Skip to content

Privacy Policy

ShelfStamp has no accounts, no passwords, and no advertising. For most people, we never learn who you are. The one genuinely sensitive thing we handle is a photograph of a label, taken inside your home — so that is what most of this document is about.

1. Scope

This policy covers the ShelfStamp website and service. It explains what we collect, why, who else sees it, how long we keep it, and what you can make us do about it.

2. Who is responsible for your data

CLV Media, LLC, a North Carolina limited liability company, is the data controller.

10850 Providence Rd, Suite 1325, Charlotte, NC 28277
privacy@shelfstamp.com

3. What we collect

3.1 To run a free screening: nothing about you

You do not create an account. You do not give us your name, your email, or your phone number. You type a brand and a model number, or you photograph a label. We do not know who you are, and for the overwhelming majority of people who use this service, we never find out.

3.2 What you type

The brand, model number, product type and date of manufacture you enter. This is information about an object, not about a person.

3.3 Label photographs

If you use the camera, the photograph you take. See section 4 — it is the most important section in this document.

3.4 Your email address, only if you ask us to keep a record

If you ask us to send you a copy of a screening record, we take your email address, we send you that one record, and that is the end of it. No account is created. No marketing list exists to add you to. We will not email you again.

3.5 Payment information — which we never see

If you buy a certificate, you enter your card details on Stripe’s form. We receive a confirmation that a payment succeeded and an identifier for it. We never receive, see, or store your card number.

3.6 Technical data

IP address, user agent, and the pages you requested — the ordinary exhaust of serving a web page, held in our server logs and by our host.

3.7 What happens on our own pages

We record events in our own database: a screening was run, a result was viewed, a badge was clicked. These are tied to a random session identifier (see section 9), not to a person. We use them to know whether the product works. We do not use them to build a profile of you, because there is no you here to build one of.

3.8 What we deliberately do not collect

No third-party analytics. No advertising or retargeting pixels. No session recording. No fingerprinting. No data purchased from brokers. No cross-site tracking of any kind. We do not follow you anywhere else on the internet, and we have not built the machinery to.

4. Photographs — and where they go

A label photograph is taken inside your home. We treat it that way.

4.1 EXIF and GPS are stripped before anything else happens

Every uploaded photograph has its EXIF and GPS metadata removed on our server before it is stored, before it is hashed, and before it is transmitted anywhere. The location where you photographed a crib is not something we want, keep, or could hand over.

4.2 The photograph is sent to Anthropic to be read

When you photograph a tracking label, that image is transmitted to Anthropic, PBC — a third-party AI provider — whose model reads the text on it and returns the brand and model number it believes it sees.

Most companies would file this under “automated processing” and leave you to work it out. We are putting it in a box in the middle of the page, because if we were you, it is the one thing we would want to know.

What is sent: the stripped photograph. Nothing else. No name, no email, no account, no session identifier travels with it. Anthropic does not use it to train models.

4.3 What we cannot promise you

We can tell you we removed the metadata. We cannot tell you what is in the frame.

If a driving licence was lying on the table next to the crib, if a face is reflected in the plastic, if a letter with your address on it is in the corner of the shot — that is in the photograph, and it goes where the photograph goes. We have no way to detect it and we will not pretend we do.

This is why the camera screen says: photograph the label, not the room. It is the one piece of privacy advice on this site that actually depends on you.

4.4 A machine reading is a guess

The model misreads labels. We show you what it read and require you to confirm it before we screen, and we discard any value it returns that does not literally appear in the text it was given. It is still a guess until you check it.

4.5 Why photographs are permanent while a certificate exists

A certificate is bound to the SHA-256 hash of the photograph. That is what makes it verifiable rather than merely signed: anyone can fetch the image, hash it, and check it against the document. If we deleted the photograph, the certificate would become an assertion nobody could check.

So the photograph lives as long as the certificate does. If you want it gone, the certificate goes too — ask us, and we will destroy both.

5. How we use what we collect

  • To run the screening you asked for.
  • To read a label you photographed.
  • To issue, sign, store, and serve a certificate you bought.
  • To take a payment you made.
  • To send you a record you asked us to send you.
  • To know whether the product works, in aggregate, so we can fix it when it does not.
  • To keep the service up, secure, and free of abuse.
  • To comply with the law.

We do not sell, rent, lease, or trade personal information to anyone, for any purpose, under any circumstances. We do not share personal information for cross-context behavioural advertising. We do not run advertising at all, and we do not build advertising profiles.

6. Legal basis for processing (GDPR)

If you are in the European Economic Area or the United Kingdom, we process personal data on these bases:

WhatWhyBasis
Running a screening; reading a labelTo deliver the thing you asked forArt. 6(1)(b) — performance of a contract
Issuing a certificate; taking paymentTo deliver what you paid forArt. 6(1)(b) — performance of a contract
Emailing you a record you requestedBecause you asked us toArt. 6(1)(a) — consent
Server logs; abuse prevention; securityTo keep the service running and unabusedArt. 6(1)(f) — legitimate interests
Aggregate product measurementTo know whether the product worksArt. 6(1)(f) — legitimate interests
Retaining payment recordsTax and accountingArt. 6(1)(c) — legal obligation

We do no automated decision-making producing legal or similarly significant effects concerning you within the meaning of Article 22. The Service makes a determination about an object — whether a model number matches a recall record — not about a person.

7. Who else touches your data

These are our sub-processors. This list is the honest answer to “who else sees my label photograph”, and it is published in full rather than hidden behind the phrase “service providers”.

CompanyWhat it doesWhat we send itWhere
Anthropic, PBCReading the text on a photographed tracking label — the brand and model number — so it can be screened.The label photograph itself, after EXIF and GPS metadata have been stripped from it on our server. No name, email, or account is attached to it.United States
Vercel Inc.Hosting the website and running the application.Requests to the site, including IP address and user agent, as an inherent property of serving a web page.United States
Supabase, Inc.The database and the storage bucket that holds label photographs.Screening records, certificates, label photographs, and any email address you choose to give us.United States
Stripe, Inc.Taking payment for a certificate.Your payment details, which you enter on Stripe’s own form. We never see or hold your card number.United States
Resend (Plus Five Five, Inc.)Sending you the screening record you asked us to email you.Your email address and the contents of that one message.United States

We will update this list before a new sub-processor begins receiving data, not after. The current version always lives at /subprocessors.

8. Data retention

WhatHow longWhy
A free screening with no certificate24 monthsSo we can show you your own result, and measure the product
A certificate, and the photograph it is bound toAs long as the certificate existsDeleting the photograph would make the certificate unverifiable
An email address you gave us for a record24 months, or until you ask us to delete itSo the record can be re-sent if you lose it
Payment records7 yearsTax and accounting obligations
Server logs30 daysSecurity and debugging
Aggregate, non-identifying countsIndefinitelyThey are not about anyone

We will hold data longer where the law requires it or where it is subject to a legal hold. If that ever applies to you, we will say so.

9. Cookies

There are two, both strictly necessary, neither shared with anyone:

NameWhat it is forDuration
cs_sidTies the screenings you run in one visit together, so a result page can be shown back to you, and so we can count how many people used the tool without knowing who any of them are. It is a random number. It is not linked to your name or your email.1 year
cs_refIf you arrived here by clicking a ShelfStamp badge on someone else’s listing, this records WHICH certificate sent you — first touch only, never overwritten. It is how we know whether the badge works at all. It holds a certificate number, not a person.30 days

That is also why this site has no cookie banner. Not because we found a loophole, but because there is nothing to consent to. The full detail is in the Cookie Policy.

10. Certificates are private by default

Every certificate is marked noindex when it is issued. It is reachable only by its address, and that address contains 160 bits of randomness — it cannot be guessed, and certificates cannot be enumerated.

You can make a certificate publicly listed. That is a choice you make, not a default we chose for you.

11. Security

Data is encrypted in transit. Certificates are signed with an Ed25519 key, and the signature covers the verdict, the photo hash, and the data-freshness timestamps — so none of them can be altered after the fact without breaking it. Photographs are content-addressed, which means the bytes at a given address can never change. Screening records are append-only at the database level, enforced by a trigger rather than by a promise.

No system is impregnable, and we will not tell you ours is. What we can tell you is what we would do if it failed: we would tell you, quickly, in plain language, and we would tell you what we did not yet know. Details are in the security policy.

12. Your rights

12.1 Everyone, regardless of where you live

You can ask us what we hold about you, ask for a copy, ask us to correct it, and ask us to delete it. Write to privacy@shelfstamp.com. We will respond within 30 days.

The practical difficulty is a good one to have: for most people we hold nothing linked to them at all, so there is nothing to produce. If you bought a certificate, quote its number and we can find you. If you did not, we most likely cannot — not because we are refusing, but because we genuinely do not know who you are.

12.2 If you are in the EEA or the UK (GDPR)

You additionally have the rights of access, rectification, erasure, restriction, data portability, and objection, and the right to withdraw consent at any time. You may lodge a complaint with your supervisory authority, and you do not have to come to us first.

12.3 If you are in California (CCPA/CPRA)

You have the right to know what personal information we collect and how it is used; to delete it; to correct it; to opt out of its sale or sharing; and not to be discriminated against for exercising any of these.

On the opt-out: we do not sell personal information and we do not share it for cross-context behavioural advertising. There is nothing to opt out of. That is why there is no “Do Not Sell” link in our footer — not an oversight, an absence.

12.4 Other US states

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other states with comprehensive privacy statutes have substantially similar rights. Use the same address, and we will honour them.

13. International transfers

We process data in the United States. If you use the Service from the EEA or the UK, your data is transferred there. Where a transfer requires a safeguard, we rely on the European Commission’s Standard Contractual Clauses.

14. Children

The Service is for adults making decisions about children’s products. It is not directed to children, and we do not knowingly collect personal information from anyone under 13. If you believe a child has given us personal information, write to privacy@shelfstamp.com and we will delete it.

Note what this service does not do, because the subject matter invites the assumption: we collect no information about any child. We collect information about objects. There is no field anywhere in this system for a child’s name, age, or anything else about them, and there never will be.

15. Changes to this policy

We may update this policy. If a change is material we will post the new version with a new version number and effective date at least 14 days before it takes effect. We will not retroactively reduce the protections that applied to data we already hold.

16. Contact and data-subject requests

CLV Media, LLC
10850 Providence Rd, Suite 1325, Charlotte, NC 28277
privacy@shelfstamp.com