Privacy Policy
Last updated: 4 July 2026
1. Who we are
GearHub is a product of Kingstone Consultancy Ltd. Kingstone Consultancy Ltd is the data controller for personal data processed through the GearHub mobile apps, website, and API (together, the "Service"). Our registered address is No1 Parkside Court, Greenhough Road, Lichfield, Staffordshire, United Kingdom, WS13 7FE. You can contact us about privacy matters at serious-stuff@gearhub.tech.
This policy explains what personal data we collect, why, how long we keep it, who we share it with, and the rights you have over it under UK GDPR.
2. Data we collect
We collect the following categories of personal data, generally provided directly by you as you use the Service, or generated automatically by your use of it:
- Identity & profile: username, display name, avatar, bio, contact email, contact phone, Instagram handle, music link, band name, genre/role, personal website, date of birth, privacy setting (public/private profile), verification status/role, your invite code, admin flag, preferred display currency, and account creation date.
- Location data: your typed hometown (name and coordinates) and, only if you opt in, a live current-location snapshot. These are used to power nearby-stolen-gear alerts and to match recovery-case claimants by area. This location data is coarse, and current-location sharing can be turned off at any time (which also deletes the stored snapshot); hometown location is used in the same way whenever it's set.
- Gear records: category, type, brand, model, series, year, serial number (and its format-verification status), finish, condition, freeform spec fields, purchase price, purchase date, estimated value, currency, notes, "story" text, photos, public/private and per-field visibility settings, a unique identifying code, status (active/stolen/recovered), and any stolen-report notes.
- Gear history & sub-records: ownership transfer history; component/part records (slot, brand, model, serial, source, install/removal dates); modification history; name-change history; timeline contributions (photos/captions and their approval status); service records (technician/shop name, cost, dates, and shared vs. private notes); appearance history (tours/shows/studio sessions); and, for manufacturer/dealer accounts, company records, gear templates, and brand submissions/change requests.
- QR & possession verification: persistent QR credentials for your gear and their scan logs (who scanned, the result, and any suspicious-activity flags), plus single-use rotating possession tokens (issued/consumed/expiry).
- Recovery & theft data: recovery case records linking a reporter and a claimant, including the claimant's location snapshot at the time of a match.
- Vault data (zero-knowledge): a key-derivation salt, your wrapped master key material, a verifier value, and — if you enable it — a TOTP secret and failed-attempt/lockout state. We never have access to, and cannot derive, your plaintext passphrase, recovery key, or file contents. Encrypted attachment metadata (encrypted filename, wrapped per-file key, size, and kind) is stored on our servers, but the actual file bytes are stored encrypted in Cloudflare R2 and never pass through our API server unencrypted.
- Social graph & activity: friendships (requester, addressee, and status), asymmetric follows, blocks, feed activity events and their visibility level, reactions, notifications, and referral relationships (who referred whom).
- Financial data: an encrypted purchase-price/valuation blob, stored separately from the main gear record.
- Access-control records: per-item service-permission grants (an owner granting another user access to a specific gear item) and their revocation state.
- Administrative/audit data: an audit log of admin/owner actions, recording the actor, action, target, and a human-readable summary and field-level diff. This log never includes vault secrets or other raw sensitive payloads.
- Device & technical data: push notification tokens (Expo push tokens and Apple Push Notification service tokens, with platform), and IP addresses captured for rate-limiting and abuse prevention — not for tracking or profiling you.
3. How we use your data
We use your data to: provide and operate the Service (accounts, gear records, sharing, verification, QR/possession features); power stolen-gear alerts and recovery-case matching; secure the vault feature while preserving its zero-knowledge guarantees; prevent abuse and enforce rate limits; provide customer support; and enforce these Terms, including the minimum age requirement.
AI-assisted features: if you import a gear listing from a URL, or request AI-generated spec or description suggestions, the fetched page content and/or the gear details you provide are sent to OpenAI for processing. This is a distinct data flow from our own storage — treat it as sharing that content with OpenAI for the purpose of generating a suggestion.
Advertising: the GearHub Expo mobile app shows native ads supplied by Google AdMob in the feed. AdMob may collect its own data (such as device identifiers) under its own privacy policy; we do not control and are not responsible for AdMob's own data practices. See Google's policies for details.
4. Who we share data with
We do not sell your personal data. We share data with the following third-party processors, each engaged to help us run the Service:
- Clerk — authentication and identity (account credentials, session management, sign-in).
- Cloudflare R2 — encrypted storage for vault attachment file bytes.
- Neon — hosting of our production database.
- OpenAI — processing for AI-assisted gear-listing and spec/description features.
- Apple Push Notification service (APNs) — delivering push notifications to the native iOS app.
- Expo Push Service — delivering push notifications to the Expo mobile app.
- Google AdMob — serving native advertising within the Expo mobile app's feed.
5. Internal (admin/owner) access
GearHub administrators and the app owner can access user data through internal moderation and support tooling — for example, to review reported content, resolve disputes, or provide support. This is a separate, internal access path from the third-party sharing described above, and internal actions of this kind are recorded in an audit log (see "Data we collect").
6. The vault: what it protects, and its limits
The vault is designed so that we cannot read its contents: your passphrase and recovery key are never sent to or stored by our servers in usable form, and file bytes are encrypted client-side before being uploaded. We only ever hold the pieces described in "Data we collect" above (salt, wrapped keys, a verifier, optional TOTP state, and encrypted attachment metadata).
The direct consequence of this design is that we cannot recover your vault contents for you. If you lose both your passphrase and your recovery key, that data is permanently unrecoverable — not just by us, but by anyone. TOTP, where enabled, is the only vault-related check we can perform server-side; it does not let us decrypt or verify the plaintext contents of your vault.
7. Data retention
We retain your account and gear data for as long as your account is active, and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Audit logs of admin/owner actions are retained for accountability purposes. You can request deletion of your account and associated data at any time (see "Your rights" below); some records, such as audit log entries, may be retained where necessary for our legitimate interests in security and accountability.
8. Your rights (UK GDPR)
Subject to applicable law, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request deletion of your data; request a portable export of your data; object to or restrict certain processing; and withdraw consent where processing is based on consent (for example, current-location sharing or AdMob-served ads, where applicable).
To exercise any of these rights, contact us at serious-stuff@gearhub.tech. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your data properly.
9. Children's privacy and minimum age
The Service is not directed at, and we do not knowingly collect personal data from, anyone under 16. We collect date of birth at signup specifically to enforce this minimum age. If we become aware that we have collected personal data from someone under 16, we will take steps to delete that data and close the account. We do not offer a parental-consent pathway; the minimum age is a hard requirement rather than a feature we adapt for younger users.
10. Security
We use reasonable technical and organizational measures to protect your data, including encryption in transit, encrypted storage for vault attachments, rate limiting on sensitive endpoints, and audit logging of privileged actions. No system is perfectly secure, and the vault's zero-knowledge design specifically means that even we cannot help you recover lost vault credentials — see "The vault" above.
11. International transfers
Some of our third-party processors (listed above) may process or store data outside the United Kingdom. Where this happens, we rely on appropriate safeguards required under UK data protection law, such as standard contractual clauses or an adequacy decision.
12. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will take reasonable steps to notify active users (for example, in-app). The "last updated" date at the top of this page reflects the most recent revision.
13. Contact us
Questions about this Privacy Policy, or requests relating to your data, can be sent to serious-stuff@gearhub.tech, or by post to Kingstone Consultancy Ltd, No1 Parkside Court, Greenhough Road, Lichfield, Staffordshire, United Kingdom, WS13 7FE.