My Vista Scout (“Scout”, “we”, “us”) is an independent tool that helps resellers evaluate Vista liquidation auction lots. We take privacy seriously and collect only what we need to deliver the service. This page explains what we collect, why, and what you can do about it.
1. What we collect
- Account data: name, email address, and a bcrypt-hashed password.
- Product data: your watchlist, saved searches, favourite categories, bid targets, and feedback you send through the in-app form.
- Email preferences: whether you opted into the daily digest, and the timestamp of the last digest sent to you.
- Operational logs: standard web-server logs (IP address, user-agent, path, status code) kept for up to 30 days for abuse detection.
- Verification & reset tokens: SHA-256 hashes of the one-time tokens we email you for address verification and password reset, plus their expiry timestamps. Raw tokens only appear in the email we send and are never stored on our side.
We do not collect: payment information (the service is free during beta), public profile photos, social-network identifiers, advertising identifiers, or geolocation.
2. Why we collect it
- Provide the service: show you your watchlist, run your saved searches, deliver the digest you asked for.
- Authenticate you: the email/password pair and the signed session cookie keep your account yours.
- Prevent abuse: rate limits, Cloudflare Turnstile, and short-lived server logs help us stop credential stuffing and signup spam.
- Communicate: account email (verification, password reset, occasional critical service notices) and the opt-in daily digest.
3. Third-party processors
We share data with a small set of vendors who help us run the service:
- Resend — transactional and digest email delivery. They see the recipient address, subject, and body of the email.
- Cloudflare Turnstile — CAPTCHA on sign-up, sign-in, and password reset. Turnstile sees the IP address making the request.
- Our infrastructure provider — the dedicated server that hosts the Postgres database and the Next.js application.
- vistaauction.com — Scout reads lots from Vista’s public listings; we don’t share your data with them.
We don’t sell or rent your data to anyone, and we don’t run any advertising trackers.
4. Cookies & session
We use a single first-party cookie called session — an HTTP-only, SameSite=Lax, Secure-in-production JWT that keeps you signed in for 30 days. Clearing cookies signs you out. We do not use third-party analytics or advertising cookies.
5. Your rights
You can:
- Access & export your data from the in-app Export data page — we ship a JSON of everything we have on you.
- Delete your account from the in-app Delete account page. This removes your user row, watchlist, saved searches, condition presets, and feedback. Operational logs are purged on the standard rolling window.
- Unsubscribe from the digest from your account Settings. Transactional email (verification, password reset, critical notices) continues — it’s required to operate the account.
- Ask us about your data by emailing [email protected]. We reply within 30 days.
EU/UK users: under GDPR you have rights of access, rectification, erasure, restriction, portability, and objection — covered by the bullets above. California users: under CCPA you have the right to know, delete, and opt out of sale of personal data. We don’t sell data.
6. Security
Passwords are hashed with bcrypt (cost 12). Session tokens are signed and never stored server-side. Database access requires authenticated Postgres credentials and is restricted to our application’s network. TLS is enforced for all browser traffic. We’ll disclose any breach impacting your account within 72 hours of confirming it.
7. Children
Scout is for adults running a resale business. We don’t knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we’ll delete the account.
8. Changes to this policy
We’ll post material changes here with a new “Last updated” date and, if the change affects how we use existing data, email the accounts on record. Continued use after the effective date counts as acceptance.