Privacy Policy.
This Privacy Policy (“Privacy Policy”) explains how ThisIsDisco Ventures, LLC, a Massachusetts limited liability company (“Ricasso”, “Company”, “we”, “us”, or “our”), collects, uses, discloses, retains, and protects information in connection with the Ricasso mobile application for iOS and Android, the website located at www.ricasso.app, related Ricasso services, features, and content, and the companion merchandise storefront to the limited extent described below (collectively, the “Platform” or “Service”).
This Privacy Policy is intended to be read together with our Terms of Service, Cookie and Tracking Notice, Privacy Rights Summary Notice, Do Not Sell or Share notice, Targeted Ad Preferences notice, Accessibility Statement, and any other privacy or product-specific notices we provide. Capitalized terms not defined in this Privacy Policy have the meanings given in the Terms of Service.
This Privacy Policy is written to reflect Ricasso’s V1 launch posture. At launch, Ricasso is intended for adult United States users only; the app is distributed in the United States only through Apple App Store and Google Play region settings; the website is a landing page and waitlist surface only; and there is no functional web vault or web account login. If those facts change, this Privacy Policy should be updated before the change is released.
IMPORTANT SECURITY TRANSPARENCY. AT LAUNCH, RICASSO USES HTTPS/TLS IN TRANSIT AND FIREBASE/GOOGLE CLOUD ENCRYPTION AT REST WITH GOOGLE-MANAGED KEYS. FIELD-LEVEL ENCRYPTION OR CLIENT-SIDE ENCRYPTION OF SENSITIVE VAULT FIELDS IS NOT LIVE AT LAUNCH. RICASSO PERSONNEL WITH APPROPRIATE ADMINISTRATIVE ACCESS MAY BE TECHNICALLY ABLE TO ACCESS USER VAULT DATA IN PLAINTEXT THROUGH FIREBASE OR ADMINISTRATIVE TOOLS. CLIENT-SIDE OR FIELD-LEVEL ENCRYPTION IS PLANNED FOR A FUTURE VERSION AND SHOULD NOT BE TREATED AS CURRENTLY AVAILABLE UNLESS RICASSO EXPRESSLY CONFIRMS IT IN AN UPDATED POLICY OR IN-APP NOTICE.
1. Scope and Applicability
This Privacy Policy applies to information we collect from or about Users and visitors when they use the Platform, create an Account, join a waitlist, contact us, request support, request deletion, subscribe to paid features, request marketplace comparables, scan or enter UPC codes, upload photos, export data, use account deletion tools, or otherwise interact with Ricasso.
This Privacy Policy does not apply to the practices of third parties that Ricasso does not own or control. For example, Apple, Google, Shopify, Stripe, Printful, eBay, UPC providers, Google Fonts, Firebase/Google Cloud, and other vendors or linked sites may process information under their own privacy policies and terms. Where those parties act as our service providers or processors, we use them to operate the Platform. Where they act as independent platforms or controllers, their own policies govern their practices.
2. Categories of Information We Collect
The categories below describe the information Ricasso collects at launch or may collect as the Platform evolves. We do not collect every item in every category from every User.
2.1. Account Information.
When you create an Account, we collect your email address, display name, password credential handled by Firebase Auth, Firebase UID or similar account identifier, account creation timestamp, authentication status, email verification status, and related Account settings. Ricasso does not collect full legal name, phone number, physical address, date of birth, government identification, profile photo, or payment card information at account creation.
2.2. Authentication and Security Information.
Firebase Auth handles signup, login, password reset, and authentication tokens. Ricasso does not receive or store your plaintext password. We may collect authentication events, failed login events, password-reset metadata, account-deletion records, Terms acceptance records, version acceptance logs, security alerts, and related records necessary to operate and secure the Service.
2.3. Vault and Collection Information.
You may enter or upload information about knives and edged tools, including brand, model, variant, model number, type, blade length, blade material, steel type, handle material, handle color, deployment, lock type, edge type, condition, weight if available, notes, UPC, photo count, timestamps, acquisition source, seller handle, acquisition date, purchase price, proof-of-purchase reference or image, serial number, storage location notes, status, sale price, sale date, buyer handle, disposition notes, event ledger entries, maker submissions, and similar collection records.
2.4. Sensitive Vault Information.
Certain vault fields may be sensitive, including serial numbers, purchase prices, sale prices, storage location notes, buyer or seller handles, proof-of-purchase images, and lost/stolen status. At launch, these fields are not field-level encrypted or client-side encrypted. We process them to provide the Service to you and do not sell, share, license, rent, aggregate, or use them for advertising, market research, AI training, or third-party use at launch.
2.5. Photos and Media.
You may take or upload photos of collection items and proof-of-purchase images. Photos are stored in Firebase Storage under authenticated user paths. Ricasso may compress or resize photos before upload. Ricasso strips EXIF metadata client-side before upload based on the current launch build, including GPS coordinates, camera serial number, timestamp, device model, and lens/camera data. If EXIF stripping fails under the current build, the upload is intended to fail closed rather than upload unstripped metadata.
2.6. Marketplace Comparable Request Data.
When you request marketplace comparable data, Ricasso may send non-identifying product descriptors such as brand, model, and condition through server-side Cloud Functions to eBay APIs. Ricasso does not send your email address, UID, Account credentials, serial number, photos, storage location, purchase price, or direct User identity to eBay in connection with a comparable-data request. eBay may return listing title, price, currency, condition, item URL, image URL, listing ID, category, and, if applicable and authorized, sold-comparable information.
2.7. UPC Lookup Data.
When you scan or manually enter a UPC code, Ricasso may send the UPC code through server-side systems to UPCitemdb or another UPC provider. Ricasso does not send your email address, UID, Account credentials, serial number, photos, storage location, or direct User identity to UPC providers in connection with UPC lookups.
2.8. Bulk Import CSV and Spreadsheet Content.
If you use a bulk-import feature, you may upload CSV files, spreadsheets, or other structured import files containing knife or edged-tool metadata, catalog fields, model information, maker information, condition information, notes, or other importable records. Ricasso may process this content to extract, map, clean, normalize, and format fields for import into your Collection. At launch, AI-assisted bulk import may send bulk-import CSV or spreadsheet content to Anthropic for one-time field extraction. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for this feature at launch.
2.9. Subscription and Entitlement Data.
Digital subscriptions and in-app purchases are processed through Apple In-App Purchase or Google Play Billing. Ricasso does not receive your card number, payment account credentials, or billing address from Apple or Google. Ricasso may receive obfuscated platform receipts, transaction identifiers, entitlement status, subscription status, renewal status, refund status, cancellation status, or similar information necessary to provide paid features.
2.10. Waitlist, Referral, and Website Information.
The website at www.ricasso.app is a landing page and waitlist surface at launch. If you submit the waitlist form, we collect your email address, referral code if provided, assigned referral code, source string, timestamp, and user-agent string. The website does not allow Account creation, login, vault access, editing, export, or deletion at launch.
2.11. Operational, Device, and Log Information.
We collect operational data needed to run, secure, debug, and maintain the Platform. This may include IP address for rate limiting, user-agent string, request metadata, date and time of request, URL or route, status codes, Firebase UID on authenticated requests, email address on certain authentication failures, device type, operating system version, browser type, app version, language, region, Cloud Function logs, Firebase audit logs, storage access logs, and error logs. Logs are not intended to include collection data, photos, serial numbers, purchase prices, or user content.
2.12. Support, Privacy, Deletion, Legal, and Accessibility Communications.
If you contact us, we collect the information you provide in emails, forms, attachments, support requests, privacy requests, deletion requests, accessibility requests, legal notices, DMCA notices, trademark complaints, bug reports, and related communications. At launch, emails may be routed through email aliases such as hello@ricasso.app, privacy@ricasso.app, dmca@ricasso.app, accessibility@ricasso.app, and legal@ricasso.app.
2.13. Merchandise Store Information.
The merchandise storefront at shop.ricasso.app is a separate Shopify surface. Shopify may collect name, email, shipping address, billing address, order history, payment details, fulfillment data, and related e-commerce information. Ricasso does not directly see or store full payment card numbers. At launch, the app account system and Shopify merchandise store account system are separate and do not automatically share account data with each other.
3. Information We Do Not Collect or Use at Launch
- No IDFA, AAID, or advertising identifiers.
- No targeted advertising, behavioral advertising, ad networks, ad exchanges, ad SDKs, or retargeting pixels.
- No Google Analytics, Firebase Analytics, Crashlytics, Mixpanel, Amplitude, Segment, Sentry, Datadog, PostHog, Hotjar, FullStory, LogRocket, heatmaps, session replay, screen recording, or cookieless analytics at launch.
- No first-party cookies, third-party cookies, localStorage, sessionStorage, IndexedDB, web beacons, tracking pixels, social widgets, Google Maps embeds, YouTube embeds, Vimeo embeds, chat widgets, or UTM tracking on ricasso.app at launch.
- No GPS collection, no location permission, and no IP-geolocation lookups by Ricasso.
- No contacts, calendar, microphone, health, biometric, Bluetooth, NFC, clipboard, SMS, or background location permissions at launch.
- No sale, sharing, renting, licensing, or aggregation of User collection data for advertising, analytics, market research, AI training, or third-party use.
- No computer vision, OCR, photo-based knife identification, AI-based visual identification, or AI training on User data at launch. Ricasso may use Anthropic for the limited purpose of AI-assisted bulk-import field extraction from user-uploaded CSV or spreadsheet content, as described in this Privacy Policy.
- No public registry, public sharing, maker verification, dealer verification, grading, COA signing, transfer-of-ownership, or marketplace functionality at launch.
4. How We Use Information
We use information for the following purposes, depending on the context:
- to create, authenticate, maintain, secure, and manage Accounts;
- to provide, operate, maintain, and improve the Platform;
- to store, display, edit, sync, cache, export, delete, and otherwise process vault and Collection records as directed by the User;
- to process photos, proof-of-purchase images, and media uploaded by the User;
- to provide UPC lookup, marketplace comparable, event ledger, Bill of Sale, export, bulk import, AI-assisted bulk-import field extraction, and other features;
- to validate subscription entitlements and provide paid-tier features through Apple and Google purchase flows;
- to provide customer support, respond to inquiries, troubleshoot, debug, and resolve technical issues;
- to process privacy, deletion, accessibility, DMCA, trademark, legal, and support requests;
- to detect, prevent, investigate, and respond to fraud, abuse, security incidents, unauthorized access, misuse, law violations, and violations of our Terms;
- to enforce agreements, protect rights, comply with legal obligations, respond to legal process, and maintain records;
- to send transactional emails, service notices, password reset emails, account-related messages, launch announcements, and marketing emails where permitted; and
- to evaluate business performance without selling, sharing, or aggregating User collection data for advertising, market research, AI training, or third-party use at launch.
5. How We Disclose Information
We may disclose information in the following circumstances:
5.1. Service Providers and Processors.
We disclose information to vendors and service providers that help operate the Platform, including Firebase/Google Cloud for hosting, authentication, database, storage, functions, logging, and secrets management; Cloudflare for DNS; Gmail/Google Workspace for communications; app stores for app distribution and subscriptions; Shopify, Stripe, and Printful for merchandise operations; and other vendors we use to operate, maintain, secure, or support the Service.
5.2. Third-Party API Requests Directed by Features.
When you request eBay marketplace comparable data, we send brand, model, and condition strings to eBay through server-side systems. When you request UPC lookup, we send the UPC code to the applicable UPC provider. These requests do not include direct User identity as described above.
5.3. App Stores and Billing Platforms.
Apple and Google process downloads, subscriptions, entitlements, renewals, cancellations, refunds, and related app-store matters under their own terms and privacy policies. Ricasso may receive entitlement and receipt information necessary to provide paid features.
5.4. Merchandise Store Vendors.
Merchandise purchases through shop.ricasso.app are handled by Shopify and related e-commerce vendors. Ricasso may access order information as merchant of record for fulfillment, customer service, taxes, fraud prevention, chargebacks, and recordkeeping, but app Account data and Shopify merchandise customer data are separate at launch.
5.5. Legal, Safety, and Enforcement.
We may disclose information if we believe disclosure is necessary or appropriate to comply with law, legal process, subpoenas, court orders, law-enforcement requests, tax obligations, app-store requirements, regulatory inquiries, or contractual obligations; to enforce our Terms or policies; to protect Ricasso, Users, third parties, or the public; or to investigate fraud, abuse, misuse, security incidents, or unlawful activity.
5.6. Business Transfers.
We may disclose or transfer information in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, change of control, transfer of the Platform, or similar business transaction, subject to applicable law and the commitments in this Privacy Policy.
5.7. With Your Direction or Consent.
We may disclose information when you direct us to do so, consent to the disclosure, enable a future sharing feature, request support that requires access, export data, participate in a future registry or transfer feature, or otherwise authorize disclosure.
5.8. No Sale or Sharing for Advertising.
At launch, Ricasso does not sell personal information and does not share personal information for cross-context behavioral advertising. Ricasso does not disclose User collection data to ad networks, data brokers, analytics providers, marketplace partners, dealers, makers, insurers, appraisers, or other third parties for their own advertising, market research, AI training, or analytics purposes.
5.9. AI-Assisted Bulk Import.
If you use an AI-assisted bulk-import feature, Ricasso may disclose user-uploaded CSV, spreadsheet, or structured import content to Anthropic or another AI service provider for one-time field extraction, mapping, cleanup, normalization, or formatting. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for the bulk-import feature at launch. Anthropic processes commercial customer data as a processor under its applicable commercial terms and data-processing terms, and Anthropic states that it does not use commercial-product inputs or outputs to train its models by default unless the customer chooses to participate in certain feedback or development programs. Anthropic also states that API inputs and outputs are automatically deleted from its backend within thirty (30) days of receipt or generation, subject to stated exceptions such as longer-retention services, customer agreements, usage-policy enforcement, or legal requirements.
6. Third-Party Vendors and Subprocessors
| Vendor / Service | Role | Data They May Process |
|---|---|---|
| Google / Firebase / Google Cloud | Authentication, Firestore database, Storage, Cloud Functions, Hosting, Cloud Logging, Secret Manager | Account data, vault data, photos, proof-of-purchase images, logs, operational data, UID, email, IP/request metadata |
| Cloudflare | DNS only at launch | Resolver-level metadata and DNS-related information; no Cloudflare Analytics or proxy/CDN/WAF mode at launch |
| eBay | Marketplace comparable data through API calls | Brand, model, condition strings; no direct User identity sent by Ricasso for comparable requests |
| UPCitemdb or other UPC provider | UPC enrichment | UPC code only; no direct User identity sent by Ricasso for UPC lookup requests |
| Google Fonts | Website font delivery | IP address and browser request metadata when fonts are loaded remotely |
| Apple App Store | App distribution and iOS IAP | Apple account data, subscription purchase/receipt data, refund/cancellation data handled by Apple; Ricasso receives entitlement/receipt status |
| Google Play | App distribution and Android billing | Google account data, subscription purchase/receipt data, refund/cancellation data handled by Google; Ricasso receives entitlement/receipt status |
| Shopify / Shopify Payments / Stripe infrastructure | Merchandise storefront and payment processing | Merchandise customer name, email, shipping/billing address, order and payment-related information |
| Printful or fulfillment provider | Print-on-demand fulfillment | Order, shipping, product, and fulfillment information necessary to ship merchandise |
| Gmail / Google Workspace | Email routing and communications | Support, privacy, deletion, legal, accessibility, and DMCA communications |
| Anthropic | AI-assisted bulk-import field extraction, mapping, cleanup, normalization, and formatting | User-uploaded CSV, spreadsheet, or structured import content containing knife or edged-tool metadata. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for this feature at launch. DPA. |
7. Cookies, Tracking, and Analytics
At launch, Ricasso does not place first-party cookies, third-party cookies, analytics cookies, advertising cookies, localStorage, sessionStorage, IndexedDB, pixels, tags, social widgets, session replay tools, heatmaps, or similar tracking technologies on ricasso.app. The Ricasso mobile app does not use web cookies. Ricasso also does not use ad SDKs or collect advertising identifiers at launch.
The website loads Google Fonts from Google-hosted domains. This may result in Google receiving your IP address and browser request metadata consistent with Google’s font delivery practices. We disclose this in our Cookie and Tracking Notice.
If Ricasso introduces cookies, analytics, targeted advertising, behavioral tracking, pixels, SDK tracking, or similar technologies in the future, we will update our notices and provide consent tools or opt-out choices where required by applicable law.
8. Data Retention
We retain information for as long as reasonably necessary to provide the Platform, comply with law, resolve disputes, enforce agreements, maintain security, preserve business records, process subscriptions and refunds, respond to requests, and operate our business. Retention periods vary by data type.
| Data Type | General Retention |
|---|---|
| Account email, display name, Firebase UID | Until Account deletion, subject to legal, security, backup, and operational retention. |
| Vault records and Collection data | Until Account deletion or user-initiated item-level deletion, subject to backup and operational retention. |
| Photos and proof-of-purchase images | Until Account deletion or user-initiated photo deletion, subject to backup and operational retention. |
| eBay comparable cache | Adaptive cache of approximately 6 hours to 7 days depending on listing volume, and purged on applicable knife deletion where tied to a knife record. |
| UPC lookup cache | Approximately 30-day TTL keyed by UPC and not intended to be user-specific. |
| Waitlist email and referral records | Until deletion request or Account creation supersedes the waitlist record, subject to operational retention. |
| Cloud Functions logs | Generally 30 days under Google Cloud defaults unless changed. |
| Audit logs | Generally up to 400 days under Google Cloud defaults for certain admin activity logs unless changed. |
| Subscription receipts and entitlement records | As needed for entitlement, refund, chargeback, tax, accounting, and platform requirements. |
| Support, privacy, deletion, legal, DMCA, and accessibility emails | Retained in Gmail/Google Workspace according to operational needs and applicable legal obligations. |
| Tax and accounting records | Generally retained as required for tax, accounting, and legal compliance. |
| Bulk-import CSV or spreadsheet content processed by Anthropic. DPA. | Anthropic API inputs and outputs are generally deleted from Anthropic backend systems within thirty (30) days of receipt or generation under Anthropic’s standard commercial/API retention practices, subject to Anthropic’s applicable terms, customer agreements, legal requirements, usage-policy enforcement, and other stated exceptions. Ricasso may separately retain the resulting imported records in your Account until Account deletion or item-level deletion, subject to this Privacy Policy. |
9. Account Deletion and Data Controls
The Ricasso mobile application includes an in-app account deletion process under Settings. Ricasso also intends to provide a web deletion request page at ricasso.app/delete-account for Users who have uninstalled the app or cannot access it.
When you delete your Account through the in-app process, Ricasso is designed to purge the Firebase Auth account, Firestore documents under the user path, Firebase Storage files under the user path, and certain orphaned event-ledger references. Active production deletion may occur quickly, but logs, backups, subscription records, tax/accounting records, support emails, legal records, and records necessary for security, fraud prevention, dispute resolution, legal compliance, or platform requirements may be retained as permitted by law.
You may access and correct many categories of Account and Collection data directly in the app. CSV export is available at launch for certain vault records. Photos, receipts, eBay comps, UPC cache entries, and logs may not be included in CSV export.
10. Security
Ricasso uses reasonable measures designed to protect the Platform, including Firebase Security Rules, Storage Rules, authentication controls, rate limits, HTTPS/TLS in transit, Google Cloud/Firebase encryption at rest, Google Secret Manager for certain server-side API secrets, and Google Cloud audit logging. At launch, Firebase Security Rules are intended to restrict vault records to authenticated owners, and Storage Rules are intended to restrict image storage to authenticated user paths.
No security measure is perfect. We cannot guarantee that the Platform, User Content, local device caches, cloud storage, logs, exports, emails, or third-party systems will be completely secure, error-free, or immune from unauthorized access. You are responsible for maintaining device security, using strong passwords, securing your email account, protecting exported files, and promptly notifying us of suspected unauthorized access.
11. International Users
At launch, Ricasso is intended for United States Users and is distributed in the United States through App Store and Google Play country settings. The Platform is hosted in the United States and uses U.S.-based or globally operated service providers. If you access the Platform from outside the United States, you do so at your own risk and are responsible for complying with local law. Ricasso does not intentionally offer the Platform to users in the European Economic Area or United Kingdom at launch.
12. State Privacy Rights
Ricasso may not meet the statutory thresholds for every state privacy law. However, Ricasso intends to provide a practical privacy request process for United States Users. Depending on your state and applicable law, you may have rights to request access, correction, deletion, portability, information about disclosures, opt out of sale or sharing, opt out of targeted advertising, opt out of certain profiling, limit certain sensitive-data uses, or appeal a denied request.
You may submit privacy requests by emailing privacy@ricasso.app. We may need to verify your identity before processing a request. We may deny or limit requests where permitted by law, including for security, fraud prevention, legal compliance, free speech, internal uses aligned with consumer expectations, technical feasibility, or where we cannot verify the request. We aim to respond within thirty (30) days where practicable, and within the time required by applicable law.
At launch, Ricasso does not sell personal information, does not share personal information for cross-context behavioral advertising, does not engage in targeted advertising, and does not engage in automated profiling that produces legal or similarly significant effects. If this changes, we will update our notices and provide required opt-out mechanisms.
13. Email and Communications
Ricasso may send transactional emails, password reset emails, account notices, service messages, launch announcements, security notices, subscription notices, support responses, legal notices, privacy responses, deletion responses, accessibility responses, and other communications relating to the Platform. These communications may be necessary to provide, secure, administer, or support the Service.
Ricasso may send marketing or promotional emails where permitted by law, including product announcements, launch updates, feature updates, promotions, tier information, or merchandise-related communications. Marketing emails will include an unsubscribe mechanism where required by applicable law. If you unsubscribe from marketing emails, Ricasso may still send transactional, account, security, subscription, legal, privacy, deletion, support, or other non-marketing communications.
Ricasso does not collect phone numbers at Account creation and does not send SMS/text-message marketing, MMS marketing, autodialed calls, prerecorded calls, or artificial-voice calls at launch. If Ricasso introduces any SMS, MMS, telephone, autodialed, prerecorded, artificial-voice, or similar communication program in the future, Ricasso will update its practices and obtain any consent required by applicable law before sending those communications. Future text-message programs should include required disclosures, including message frequency, message and data rates, HELP instructions, and STOP or other opt-out instructions.
At launch, Ricasso does not use email open pixels or click-tracking links in its own emails. Firebase may send authentication or password-reset emails, and Shopify may send transactional merchandise emails under their respective systems.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Updates will be posted on the Platform or otherwise made available with a revised Last Updated date. If we make material changes to how we collect, use, disclose, or protect information, we will provide notice where required by applicable law. Your continued use of the Platform after an updated Privacy Policy becomes effective means you acknowledge the updated Privacy Policy.
15. Additional California and State Privacy Details
The following additional disclosures are provided for California and other United States consumers where applicable. Ricasso may not meet the statutory thresholds for every privacy law, but provides this information to improve transparency and support a uniform privacy request process for United States Users.
| Category | Collected | Sold/Shared for Targeted Ads | Retention Summary |
|---|---|---|---|
| Identifiers | Yes. Email address, display name, Firebase UID, IP address, user-agent string, app-store entitlement identifiers. | No. | Until Account deletion or as needed for logs, security, legal, tax, accounting, support, and platform requirements. |
| Commercial information | Yes. Subscription entitlement, purchase status, merchandise order records on Shopify. | No. | As needed for entitlement, refund, chargeback, tax, accounting, and legal records. |
| Internet or network activity | Yes. Request logs, status codes, app interactions necessary for operation, authentication events. | No. | Generally 30 days for Cloud Functions logs and up to 400 days for certain audit logs, unless changed. |
| User content | Yes. Vault records, photos, proof-of-purchase images, notes, event ledger entries, and bulk-import CSV or spreadsheet content submitted by the User. | No. | Vault records and resulting imported records are retained until deletion by User or Account deletion, subject to backups and lawful retention. Bulk-import content processed by Anthropic is subject to Anthropic’s applicable commercial/API retention terms, generally thirty (30) days for API inputs and outputs, subject to stated exceptions. |
| Sensitive information | Yes. Serial numbers, prices, storage notes, buyer/seller handles, proof-of-purchase images where entered. | No. | Processed to provide the Service and retained as vault data unless deleted. |
| Geolocation | Ricasso does not request GPS or conduct IP-geolocation lookup. | No. | Infrastructure providers may process IP address for network operations. |
| Inferences | No advertising/profiling inferences at launch. | No. | N/A at launch. |
16. Sensitive Personal Information and Limitation Rights
Certain state laws provide rights to limit the use or disclosure of sensitive personal information. Ricasso uses sensitive vault information only to provide the Service, maintain security, respond to requests, comply with law, enforce Terms, protect rights, and perform user-directed actions. Ricasso does not use sensitive vault information to infer characteristics, deliver targeted advertising, sell or share personal information, train AI models, or provide third-party market research at launch. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for the bulk-import feature at launch. Users should not include unnecessary sensitive information in bulk-import CSV or spreadsheet files.
17. Authorized Agents and Verification
You may submit a privacy request through an authorized agent where allowed by law. We may require written authorization, proof of agency, verification of your identity, and confirmation that the agent has authority to act for you. We may deny a request if we cannot verify the request, if the request conflicts with law, or if an exception applies.
18. Appeals
Where applicable law provides an appeal right, you may appeal a denial by replying to our response or emailing privacy@ricasso.app with the subject line “Privacy Appeal.” We will review appeals within the time required by applicable law and will provide a written explanation of the result where required.
19. Deidentified, Aggregated, and Anonymized Information
At launch, Ricasso does not aggregate user collection data for advertising, analytics, market research, AI training, or third-party use. Ricasso may create deidentified, aggregated, or anonymized information for security, debugging, legal compliance, internal financial planning, system performance, or business operations, provided that Ricasso will not attempt to reidentify information that is maintained as deidentified except as permitted by law to test or validate deidentification.
20. AI, Machine Learning, and Automated Decision-Making
At launch, Ricasso does not use User vault data, Collection data, photos, proof-of-purchase images, serial numbers, prices, storage notes, or bulk-import content to train or fine-tune artificial intelligence models. Ricasso does not use computer vision, OCR, machine learning, or AI to identify knives from photos at launch. Ricasso may use Anthropic for the limited purpose of AI-assisted bulk-import field extraction from user-uploaded CSV, spreadsheet, or structured import content containing knife or edged-tool metadata. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for this feature at launch.
Anthropic processes commercial customer data as a processor under its applicable commercial terms and data-processing terms. Anthropic states that it does not use commercial-product inputs or outputs to train its models by default unless the customer chooses to participate in certain feedback or development programs, and Anthropic states that API inputs and outputs are automatically deleted from its backend within thirty (30) days of receipt or generation, subject to stated exceptions. Ricasso does not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning Users at launch.
21. Public Registry and Future Sharing Features
Public registry pages, opt-in share links, maker verification, dealer verification, grading entries, certificates of authenticity, transfer-of-ownership flows, public stolen-knife lookup, insurer/appraiser interfaces, and similar trust-infrastructure features are not live at launch. If Ricasso later introduces public or semi-public sharing features, those features will require affirmative user action or additional terms and notices before vault information is made public or shared with other Users.
22. Account Deletion Details
Account deletion through the in-app process is intended to remove the Firebase Auth account, Firestore documents under the user path, Firebase Storage files under the user path, and certain orphaned event-ledger documents referencing the User. Deletion may not immediately remove all information from logs, backups, app-store systems, subscription records, tax/accounting records, support communications, legal files, DMCA files, privacy request files, security records, or third-party systems. Some records may be retained because they are not reasonably associated with the User, are necessary for security or legal purposes, or are maintained by independent third parties.
23. Local Device Data and Exports
The app may store data locally through operating-system storage, AsyncStorage, React Native Firebase persistence, offline cache, queued writes, downloaded images, exported files, or other app-local mechanisms. You are responsible for protecting your device and any exported files. Ricasso cannot control files after you export, download, email, save, share, print, or otherwise remove them from the Platform.
24. Merchandise Store Privacy
The merchandise store at shop.ricasso.app is powered by Shopify and may use Shopify Payments, Stripe infrastructure, and Printful or another fulfillment provider. Merchandise purchases collect information needed for e-commerce, including name, email, billing/shipping address, payment processing information handled by processors, order history, fulfillment details, return/refund information, and customer service communications. App Account data and Shopify customer data are separate at launch. Shopify standard analytics may be enabled within the Shopify admin, but Ricasso does not add Meta, Google Ads, TikTok, or similar third-party advertising pixels at launch.
25. Legal Process and Law Enforcement
Ricasso may disclose information in response to subpoenas, court orders, warrants, law-enforcement requests, regulatory inquiries, app-store investigations, tax obligations, or other legal process. Where legally permitted and feasible, Ricasso may seek to narrow requests or notify affected Users, but Ricasso is not required to do so where prohibited by law, where notice would create risk, or where notice is impracticable.
26. Security Incidents
If Ricasso becomes aware of a security incident involving personal information, Ricasso will investigate, take appropriate steps to contain and remediate the issue, and provide notices required by applicable law. Ricasso may delay notice if requested or required by law enforcement or if necessary to investigate and prevent further harm.
27. Do Not Track
Some browsers transmit “Do Not Track” signals. Because there is no uniform standard for Do Not Track at launch and Ricasso does not engage in targeted advertising or cross-site tracking, Ricasso does not respond to Do Not Track signals in a separate manner. Ricasso will evaluate legally required opt-out preference signals, including Global Privacy Control, if covered practices are introduced in the future.
28. Children and Age Restrictions
Ricasso is intended only for Users who are at least eighteen (18) years old. Ricasso does not knowingly allow minors to create Accounts or use the Platform. If we learn that a minor has created an Account or submitted personal information, we may delete the Account and associated information as appropriate.
29. Supplemental Product-Specific Disclosures
The following supplemental sections provide additional detail regarding Ricasso’s product-specific data practices, app-store disclosures, mobile permissions, administrative access, marketing choices, device-level storage, future features, and related privacy matters. These supplemental sections are part of this Privacy Policy and should be read together with the sections above.
30. Detailed Feature-by-Feature Data Use Matrix
| Feature / Surface | Information Involved | How Ricasso Uses It | Shared With |
|---|---|---|---|
| Account signup | Email, display name, password credential handled by Firebase Auth, UID, account timestamp. | Create and authenticate Account; maintain account state; communicate with User; enforce Terms. | Firebase/Google Cloud; app stores only as applicable to app distribution. |
| Login and password reset | Email, authentication events, reset emails, failed login logs. | Authenticate Users; allow password reset; detect abuse; maintain security. | Firebase/Google Cloud; email infrastructure. |
| Vault record creation | Catalog fields, acquisition fields, status fields, notes, serial number, prices, storage notes. | Store and display private collection records; enable editing, export, deletion, subscription features. | Firebase/Google Cloud as infrastructure provider. |
| Photo upload | Knife photos, proof-of-purchase images, compressed/resized images, EXIF-stripped images. | Document Collection items and purchases; store in User vault; display to User. | Firebase Storage/Google Cloud. |
| Marketplace comps | Brand, model, condition; returned listing data, prices, images, URLs, cache timestamps. | Retrieve and display comparable listing information; calculate estimates, ranges, medians, vault totals, gain/loss. | eBay APIs through Ricasso server-side systems; Firebase cache. |
| UPC scan | UPC code and returned product information. | Pre-fill product fields and allow User correction. | UPC provider through Ricasso server-side systems; Firebase cache. |
| CSV export | Selected vault fields. | Allow User to download records for backup or personal use. | No third party unless User exports and shares file. |
| Account deletion | UID, account data, storage paths, deletion request metadata. | Delete Account and associated active production data; maintain allowed records. | Firebase/Google Cloud; app-store systems for subscription records. |
| Subscriptions | Platform receipt, entitlement state, subscription tier, renewal/cancellation/refund status. | Validate paid features and provide entitlements. | Apple or Google; RevenueCat if later selected. |
| Merchandise store | Name, email, shipping/billing address, order data, payment processing information handled by processors. | Process orders, fulfill merchandise, handle customer service, returns, refunds, tax/accounting. | Shopify, Shopify Payments/Stripe infrastructure, Printful or fulfillment providers. |
| Support and privacy requests | Email contents, attachments, request details, account identifiers. | Respond to requests, verify identity, troubleshoot, comply with law. | Gmail/Google Workspace; professional advisors if necessary. |
| Security and logs | IP, user-agent, UID on authenticated requests, status codes, timestamps, error logs. | Rate limiting, debugging, security, abuse prevention, audit trail, legal compliance. | Google Cloud/Firebase logging. |
| AI-assisted bulk import | User-uploaded CSV, spreadsheet, or structured import content containing knife or edged-tool metadata. Photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, and storage location notes are not sent to Anthropic for this feature at launch. DPA. | Extract, map, clean, normalize, and format fields for one-time import into the User’s Collection. | Anthropic or another AI service provider for one-time field extraction; Firebase/Google Cloud for resulting imported records. DPA. |
31. App Store Privacy and Google Play Data Safety Alignment
Ricasso intends for its Apple App Privacy disclosures and Google Play Data Safety disclosures to match this Privacy Policy. Expected disclosures include contact information such as email address, user content such as knife records, photos, and bulk-import CSV or spreadsheet content submitted by the User, identifiers such as Firebase UID, purchase or entitlement data, usage or operational logs, and diagnostics or error information. Ricasso does not use collected data to track Users across apps and websites owned by other companies at launch. Ricasso does not collect financial card data, contacts, precise location, advertising data, health data, or biometric data at launch.
Google Play requires apps that allow account creation to provide both an in-app path and a web resource for account deletion. Ricasso provides in-app deletion at launch and intends to provide a web deletion resource at ricasso.app/delete-account before launch. Apple requires apps that support account creation to allow users to initiate account deletion within the app; Ricasso provides an in-app deletion flow under Settings.
32. Device Permissions and Purpose Descriptions
| Permission | Used at Launch | Purpose |
|---|---|---|
| Camera | Yes | Photograph knives and scan UPC codes. |
| Photo library read | Yes | Import existing photos into knife records. |
| Photo library write/save | Yes | Save photos or exports to the device where supported. |
| Android storage read/write | Yes | Support photo input/output on Android where required by the platform. |
| Vibrate / haptics | Yes on Android | Provide haptic feedback. |
| Location | No | Ricasso does not request location permission or collect GPS coordinates at launch. |
| Microphone / contacts / calendar / health / biometrics / Bluetooth / NFC / clipboard / background location | No | Not requested at launch. |
| Push notifications | No at launch | Scaffold may exist for future version but is not live at launch. |
33. Data Accuracy and User-Entered Third-Party Information
Users may enter information about third parties, including seller handles, buyer handles, maker names, dealer names, appraiser notes, receipt images, COAs, or marketplace screenshots. Ricasso does not verify that Users have the right to enter or upload this information. Users are responsible for ensuring that any third-party personal information or third-party content they provide is accurate, lawful, and permitted to be uploaded.
34. Administrative Access and Internal Controls
At launch, the founder and designated personnel with Firebase or Google Cloud administrative access may technically access User records in plaintext. Ricasso intends to limit administrative access to persons with a need to know and to rely on Google Cloud IAM, Firebase Security Rules, Storage Rules, and audit logging. Per-piece time-limited support access and user-visible support access logs are not live at launch and should not be treated as part of the V1 privacy architecture.
35. Backup, Restore, and Unrecoverable Future Encryption
At V1, password reset through Firebase can restore account access if the User controls the email address. If Ricasso later implements client-side or field-level encryption where Users hold keys, some encrypted fields may become unrecoverable if the User loses the relevant key, passcode, or device. Ricasso will provide additional notices before launching that feature.
36. No Location Tracking
Ricasso does not request location permission, collect GPS coordinates, or perform IP-based geolocation lookup at launch. However, infrastructure providers may process IP addresses to transmit data, serve fonts, provide security, maintain logs, or operate networks. Users may also voluntarily enter storage location notes, which may include addresses or other precise location information if the User chooses to enter them.
37. No AI Training or Photo Analysis
Ricasso does not send User photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or sensitive vault fields to OpenAI, Google Gemini, Anthropic, AWS, Microsoft, or other AI vendors at launch. Ricasso does not use User data to train, fine-tune, or improve AI models at launch.
The limited exception is Ricasso’s AI-assisted bulk-import feature. If you use that feature, Ricasso may send user-uploaded CSV, spreadsheet, or structured import content containing knife or edged-tool metadata to Anthropic for one-time field extraction, mapping, cleanup, normalization, or formatting. This processing is used only to help import records into your Collection. Ricasso does not send photos, proof-of-purchase images, serial numbers, purchase prices, sale prices, storage location notes, or other sensitive vault fields to Anthropic for this feature at launch.
Visual identification may be a future roadmap feature, but no photo-based identification, computer vision, OCR, or visual AI identification feature is live unless Ricasso expressly updates this Privacy Policy or provides an additional notice.
38. CAN-SPAM and Marketing Choices
Ricasso may send service, transactional, account, security, support, legal, subscription, deletion, privacy, accessibility, and launch-related messages. Ricasso may also send marketing or promotional emails where permitted by law. Marketing emails will include an unsubscribe mechanism where required by applicable law, and Ricasso will use commercially reasonable efforts to honor marketing-email opt-out requests within the time required by law.
Transactional emails, legal notices, security messages, account messages, subscription notices, privacy responses, deletion responses, accessibility responses, and support messages may still be sent even if you opt out of marketing communications.
Ricasso does not send SMS/text-message marketing, MMS marketing, autodialed calls, prerecorded calls, artificial-voice calls, or similar telephone marketing communications at launch. If Ricasso introduces those communications later, Ricasso will obtain any consent required by applicable law and provide opt-out instructions where required.
39. Contact Us
If you have questions about this Privacy Policy or wish to exercise privacy rights, please contact us at:
ThisIsDisco Ventures, LLC
33 Geraldine Drive
Norwood, Massachusetts 02062
Email: privacy@ricasso.app
Last Updated: ____________, 2026