Privacy Policy

Last updated: 2026-07-01

This Privacy Policy explains how AutographCOA, LLC ("AutographCOA", "we", "us", or "our") collects, uses, shares, and protects information when you visit autographcoa.com or use our authentication services. It also describes your choices and rights, including those under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA). Because authentication services work differently from general e-commerce, Section 5 ("Authentication submissions and public COA records") explains the specific treatment of items submitted for authentication and Certificates of Authenticity that we issue.

1. Information we collect

Information you provide

  • Account & order details: name, email address, mailing address, phone number, and any item details you submit for authentication.
  • Authentication submissions: item details (signer, item type, claimed provenance, any history you choose to share) and photographs of the item that you upload. See Section 5 for how these are used, retained, and displayed.
  • Payment information: when you place an order, payment card data is collected and processed by our PCI-compliant payment processor. We do not store full card numbers on our servers.
  • Support communications: messages, support tickets, and any attachments you send us.

Information we collect automatically

  • Usage and device data: IP address, browser type, operating system, referring URL, pages viewed, and timestamps.
  • Cookies and similar technologies: see the Cookies section below.

2. How we use your information

  • To process orders, fulfill authentication services, and issue Certificates of Authenticity ("COAs").
  • To maintain a verifiable archive of issued COAs (see Section 5).
  • To communicate with you about your account, orders, and support requests.
  • To operate, secure, and improve the website.
  • To detect and prevent fraud, including counterfeit autographs, and to enforce our terms.
  • To train and improve the AI tools we use for customer support and authentication, using the content of customer communications (support tickets, chat, email, and SMS). See Section 2A.
  • With your consent or where otherwise permitted by law, to send marketing emails about our services. You can unsubscribe at any time.
  • To comply with legal obligations.

2A. Use of communications to train AI

We use the content of communications between you and our team — including support tickets, chat messages, email, and SMS — to train, evaluate, and improve the AI tools we use for customer support and authentication. This helps us respond faster and more consistently. Where practical, we minimize or remove directly identifying details before this content is used for training.

Some of these AI tools are provided by third-party technology vendors that process this content on our behalf, under contracts that require them to protect it and prohibit them from using it to train or improve their own general-purpose models. We do not sell your personal information.

3. Legal bases (GDPR)

If you are in the EEA or UK, we process your personal data on the following legal bases: performance of a contract (to provide our services), our legitimate interests (to operate and secure our site, to maintain a verifiable authentication archive, to detect and respond to forgeries, and to prevent fraud), your consent (for marketing emails and non-essential cookies), and compliance with legal obligations.

4. How we share information

We do not sell or rent your personal information. We share it only as described below and, for authentication-specific sharing, in Section 5:

  • Service providers: hosting, payment processing, email delivery, analytics, and customer support vendors who process data on our behalf under contract.
  • AI technology providers: vendors that provide the AI tools we use for customer support and authentication, who process communication content on our behalf under contract and are prohibited from using it to train their own general-purpose models.
  • Legal and safety: when required by law, subpoena, or court order, or to protect the rights, property, or safety of AutographCOA, our users, or others.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to this Privacy Policy.

5. Authentication submissions and public COA records

Authentication is the core of our service, and it places some information outside the normal e-commerce pattern described above. Please read this section carefully before submitting an item.

Customer-submitted photographs

Photographs you upload of an item sometimes incidentally contain personal information beyond the item itself — for example, return labels, prior dealer paperwork, inscriptions, handwriting, or other items visible in the frame. Submitted photographs are retained as part of the authentication record and, where a COA is issued, are displayed on the public verification page for that COA (see below). Please crop or redact anything you do not want to appear publicly before submitting.

Public Certificate of Authenticity verification

Each Certificate of Authenticity has a public verification page so that buyers, dealers, and the public can look up a COA by its number and confirm the result. The public verification page displays item details (such as the signer, item type, and our opinion) together with the customer-submitted photograph(s) of the item. The submitter's name, contact information, account details, and payment information are not displayed on the public verification page.

Long-term retention of authentication records

A Certificate of Authenticity is only useful if it can be verified years or decades after issuance, including after the original submitter has sold the item or moved on. For that reason, authentication records — including the submission, item photographs, COA number, and our opinion — are retained indefinitely as a matter of service integrity, even after associated account-level personal data has been deleted. We rely on our legitimate interest in maintaining a verifiable, tamper-resistant authentication archive, and on the interests of future buyers and the public in relying on it.

Sharing with other authenticators and industry experts

The authentication community works in part by sharing information about suspected forgeries across firms and experts. From time to time we may share item images, our opinion, and related contextual information with other authenticators or recognized industry experts to evaluate a suspected forgery or improve detection. We do not share your contact details for this purpose except where reasonably necessary.

Sharing with law enforcement

Where we believe information may be useful to law enforcement investigating counterfeit autographs, fraud, or related crimes, we may proactively share information with appropriate agencies — including item images, submission details, and the circumstances surrounding a submission — even in the absence of a subpoena or court order. We will also respond to lawful requests from law enforcement as required by Section 4 ("Legal and safety").

Effect on deletion requests

If you request deletion of your personal information under GDPR, CCPA/CPRA, or otherwise, we will honor it to the extent the law allows. Authentication records (the submission data, photographs, COA number, and our opinion) are retained on the bases described above and may not be fully deleted on request. We will tell you what we are unable to delete and why if this applies to your request.

6. Cookies and tracking

We use cookies and similar technologies to keep you signed in, remember your preferences, secure the site, and measure usage. You can control cookies through your browser settings. Disabling cookies may make some features (such as login or checkout) work incorrectly.

Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. There is no industry-standard interpretation of DNT, so our site does not currently respond to DNT signals. You can still control tracking through cookie settings and the rights described below.

Third-party analytics and advertising

We may use third-party analytics providers to understand how our site is used. We do not currently serve Google AdSense or other third-party display advertising on autographcoa.com. If that changes, we will update this policy.

7. How we protect your information

We use administrative, technical, and physical safeguards designed to protect your information, including TLS encryption in transit, restricted internal access on a need-to-know basis, and regular monitoring for vulnerabilities. Payment card data is encrypted and handled by our PCI-compliant processor. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

8. Data retention

We retain personal information for as long as needed to provide our services, comply with legal and tax obligations, resolve disputes, and enforce our agreements. When information is no longer needed for these purposes, we delete or de-identify it. Authentication records are retained on a separate basis described in Section 5.

9. Your rights

Everyone

  • Access, update, or correct your account information by signing in to your account, or by emailing us at the address below.
  • Unsubscribe from marketing emails using the link in any marketing email, or by emailing team@autographcoa.com.

EEA / UK residents (GDPR)

You have the right to request access, correction, deletion, restriction, portability, and to object to certain processing. You may withdraw consent at any time without affecting prior processing. You may also lodge a complaint with your local supervisory authority. As described in Section 5, deletion may be limited for authentication records.

California residents (CCPA/CPRA)

You have the right to know what personal information we collect, use, disclose, and share; to request deletion or correction; to opt out of any "sale" or "sharing" of personal information (we do not sell personal information and do not share it for cross-context behavioral advertising); and to be free from discrimination for exercising these rights. To exercise these rights, email team@autographcoa.com. We may need to verify your identity before responding. You may also designate an authorized agent to act on your behalf. As described in Section 5, deletion may be limited for authentication records.

10. Children's privacy (COPPA)

Our website and services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. We do not knowingly allow third parties to collect personal information from children under 13 through our site. If you believe a child has provided us with personal information, contact us and we will delete it.

11. International transfers

We operate from the United States. If you access our services from outside the United States, your information will be transferred to, stored, and processed in the United States, which may have different data protection laws than your jurisdiction.

12. CAN-SPAM

If we send you commercial email, we will identify it appropriately, include our physical address, honor opt-out requests promptly, and not use false or misleading subject lines. To unsubscribe, use the link at the bottom of any marketing email or email team@autographcoa.com, and we will remove you from all marketing correspondence.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. Material changes will be communicated through the site or by email where appropriate.

14. Contact us

AutographCOA, LLC
386 Main Street
Middletown, CT 06457
USA
team@autographcoa.com