Privacy Policy
Last updated: March 20, 2026
1. Introduction
GotIt ("the Service") is a home inventory application operated by GotIt ("we," "us," or "our"). This Privacy Policy describes what information we collect, how we use it, and the choices available to you.
By using the Service, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with these practices, do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Display name
- Password (stored only as a one-way cryptographic hash; we do not store your plaintext password)
- Phone number (optional, if you choose to provide it)
2.2 Inventory Data
The core purpose of the Service is to store information about items you own. This includes:
- Item names, descriptions, brands, models, and serial numbers
- Photographs you upload
- Purchase prices, estimated values, and purchase dates
- Locations, categories, tags, and notes
- Warranty and insurance information
- Receipt images and purchase records
- Estate planning designations: beneficiary names, relationships, contingent beneficiary names and relationships, and special instructions you enter for individual items
You control what inventory data you enter. We do not require any specific fields beyond an item name.
2.3 Usage Data
We record:
- Login timestamps (date and time of your most recent login)
- Account creation date
- AI feature usage counts (number of AI identifications used per billing period)
We do not use third-party analytics services, advertising trackers, or behavioral profiling tools. We do not embed tracking pixels, social media widgets, or fingerprinting scripts.
3. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Service (inventory storage, search, organization)
- Authenticate your identity and manage your account
- Process your photographs through AI identification when you request it
- Send transactional emails related to your account (such as household invitations)
- Enforce subscription tier limits
- Respond to support requests
We do not use your data to build advertising profiles, train AI models, or generate revenue outside of the subscription fees for the Service itself.
4. Third-Party Service Providers
The Service uses the following third-party providers to operate. Each receives only the data necessary for its function:
4.1 Anthropic (AI Processing)
When you use AI-powered identification, your item photographs are transmitted to Anthropic's API for analysis. Anthropic receives the image data and returns structured information (brand, model, estimated value, etc.). Anthropic's use of this data is governed by Anthropic's own policies. We have no control over how Anthropic handles data once it is transmitted to their systems.
Be mindful of what you photograph. Any image you submit for AI identification is transmitted to Anthropic. Do not submit photographs containing sensitive personal information (government IDs, financial documents, medical records) unless you are comfortable with a third party processing that image.
4.2 Resend (Email Delivery)
We use Resend to deliver transactional emails such as household invitations. Resend receives the recipient's email address and the email content. Resend's data practices are governed by their own privacy policy.
4.3 Feedback Analysis
When you submit feedback through the in-app feedback tool, your feedback message, the page you were on, and the time of submission may be analyzed to identify patterns and improve the Service. This analysis may involve third-party AI services. Your name and email address are not included in any analysis — feedback is processed in aggregate form only. Individual feedback items are never shared publicly or attributed to specific users outside of the administrative context in which they were submitted.
4.4 Let's Encrypt (SSL Certificates)
Our web server automatically obtains SSL certificates from Let's Encrypt. This process transmits our domain name to Let's Encrypt but does not involve your personal data.
5. Photographs and Image Processing
When you upload a photograph:
- The image is re-encoded before storage to remove EXIF metadata (GPS coordinates, device information, timestamps embedded by your camera). This stripping is performed automatically.
- HEIC/HEIF images (common on iPhones) are converted to JPEG format during this process.
- The processed image is stored on our infrastructure. It is not stored on third-party cloud services.
- If you request AI identification, the image is transmitted to Anthropic as described in Section 4.1.
6. Cookies and Authentication
We use two HTTP-only cookies for authentication:
- Access token — expires after 15 minutes. Used to verify your identity on each request.
- Refresh token — expires after 7 days. Used to issue new access tokens without requiring you to log in again.
These cookies are marked HTTP-only (not accessible to JavaScript), secure (transmitted only over HTTPS), and SameSite strict (not sent with cross-site requests). They contain authentication tokens, not personal data.
We do not use advertising cookies, analytics cookies, or any other tracking cookies. The only cookies set by the Service are the two authentication cookies described above.
7. Data Storage and Security Measures
Your data is stored on infrastructure we operate. We implement the following security measures:
- Passwords are hashed using bcrypt with a computational cost factor, making them infeasible to reverse
- All connections use HTTPS with automatically renewed SSL certificates
- Authentication tokens use signed JWTs with short expiration periods
- Account lockout is enforced after repeated failed login attempts
No system is perfectly secure. While we implement these measures to protect your data, we cannot and do not guarantee that unauthorized access, data loss, or security breaches are impossible. You use the Service with this understanding.
8. Data Retention and Deletion
8.1 While Your Account Is Active
We retain your data for as long as your account exists. Items you delete within the app are soft-deleted (hidden from your view but retained in the database) unless permanently removed by an administrator.
8.2 Account Deletion
When an account is deleted by an administrator:
- All account data is permanently deleted from the active database, including items, photos, purchase records, locations, categories, and notifications
- Stored photographs are deleted from our file storage
8.3 Backups
We maintain automated database backups. Deleted data may persist in backup archives for a limited period. Backups are maintained for disaster recovery purposes and are not used to restore individual accounts or data once deleted from the active system.
9. Children
The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, contact us and we will delete it.
10. Your Choices
- AI identification is optional. You can add items manually without ever using AI features. No photographs are sent to third parties unless you initiate an AI identification.
- Phone number is optional. You can use the Service without providing one.
11. Data Sharing
We do not sell, rent, or trade your personal information to third parties. Data is shared only with the third-party service providers described in Section 4 and only to the extent necessary for their function.
We may disclose information if required to do so by law or in response to valid legal process (such as a court order or subpoena).
12. Household Sharing
If you participate in a household with other users, all members of that household can view the household's inventory data according to their assigned role. If you add items, photos, or other data to a shared household, other members of that household can access it.
Household owners can invite new members and assign roles. By accepting a household invitation, you acknowledge that your display name and email address are visible to other members of that household.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes are effective when posted on this page with an updated "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
14. Contact
If you have questions about this Privacy Policy or your data, contact us at [email protected].