1. Data controller
Trade name: ProStrike
Controller: Benjamin Perry
Address: 37 Chemin du Puissanton, Entrée A, 06220 Vallauris, France
DPO email: support@lostnfound-app.com
2. Data we collect
2.1 Account data
- Email address: for authentication and notifications
2.2 Search data
- Uploaded images: photos of the items you're looking for
- Search country: to prioritize relevant resale platforms
- Search results: links, images, and metadata from detected listings
- Public sharing (optional): if you enable a sharing link, a public page may display the item photo, country, monitoring dates, and related results until you disable sharing or delete the search
2.3 Payment data
- Billing address: name, address, city, postal code, country
- Tax details (optional): company name, VAT number
Important: Your card details are processed directly by Stripe and are never stored on our servers. We only store a secure reference identifier.
2.4 Technical data
- Sign-in logs: timestamp, IP address (anonymized)
- Preferences: language, display theme
- First-party identifiers: anonymous and session identifiers used to deduplicate events, relate journeys, and protect measurement integrity
- Attribution parameters: UTMs, ad click IDs, email parameters, referral / affiliate references, and provenance information when present in the URL
- Support chatbot: message content, conversation identifier, language, pseudonymized IP address, and technical signals needed to run the feature and prevent abuse
2.5 Tracking and attribution data
- Consent data: cookie / measurement / advertising choices, consent source, banner version, and timestamp of the decision
- Product and marketing events: page views, onboarding steps, CTA clicks, subscription, payment, email, and search events where the applicable legal basis allows it
- Email clicks: email type, clicked link, related search, and destination URL to measure post-click journeys and prepare future referral / affiliate programs
- Per-search email preferences: whether result alerts and optional upgrade / re-engagement emails remain enabled for a specific search
3. Purposes of processing
We use your data to:
| Purpose | Legal basis |
|---|---|
| Create and manage your account | Contract performance |
| Run visual searches | Contract performance |
| Send you match alerts | Contract performance |
| Process your payments | Contract performance |
| Send you account-related information | Contract performance |
| Keep invoices (10 years) | Legal obligation |
| Improve the service | Legitimate interest |
| Measure journeys, understand acquisition sources, and diagnose funnel friction | Consent, except where measurement is strictly necessary or exempt under applicable law |
| Feed explicitly enabled advertising platforms with web/server-side events | Consent |
| Prepare referral / affiliate attribution and measure email click journeys | Legitimate interest or consent depending on the signal and the applicable jurisdiction |
| Answer your questions through the support chatbot and keep the history needed for follow-up | Legitimate interest |
| Generate a public sharing link and display search data when you enable that option | Contract performance / at your request |
| Send guidance, upgrade, or re-engagement emails related to a search when you keep optional emails enabled | Consent |
4. Retention period
| Data type | Retention period |
|---|---|
| Account data | Subscription period + 3 years |
| Uploaded images | Deleted when monitoring for the related search ends |
| Search results | 30 days after expiration or manual deletion |
| Billing data | 10 years (legal accounting obligation) |
| Unverified accounts | Deleted after 24 hours |
| Consent preferences | 6 months for the consent cookie, then proof archived according to applicable obligations |
| First-party tracking events | Maximum 25 months in our measurement tables unless local law requires a shorter period |
| Attribution parameters and email clicks | 90 days for attribution cookies, then up to 13 months in the analytics database unless you object or a shorter retention applies |
| Public share tokens | Until you disable sharing or delete the related search |
| Support chatbot conversations | 12 months after the last message, then deleted |
5. Processors and data transfers
To provide our service, we use the following processors:
| Processor | Role and location |
|---|---|
| Supabase | Database, authentication · USA |
| Stripe | Secure payments · US / Ireland |
| Vercel | App hosting · USA |
| Resend | Transactional email delivery · USA |
| SerpAPI (Google Lens) | Image analysis and retrieval of public matches · USA |
| OpenRouter | Support chatbot inference and AI model routing · USA |
| Tag infrastructure, analytics, consent mode, and advertising measurement when those services are enabled · EU / USA | |
| Meta | Advertising measurement, audiences, and conversions when Meta Ads is enabled · EU / USA |
Transfers outside the EU: Our US-based processors comply with the EU-U.S. Data Privacy Framework or use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.
6. Your rights
Under the GDPR, you have the following rights:
Right of access
Get a copy of your personal data
Right to rectification
Correct inaccurate or incomplete data
Right to erasure
Request deletion of your data
Right to data portability
Receive your data in a structured, commonly used format
Right to object
Object to certain processing
Right to restriction
Temporarily limit processing
To exercise your rights, email support@lostnfound-app.com with a copy of your ID. We will respond within 30 days.
You can also withdraw or adjust your consent at any time from the cookie preferences panel available on the site.
7. Data security
We implement the following security measures:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest
- One-time code authentication
- User-level data isolation (Row Level Security)
- Automatic deletion of unverified accounts (24h)
- Rate limiting for sign-in attempts
- Secure cookies (HttpOnly, Secure, SameSite)
- First-party server-side routing to reduce direct exposure to ad platforms
- Hashing or pseudonymization of technical signals where relevant
8. Cookies
To learn more about the cookies we use, see our Cookie Policy.
9. Changes
We may update this policy at any time. If we make material changes, we will notify you by email. The last updated date is shown at the top of this page.
10. Complaint
If you believe your rights are not being respected, you can file a complaint with the relevant supervisory authority:
CNIL (Commission Nationale de l'Informatique et des Libertés (France))
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
11. Contact
If you have any questions about this Privacy Policy, contact us at: support@lostnfound-app.com