Privacy Policy

Last updated: April 22, 2026

ThreeOldGoats Vintage ("we", "our", or "us") operates a small, private inventory management application used by our family business. This policy describes what the application collects, how it is used, and how it is protected. The application — including both the mobile app (com.threeoldgoats.inventory) and the website at www.threeoldgoatsvintage.com — is not open to general public sign-ups; accounts are created by invitation only.

Information we collect

  • Account information. Username, email address, and a hashed (never plaintext) password. Email is used only to send account setup and password reset links.
  • Inventory content. Text you enter about items — descriptions, costs, quantities, restoration notes, sale records, seller contact details you choose to record.
  • Location. When you tap "Get GPS Location" while adding an item, the app records the device's current latitude and longitude and attaches it to that item. Location is captured only when you explicitly request it; the app does not track location in the background.
  • Photos. Images you capture or select while adding or editing items.
  • Server logs. Standard web server logs — IP address, request path, timestamp, user agent — retained for security and diagnostic purposes.

How we use the information

  • To let you sign in and use the inventory features.
  • To store and display the inventory items you create.
  • To display booth-photo galleries and the "About Us" page.
  • To generate reports visible only to authenticated users.
  • To detect and investigate abuse or technical errors.

What we do not do

  • We do not sell or rent your data to anyone.
  • We do not share data with advertisers or analytics brokers.
  • We do not use your data to build behavioural profiles.
  • We do not run third-party ads, tracking pixels, or cross-site trackers.

Data sharing

All data is stored on servers we operate directly. We do not transfer data to third-party processors except:

  • Resend — used solely to deliver transactional email (account setup and password reset links). Resend receives only the recipient email address and the message body.
  • Cloudflare — fronts the website to provide TLS and DDoS protection. Cloudflare sees request metadata in transit.
  • Google Play Services — on-device only, used by the Android app to obtain GPS fixes when you tap "Get Location". Coordinates are sent to our server, not to Google.

Security

  • Traffic to the server is encrypted in transit with TLS (HTTPS).
  • Passwords are stored as bcrypt hashes, never in plaintext.
  • Authentication tokens are scoped per session and expire.
  • The server is administered by the owner; no external vendor has access.

Data retention

We retain your account and the items you create for as long as your account is active. If you stop using the application, contact us to request deletion of your account and associated data.

Your rights

You may, at any time, ask us to:

  • Tell you what personal data we hold about you.
  • Correct data that is inaccurate.
  • Delete your account and its data.

Requests are honoured within a reasonable period, typically a few business days.

Children's privacy

The application is not directed at children under 13, and we do not knowingly collect data from them. If you believe a child has provided us data, please contact us and we will delete it.

Changes to this policy

If we materially change what we collect or how we use it, we will update this page and revise the "Last updated" date above.

Contact

Questions or requests about this policy, or about the data we hold on you, can be sent to:

the contact email listed on our About page.