Privacy Policy

Last updated: 25 April 2026

1. What We Collect

We collect different categories of information depending on how you interact with the Service:

Data	Purpose	Retention
Email address	Account creation, login, and transactional emails (verification, password reset)	Until you delete your account
Password	Authentication (stored as a one-way bcrypt hash — we never store or see your plaintext password)	Until you delete your account
Display name (optional)	Shown alongside your activity within the platform	Until you delete your account
IP address	Rate limiting and abuse prevention (login lockout, signup throttle)	In-memory only, not persisted to disk
Currency preference	Display prices in your preferred currency	Until you delete your account
Watchlist entries	Your saved brand/model alerts	Until you delete your account
Contact form messages	To receive and respond to your inquiries	Until resolved and deleted by admin

2. Listing Data (Third-Party Information)

The watch listings displayed on Catch Watch are sourced from WhatsApp trading groups. Listing messages — including trader contact details, prices, and watch descriptions — are parsed by AI and stored to power the marketplace view. This data originates from messages voluntarily posted by traders in group chats and is not submitted by platform users.

We process this third-party data on the basis of legitimate interest: providing market intelligence to the luxury watch trading community. Traders whose information appears on the platform may contact us at support@catch.watch to request removal of their data.

3. How We Use Your Information

• Account management: to create and maintain your account, verify your email, and reset your password.
• Service delivery: to display listings, apply your currency preference, and deliver watchlist alerts.
• Security: to detect and prevent abuse, enforce rate limits, and protect against unauthorized access.

We do not use your information for advertising, profiling, or marketing purposes.

4. Third-Party Services

We use the following third-party services to operate the platform:

• Resend — for sending transactional emails (verification, password reset). Your email address is shared with Resend solely for this purpose.
• Google Gemini AI — for parsing listing messages into structured data. Raw message text from WhatsApp groups (not your account data) is sent to Google's API for processing.
• WhatsApp connection service — for users who choose to connect their own WhatsApp account via the Bring-Your-Own Groups feature (see Section 11). The service relays messages from groups you join to our servers; we do not control or store data on the connection service beyond what is necessary to receive your messages.
• Hetzner — cloud server hosting (European Union).

We do not sell, rent, or share your personal information with any other third parties.

5. Cookies & Sessions

We use a single session cookie to keep you logged in. This cookie is:

• HttpOnly (not accessible to JavaScript)
• Secure (transmitted only over HTTPS)
• SameSite=Lax (not sent on cross-site requests)

We do not use tracking cookies, analytics scripts, or third-party cookies of any kind.

6. Data Security

We protect your data with industry-standard security measures including encrypted connections (TLS), bcrypt password hashing, CSRF protection, rate limiting, and security headers. However, no system is 100% secure and we cannot guarantee absolute security.

7. Your Rights

You can at any time:

• Access your account data from your account settings page.
• Update your display name, password, or currency preference.
• Delete your account and all associated data from your account settings page. Deletion is immediate and irreversible.

8. Data Retention

Account data is retained until you delete your account. When you delete your account, all personal data (email, password hash, display name, watchlist entries, and activity logs) is permanently removed.

9. Children

The Service is not intended for anyone under 18 years of age. We do not knowingly collect information from children.

10. International Data Transfers

Your data is stored on servers located in Germany (Hetzner). If you access the Service from outside the European Union, your data may cross international borders. By using the Service, you consent to the transfer of your information as described in this policy.

11. Bring-Your-Own WhatsApp Groups (Optional Feature)

If an admin grants you access to the Bring-Your-Own Groups feature, you can connect your own WhatsApp account so messages from groups you are already a member of flow into Catch Watch alongside our curated public groups. This is opt-in, granted by an admin, and can be revoked at any time. If you do not use this feature, none of the data flows in this section apply to you.

What we collect when you connect your account

Data	Purpose	Retention
Your WhatsApp phone number	Required to provision the WhatsApp connection	Until your account or session is deleted
WhatsApp group identifiers and names you choose to add	To filter which groups' messages we ingest	Until you remove the group or delete your account
Raw text of messages posted in groups you've added	Parsed into structured listings (same as Section 2 above)	As described in our standard listing data retention
Per-group counters (messages received per day / total)	To show you and admin that the connection is alive and to enforce per-user rate caps	Until you remove the group; daily counter resets nightly

What we do not collect

• We do not read, store, or process direct messages, status updates, broadcasts, or messages from groups you have not explicitly added.
• We do not monitor your WhatsApp activity outside the groups you select.
• We do not store or display your phone number publicly. Only admins can see it on the per-user configuration page.

Visibility of your data

• Listings parsed from your private (non-public) groups are visible only to you, to admins, and (where the same group is also owned by another user) to those co-owners. They are not exposed via our public sync API or shown to other Catch Watch users by default.
• Cross-user matches involving private groups are visible only to admins.
• Other Catch Watch users never see your group names.

Your control

• You can remove any group from your account at any time. Removed groups stop being ingested immediately.
• You can ask an admin to disconnect your WhatsApp link at any time. Disconnecting stops ingestion and revokes the WhatsApp connection.
• Deleting your Catch Watch account also removes your WhatsApp connection configuration and your group selections. Listings already ingested from your groups remain in the system as historical market data, with any direct link to you removed.

WhatsApp's own terms

Connecting your WhatsApp account uses WhatsApp's "Linked Devices" feature. You remain responsible for compliance with WhatsApp's terms of service when using your WhatsApp account in this way. Catch Watch does not control WhatsApp and cannot guarantee that the connection will continue to work if WhatsApp changes its policies or technical interfaces.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the most recent update at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.

13. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us or email support@catch.watch.