
• We do not sell your data to anyone, ever.
• We do not collect payment information directly — if we ever add billing, it will be handled by a certified payment processor.

How we use your data

• To provide and operate the scanning service.
• To enforce per-account usage limits.
• To detect and prevent abuse.
• To send transactional emails (e.g. password reset) if you request them.

Data storage

Your data is stored in a SQLite database on Railway infrastructure hosted in the US. We use reasonable technical measures to protect it, including encrypted connections (TLS) and hashed passwords.

Data retention

We retain your account data for as long as your account exists. Scan cache entries expire after 24 hours. You can request deletion of your account and associated data at any time by emailing hi@buylegit.app.

Cookies

We use localStorage (not cookies) to store your authentication token client-side. No tracking cookies are set.

Third-party services

• Anthropic Claude API: Product page content is sent to Anthropic's API for analysis. See Anthropic's privacy policy.
• Google Fonts: Font files are loaded from Google's CDN. Google may log this request.
• Railway: Our infrastructure provider. See Railway's privacy policy.

Your rights

You have the right to access, correct, or delete your personal data. To exercise these rights, email hi@buylegit.app and we'll respond within 30 days.

Changes to this policy

We may update this policy occasionally. We'll update the "last updated" date at the top. Continued use of the service after changes constitutes acceptance.

Contact

Questions? Email us at hi@buylegit.app.