Privacy Policy

Diecast Radar (diecastradar.app) is a free hobby tool for 1:64 diecast collectors. It tracks live retailer availability, restock and price-drop alerts, AI-assisted in-store sightings, a personal collection and wishlist, a shoppable cart optimizer, and a Hunter Score, for Hot Wheels, Mini GT, Tarmac Works, and related brands.

Diecast Radar uses Supabase anonymous sign-in by default. When you first visit the site a random device-tied UUID is created for you — no email address, no name, and no password is required. This UUID is stored in a session cookie (sb-*-auth-token) so your preferences, Hunter Score, collection, wishlist, and cart persist across visits on the same device. You can clear this data at any time by clearing your browser cookies.

You may optionally create a full account to sync across devices by signing in with a one-time email code (OTP), or with Google or Discord. We receive only the email address (and, for OAuth, the basic profile your provider returns); we do not receive your social passwords. When you create an account you also pick a username, which is shown in your account menu and on any collection or wishlist you choose to share publicly.

A separate alert email is collected only if you opt in to digest alert notifications. It is stored apart from your identity and used solely to send the restock or price-drop notifications you configure. You can remove it any time from your profile.

Associated with your account (anonymous UUID or signed-in identity), we store:

• Username and profile preferences (default brand, light/dark theme)
• Country preference (US or CA) and, optionally, a sales-tax region for cart estimates
• Hunter Score and tier (Scout → Legend), with an immutable score-change log
• Onboarding quiz answers (brand and collecting-style preferences)
• Collection items, wishlist items (including any target prices you set), cart contents, saved searches, and your watch list of followed cars
• Alert history (pending, delivered, and interacted alerts)
• Collection and wishlist public share tokens — opaque random strings you can activate to share a read-only view with anyone who has the link, and revoke at any time

Two small preference cookies remember your settings outside the signed-in session:

• dr_country — your selected country (US or CA). Expires after 1 year.
• dr_brand — your preferred brand filter. Expires after 1 year.
• dr_consent — remembers your cookie choice (accept or decline analytics and advertising cookies). Expires after 1 year.

These cookies contain no personal information and are not shared with third parties. For visitors who are not signed in, catalog saved searches are kept in your browser's local storage so they persist across reloads; signing in moves this data to your server-side account and clears the local copy.

Essential cookies (sign-in, your country and consent choices) are always on, because the site can't work without them. Analytics and advertising cookies (Google Analytics and our ad network, described below) are different: in the EEA, the UK, and Switzerland we ask for your consent beforewe load them, and we don't set them unless you accept.

You can change your mind at any time. Use the Cookie settings link in the footer to accept or withdraw consent, or the Do Not Sell or Share My Personal Information link to opt out of advertising cookies. Declining turns off analytics and advertising cookies; the rest of the site keeps working.

If you submit an in-store sighting report, we collect: the retailer, the city and state/province (optional), an approximate location (latitude and longitude rounded when saved so it points to a general area rather than your exact position), the product spotted, the rarity you saw, the quantity, optional notes, and an optional photo. Photos are sent to an AI service for immediate analysis (see below) and are not stored on our servers or in our database; they are discarded as soon as analysis completes.

Contesting a verification. The one exception is if you contestan "couldn't verify" result on a photo sighting. Only then, and only with your explicit action, is that photo stored (in a private bucket) so a moderator can review it. It is deleted as soon as the contest is resolved, and in any case within 30 days (an unreviewed contest is automatically resolved in your favor and the photo deleted). We tell you this before you contest.

Sightings appear publicly on the Sightings map and feed, including the product, store, and approximate location. They never show who reported them.

You choose a visibility each time you report:

• Public(default): you earn Hunter Score points and the report appears in your “My History”. For a trailing 30 dayswe keep a recoverable, encrypted link between you and the report (so a confirmed false report can be penalized, and so your history can show it). After 30 days that link is automatically severed and the sighting can no longer be traced back to you. During that window, “My History” shows you the product you reported and, for public sightings, the store and approximate location.
• Anonymous: no points, and no link between you and the report is ever stored, so it never appears in your history and cannot be traced back to you.

If your profile is private, new sightings default to Anonymous so your identity is never attached to a report unless you choose Public yourself.

Flagging. Any signed-in user can flag a sighting they believe is inaccurate. We record which sightings you have flagged using a blinded (hashed) identifier rather than your raw account id. This lets us count one flag per person, stop you flagging your own sighting, show you what you have already flagged, and let you revoke a flag. When enough members flag a sighting it is hidden pending review.

Reporting a note. If a sighting includes a written note that is spam, abusive, or otherwise breaks our community rules, any signed-in user can report it (the same way comments can be reported). We store the report with your account so moderators can review it; a moderator may remove the note while leaving the sighting itself.

Store restocks.You can also report a general “fresh restock” at a store, without naming a product. A restock report stores the store name, the approximate location you provide, your account (so we can award points if it is confirmed and enforce daily limits), and a coarse device signal used only to stop someone confirming their own restock from a second account. You only earn points once a different hunter confirms the restock; an unconfirmed restock expires after two weeks. To keep this fair we limit how many restocks you can report per day, allow only one report per store per day, and limit how often the same two members can earn points by confirming each other.

If you post a comment, leave a star rating or review, submit a product suggestion, or vote on one, we store that content along with your account so it can be displayed, attributed, and counted toward your contribution totals. When your profile is public, this content is shown next to your username and links to your profile; when your profile is private, it appears as “Anonymous User” with no link. You can edit or delete your own comments and ratings at any time.

Community content is subject to moderation. To keep the community healthy we may hide, remove, or limit the reach of content that breaks our Terms of Service, and we keep a record of moderation actions and any reports you file.

Linking your Discord account is optional. If you choose to link it, we store your Discord user ID and share it with Discord so we can add you to our community server and grant the roles your membership includes. We never receive your Discord password. You can unlink at any time from your account settings, which removes the granted roles.

If you submit a bug report or product-inaccuracy report, we store the category, description, the page URL where the issue occurred, and your browser user-agent string, used only to investigate and resolve the report.

During onboarding we silently collect a small set of risk signals — such as timing between quiz questions, pointer-interaction patterns, and browser characteristics — to detect automated bots and scalper tools. These signals are visible only to site administrators, are never exposed through any client or public endpoint, and are never used for advertising or sold to third parties. Your IP address is used server-side as part of this check and is not stored beyond the request.

Diecast Radar uses the xAI Grok API for two purposes:

• Sighting photo analysis.A photo you attach is sent to Grok's vision API to identify the product on the shelf and verify your sighting. The image is processed ephemerally — xAI does not train on API inputs, and we discard the image immediately after analysis. It is stored only if you choose to contest a verification result (see Sightings above), and then only until the contest is resolved or 30 days pass.
• Product research.Automated background jobs use Grok's web search to discover upcoming releases and restock news. No personally identifiable information is included in these queries.

xAI's data practices are governed by their Privacy Policy.

We use Google Analytics 4 to understand how visitors use the site (page views, session duration, navigation paths). It sets cookies (including _ga and _gid) to distinguish users. IP addresses are truncated by Google before storage; we do not receive full IP addresses. In the EEA, the UK, and Switzerland this runs only after you consent (see “Cookie consent” above), and anyone can turn it off any time via the footer Cookie settings link.

You can also opt out across all sites using the Google Analytics Opt-out Browser Add-on.

Diecast Radar may display advertisements served by Google AdSense, Mediavine, or a comparable ad network. These networks may use cookies and similar technologies to show ads based on your prior visits to this and other sites. In the EEA, the UK, and Switzerland these load only after you consent; everyone can opt out using the Do Not Sell or Share My Personal Information link in the footer.

You can also opt out of personalised advertising via Google Ad Settings or the NAI opt-out tool. This policy will be updated if we change ad networks.

If you grant browser notification permission, your browser's push subscription endpoint (a URL issued by your browser vendor) is stored in your account and used solely to deliver restock and alert notifications you have enabled. You can revoke notification permission in your browser settings at any time; expired or revoked endpoints are automatically removed.

We automatically poll roughly 25 major and specialty diecast retailers — including Mattel Creations, Walmart, Target, Amazon, Dollar General, Kroger, Canadian Tire, and independent diecast shops — to fetch product availability, prices, and stock status. This uses publicly accessible product APIs and web pages; no personal data about you is sent to retailers.

Links to retailers may include affiliate parameters. If you make a purchase after clicking one, we may receive a small commission at no extra cost to you. Retailer sites have their own privacy policies; we are not responsible for their data practices.

To operate the site we also rely on:

• Supabase — database and authentication hosting (US-based servers)
• Vercel — hosting, CDN, and serverless compute. We also use Vercel BotID (invisible bot detection) on a few sensitive actions (reporting or flagging a sighting, and signing in) to block automated abuse. It analyzes request and device signals to tell humans from bots; it is not used to track you or for advertising.
• Inngest — background job orchestration (no personal data in payloads)
• Upstash Redis — rate limiting (request counts keyed by anonymous UUID or IP; not retained long-term)
• Resend — transactional email for alert digests (only if you opt in to email alerts)

These providers process data only as necessary to deliver the service and are contractually prohibited from using it for other purposes.

Your account record (UUID or identity, Hunter Score, preferences, collection, wishlist, and cart) is retained as long as you continue using the site. Delivered alerts are retained for 30 days, then pruned. Background-job event logs are pruned after 14 days. Sighting data is removed from the public map after 48 hours; the underlying record may be kept for analytics in anonymised form.

Delete your account yourself. Signed-in members can permanently delete their account and personal data at any time from profile settings(“Delete Account”). This erases your email and profile details and removes your collection, wishlist, cart, saved searches, alerts, and notifications; cancels any Premium subscription; and severs the link between you and your sightings. Your public comments and ratings remain but are shown as “Anonymous User”. For anonymous (not signed-in) use, clearing your browser cookies disassociates your UUID. You can also contact us and we will action your request.

You can download a copy of the personal data we hold for your account at any time from your profile settings(“Your Data → Download my data”).

If you are in the EEA, the UK, or Switzerland, we rely on these legal bases:

• Contract — to run your account and provide the features you use (collection, wishlist, cart, alerts, sightings, Hunter Score).
• Consent — for analytics and advertising cookies, and for optional email digest alerts. You can withdraw consent at any time.
• Legitimate interests — to keep the service secure and abuse-free (rate limiting, bot and scalper detection, moderation), balanced against your rights.
• Legal obligation — where we must keep certain records to comply with the law.

Depending on where you live (for example the EEA, the UK, Switzerland, or US states such as California), you have some or all of these rights over your personal data:

• Access and portability— see and download your data (“Your Data → Download my data” in your profile).
• Rectification — correct your details from your profile settings.
• Erasure— delete your account and personal data (“Delete Account” in your profile).
• Withdraw consent — turn off analytics and advertising cookies, or remove your alert email, at any time.
• Object or request restriction of certain processing, and the right not to be discriminated against for exercising any of these rights.

Use the in-app controls above, or email privacy@diecastradar.app and we will respond within the time the law allows (within one month for EEA/UK requests). You may also lodge a complaint with your local data protection authority.

Diecast Radar is operated from, and uses service providers based in, the United States (see “Third-party service providers” above). If you access the site from outside the US, your data is transferred to and processed in the US. Where we transfer personal data out of the EEA, the UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum) with our providers.

We do not sell your personal information for money. Like most ad-supported sites, our use of advertising cookies may be considered “sharing” for cross-context behavioural advertising under California law. You can opt out using the Do Not Sell or Share My Personal Informationlink in the footer, which turns off advertising cookies on this browser. California residents also have the rights to know, access, delete, and correct their information, described in “Your privacy rights” above, and we will not discriminate against you for exercising them.

Diecast Radar is not directed at children under 13, and we do not knowingly collect data from them. Creating an account requires confirming you are at least 13 years old. If you believe a child under 13 has given us personal data, email privacy@diecastradar.app and we will delete it.

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Continued use of the site after changes constitutes acceptance of the revised policy.

Questions about your data? Email privacy@diecastradar.app.