Privacy Policy
LuxuriousComputers ("we," "us," "our") is a refurbished Apple hardware reseller based in Marion, Ohio. This Privacy Policy explains what personal information we collect on luxuriouscomputers.com, how we use it, who we share it with, and what rights you have. If anything here is unclear, email privacy@luxuriouscomputers.com and a real person will answer.
1. Information We Collect
We collect only what we need to answer you, sell you a machine, or keep the site from being abused:
- Contact form leads. Name, email, phone, model of interest, and the note you send Rick on the "Hit Rick Directly" form.
- Chat messages. The text you type into the on-site chat with Rick (AI-assisted), stored so we can follow up on your conversation.
- Trade-in details. The make/model/condition information you submit for a trade-in quote, including any photos or OCR-processed images of your machine.
- OCR images. If you upload a photo for trade-in pricing, we send the image to an AI vision model to read off model and condition. We don't keep the image longer than needed to produce the quote.
- Order + shipping information. Name, billing/shipping address, payment card details (handled by Stripe — we never see the full card number), items purchased.
- IP address + request metadata. Your plaintext IP is never persisted in our application database. When we need to write your IP to Cloudflare KV (for rate limiting, returning-visitor recognition, analytics events, the coach log, and trade-in lock records), we transform it first using one of two one-way operations:
  - Hashed — we compute sha256(your_ip + a server-side secret) and store the truncated hash as the lookup key. Same IP always hashes to the same value (so rate-limiting and the "welcome back" banner still work), but a database dump can't be reversed to a real address.
  - Network-prefix masked (50.41.x.x) — used for analytics values where a region signal is useful but the host bits aren't. The last two octets are dropped before write.
- Server logs. Cloudflare's standard edge access logs (timestamps, paths, user agents, source IP) are retained by Cloudflare under their privacy policy. We do not persist these to our own systems.
2. How We Use Your Information
- Reply to your lead, chat, or quote request.
- Process and ship your order, run warranty replacements, and issue refunds.
- Produce trade-in appraisals and apply store credit.
- Prevent abuse (rate limiting, spam blocking, fraud review).
- Improve the site, the chat answers, and the trade-in pricing model.
- Comply with law (tax records, subpoenas, court orders).
We do not sell your personal information. We do not run ad-retargeting pixels. We do not share your data with data brokers.
3. Third Parties We Use
We use a small, deliberate set of vendors to run the site. Each only sees the data it needs:
- Cloudflare — hosts this website (Cloudflare Pages), runs the edge functions behind the chat and trade-in endpoints, and stores rate-limit + lead data in Cloudflare Workers KV. Cloudflare Privacy Policy.
- OpenRouter — the AI gateway we use to power Rick's chat responses and the image-based trade-in OCR. Your chat text and OCR images are sent to OpenRouter, which forwards them to the underlying model. OpenRouter Privacy.
- Stripe — processes all payments. Stripe receives your card and billing information directly; we receive only a tokenized reference. Stripe Privacy.
- NumVerify (apilayer) — verifies that the phone number you give us is real and identifies your carrier so we can send the trade-in confirmation text via the right SMS gateway. We send only the 10-digit number; we don't share your name, address, or trade-in details with NumVerify. Result is cached one year on our side, keyed by a one-way hash of the number, so each number costs at most one lookup ever. NumVerify Privacy.
- Mailboxlayer (apilayer) — verifies any email address you submit is real and reachable before we put you on a notification list. We send only the email address. Mailboxlayer Privacy.
- Resend / SendGrid / MailChannels — outbound transactional email and (via carrier email-to-SMS gateways) the trade-in confirmation text message. The provider receives your email address (or, for SMS, the carrier email-gateway address derived from your phone number) and the message body. We use whichever provider is configured at the time; only one is active per request. Resend · SendGrid (Twilio) · MailChannels.
- Twilio (paid fallback only) — sends the trade-in confirmation text if the free email-gateway path fails. Twilio receives your phone number and the message body. Twilio Privacy.
- Carriers (FedEx, UPS, USPS) — receive name and shipping address to deliver your order.
4. Data Retention (TTLs)
All entries below auto-delete at the listed TTL. We don't run an archive copy or a backup that survives the TTL.
- Rate-limit buckets (hashed IP). ≤65 seconds. The hashed-IP key is the only IP-derived data here; no IP value is stored.
- Analytics events (page views, custom events). 14 days. Each record stores a network-prefix-masked IP only (e.g. 50.41.x.x) — never your full IP.
- Client error events. 30 days. Network-prefix-masked IP only.
- Coach hint log. 30 days. Stores your most recent chat message (so we can audit Rick's coaching quality), tagged with the network-prefix-masked IP.
- Coach session score history (keyed by hashed IP). 24 hours.
- Trade-recall record. 90 days. Lookup key is hashed IP; record value contains network-prefix-masked IP plus your trade-in details so the homepage can recognize you on return.
- Trade-lock lead. 1 year. Holds your phone, name, trade-in details, TCPA consent timestamp, and network-prefix-masked IP. Lookup keys are leadId, hashed phone, and visitor cookie ID — never plaintext IP or plaintext phone.
- Lead form submissions. Up to 2 years, then purged, unless you've become a customer.
- Chat transcripts (in your browser's localStorage). Up to 90 days. We do not store the transcript content on our servers.
- Trade-in photos. Deleted within 30 days of the quote being accepted or declined.
- Order records. 7 years, because tax and warranty law requires it.
- Warranty records. Life of the warranty + 1 year.
- Phone-validation cache (carrier lookups). 1 year. Lookup key is hashed phone; record value contains the carrier name and line type returned by NumVerify, never the digits.
4a. Lawful Basis for Processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following lawful bases (Article 6):
- Contract (Art. 6(1)(b)) — to fulfil your order, run the warranty, process trade-ins, and provide customer support. Without this data we literally cannot ship you a Mac or honor a warranty claim.
- Legitimate interests (Art. 6(1)(f)) — to prevent fraud and abuse (rate limiting, phone-number validation, basic device-fingerprint logging), to keep the site secure (server logs), and to recognize returning customers so chat picks up where you left off. We've balanced these interests against your rights and concluded they don't override yours; you can object at any time using the contacts below.
- Legal obligation (Art. 6(1)(c)) — to retain order, tax, and warranty records as required by U.S. and Ohio law.
- Consent (Art. 6(1)(a)) — for the one-time SMS confirmation when you tap "Lock it in." Consent is captured by checkbox on the dial-pad screen, and we store the timestamp + version of the disclosure you agreed to. You can withdraw consent at any time by replying STOP to the text or emailing privacy@luxuriouscomputers.com.
5. Your Rights (CCPA + GDPR)
Wherever you live, you can ask us to:
- Show you what personal data we have about you.
- Correct anything that's wrong.
- Delete your data (subject to tax/warranty record-keeping rules for past orders).
- Export your data in a portable format.
- Stop processing your data except as legally required.
- Opt out of any "sale" or "sharing" of personal information (we don't do this in the first place, but the right is yours regardless).
How to exercise your rights: Email privacy@luxuriouscomputers.com from the address on file. We'll respond within 30 days. California residents: you can designate an authorized agent. EU / UK residents: you have the right to lodge a complaint with your local data-protection authority.
6. Cookies + Local Storage
We use essential cookies and browser localStorage only. No advertising cookies. No third-party tracking pixels. No cross-site retargeting.
Specifically, we set:
- lc_visitor cookie (1 year) — a random ID that lets us recognize you on a return visit so chat picks up where you left off and your trade-in quote is still on file. Not shared.
- localStorage — your chat transcript with Rick, your trade-in quote, your name (if you gave it), and your cookie-banner choice. Stored on your device, never sent to third parties.
- sessionStorage — short-lived buy/trade intent passed between the lock-in tap and the chat handoff. Cleared when you close the tab.
You'll see a small banner the first time you visit the site that names what we set and asks you to acknowledge. Tapping OK stores your choice in localStorage so the banner doesn't reappear. You can re-open the banner at any time to revisit your choice; you can also clear the choice via the "Manage cookies" link in the page footer or by clearing site data in your browser. EU/UK visitors: because we set only strictly-necessary technical storage and your own preference, no consent is required under ePrivacy / PECR for the essential set; the optional analytics toggle inside "Customize" is the consent-required path and defaults to off when you uncheck it.
7. Children
Our services are not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has given us data, email privacy@luxuriouscomputers.com and we'll delete it.
8. Security
The site is served over HTTPS end-to-end. Payment card data is handled by Stripe and never touches our servers. Lead and chat data sits in Cloudflare Workers KV behind scoped access tokens. Access to production data is limited to Rick and anyone he explicitly authorizes. No system is perfectly secure, so we encourage strong, unique passwords on any account you create with us.
9. International Transfers
We're in Ohio, USA. Some vendors (Cloudflare, OpenRouter, Stripe) may process data in other countries. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
10. Changes to This Policy
If we materially change this policy we'll update the "Last updated" date at the top and, for meaningful changes, post a notice on the homepage. Substantive changes to how we handle leads or chat data won't be applied retroactively without notice.
11. Contact
LuxuriousComputers — Attn: Privacy
731 E Center St #200, Marion, OH 43302
Email: privacy@luxuriouscomputers.com
Phone: (740) 223-5530
See also: Terms of Service · Returns & Warranty · About Rick