Collector's Key

Last updated: April 22, 2026

Collector's Key (“we,” “us”) operates collectorskey.com — a free digital collection manager for U.S. and world coin collectors. This policy explains what information we collect, how we use it, and what rights you have. If you have any questions, write to us at /contact or by mail at Collector's Key, PO Box 20118, Columbus, OH 43220.

Short version

  • We collect the minimum needed to run your account: email, username, and display name.
  • Your coin collection data and uploaded photos belong to you. You can export or delete them anytime.
  • We do not sell your personal data. Ever. To anyone.
  • Analytics, affiliate, and advertising cookies are governed by the consent banner and your Settings › Privacy choices. In the EEA, UK, and Switzerland they are off until you consent; in California and other US privacy-law states you can opt out of ad personalization at any time.
  • If you want us to delete your account, email /contact or use Settings › Account › Close Account.

1. What we collect

Account information you provide

  • Email address — for login, password reset, and critical account notifications.
  • Username — your public identifier on the site and forum.
  • Display name — optional; defaults to your username.
  • Password — stored as a salted hash (bcrypt). We can never see your password.

Optional profile information

If you choose to add them: avatar image, bio, location, collecting start year, favorite series, and a public/private toggle. All of these are opt-in.

Collection data

Coins you mark as owned or wanted, photos you upload, grades and purchase prices you record, roll-hunting sessions and finds, and series you’re tracking. All of this is yours — see Your rights below for export and deletion.

Automatic technical information

  • IP address — logged server-side for a short window for security (rate limiting, abuse detection). Not attached to your profile in our databases.
  • Browser user-agent — standard web-server access logs.
  • Cookies set by Joomla (session cookie, remember-me if you check that box). See the Cookies section.

What we don’t collect

  • Payment card details. When subscriptions are enabled in the future, checkout is handled by a third-party payment processor (merchant of record) — we never see your card, only that a payment succeeded or failed.
  • Social-security or government ID numbers.
  • Location beyond country-level (inferred from your IP when you opt into bank logging in the roll-hunting feature).
  • Phone numbers, home addresses, or real name (unless you put them in a profile field yourself).

2. How we use it

  • To run your account — authenticate you, save your collection, show your achievements.
  • To send you account emails — password reset, security alerts, optional tier upgrade receipts. We do NOT send marketing emails unless you opt in.
  • To answer support questions when you email us via /contact.
  • To keep the site running — caching, security, rate limiting.
  • To comply with the law — court orders, legitimate legal requests.

3. Cookies & tracking

We use four categories of cookies:

Category Purpose Default
Essential Login session, remember-me (if you checked it), CSRF token, your theme/accent/density preferences in localStorage. The site will not function without these. Always on (legitimate interest)
Analytics Google Analytics 4 — anonymized (anonymize_ip is enabled) — helps us understand which features matter and what’s broken. No personal profile tracking. Off (you opt in)
Affiliate eBay Partner Network — when you click a sponsored coin listing, eBay reads a tracking parameter from the URL so we earn a commission on purchases. Images for sponsored listings load from eBay’s servers (images only, no tracking beacons). Off (you opt in)
Advertising Google AdSense and its partners. Third-party vendors, including Google, use cookies to serve ads based on your prior visits to this site and to other sites on the Internet. Google’s use of advertising cookies enables it and its partners to serve ads to you based on those visits. Ads may be personalized or non-personalized depending on your consent choice. Governed by the Google-certified consent banner shown in regulated regions (EEA/UK/Switzerland and US states with privacy laws). Non-personalized ads may still serve where consent is declined.

Essential cookies set by us: PHPSESSID (session), joomla_user_state (auth), and various ck_* keys in localStorage for your preferences (ck_theme, ck_accent, ck_consent_*).

Advertising cookies set by Google AdSense include identifiers used to serve ads, limit how often a given ad is shown to you (frequency capping), measure ad performance, and detect invalid traffic. You can opt out of personalized advertising across Google services at any time by visiting Google Ads Settings. You can also opt out of a third-party vendor’s use of cookies for personalized advertising by visiting www.aboutads.info (run by the Digital Advertising Alliance) or youronlinechoices.eu (EU equivalent).

You can change your analytics, affiliate, and advertising choices anytime in Settings › Privacy, via the consent banner (clear your browser’s site data and reload to re-display it), or through the opt-out links above.

4. Third parties we share data with

We do not sell your data. We share it only with these processors, and only what each one needs to do its job:

  • Cloudflare — CDN, DDoS protection, bot detection (Turnstile on the contact form). Sees your IP + request metadata for every page load. This is infrastructure, not optional.
  • Google Analytics 4 — only if you’ve opted in to analytics cookies. Anonymized. Google Privacy Policy.
  • Google AdSense — when advertising cookies are permitted, a standard set of ad-serving signals (IP address, approximate location, device and browser info, referring URL, and the URL of the page you’re viewing) is shared with Google so it can serve and measure ads. Google’s use of this data is governed by the Google Privacy Policy and the How Google uses information from sites that use its services page. Opt out anytime at Google Ads Settings or via www.aboutads.info.
  • eBay Partner Network — only if you’ve opted in to affiliate cookies and click a sponsored listing. eBay sees a tracking parameter + the standard referrer data. eBay Privacy Policy.
  • Our hosting provider — stores server logs, database, and uploaded photos. Bound by a data processing agreement.
  • R2 (Cloudflare Object Storage) — stores uploaded coin photos. Photos are tagged with your user ID internally but are not public unless you mark your profile public.
  • Kunena forum software — integrated with Collector’s Key user accounts. Same data, same policy; no external data transfer.

We do not share data with data brokers, social-media trackers, or marketing platforms beyond the processors listed above.

5. Your rights

Regardless of where you live, you have these rights at Collector’s Key:

  • Access — request a copy of the data we hold about you. Email /contact with subject “Data Access Request”; we’ll respond within 30 days. Your coin collection is already exportable to CSV or PDF from the My Collection page.
  • Deletion — we’ll permanently erase your account, collection, photos, roll-hunting logs, achievements, and forum posts. Use Settings › Account › Close Account, or email /contact. Irreversible.
  • Correction — fix any wrong information in your profile anytime via Settings.
  • Portability — your collection data exports as a standard CSV.
  • Object / restrict — turn off analytics, affiliate, or advertising consent anytime in Settings › Privacy.
  • Complain — if you believe we mishandled your data, you can contact your local data protection authority (the ICO in the UK, your state AG in the US, your DPA in the EU/EEA).

If you’re in the EU, UK, EEA, or Switzerland, our legal basis for processing your data is contract (running your account), consent (analytics, affiliate, and advertising cookies), and legitimate interest (security logs, spam prevention).

If you’re in California, under the CCPA/CPRA, you have the right to know, delete, correct, and limit the use of your sensitive personal information, and to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal and the “Do Not Sell or Share My Personal Information” choice presented in our consent banner. To exercise these rights, email /contact with subject “CCPA Request.”

6. Data retention

  • Active account: kept for as long as you use the site.
  • Deleted account: account + collection data are permanently removed within 30 days. Photos in R2 storage are also purged within 30 days.
  • Server logs: rotated every 30 days.
  • Analytics data: Google retains GA4 data for up to 14 months by default.
  • Ad-serving data: Google retains AdSense measurement and fraud-detection data per its published retention schedules; see the Google retention policy.
  • Forum posts: these are public; if you delete your account, your posts are anonymized (your username is replaced with a generic label) rather than removed, to preserve thread continuity. You can request full deletion if you prefer.

7. Children

Collector’s Key is a general-audience site. We don’t knowingly collect personal data from children under 13 (or under 16 in the EU/EEA). If you believe a child has registered, email /contact and we’ll delete the account.

8. Security

We use HTTPS site-wide, bcrypt password hashing, CSRF tokens on every form, rate limiting, Cloudflare DDoS protection, and Cloudflare Turnstile on the contact form. Photos in R2 storage are served via signed URLs when accessed from a private profile. No system is perfect; if you spot a vulnerability, please email /contact with subject “Security Report” instead of disclosing publicly.

9. International data transfers

Our hosting is in the United States. If you’re in the EU/EEA/UK, your data may be transferred to and stored in the US. Our third-party processors (Cloudflare, Google Analytics, Google AdSense, eBay) also operate in the US. We rely on the EU–U.S. Data Privacy Framework and standard contractual clauses where required.

10. Changes to this policy

If we make a material change (adding a new processor, changing how we use your data), we’ll email you at the address on your account and post a notice at the top of the site for at least 14 days before the change takes effect. Minor clarifying edits happen without notice; the “Last updated” date at the top of this page reflects the latest version.

11. Contact

Questions, data requests, or complaints:

  • Email via the contact form
  • Mail:
    Collector’s Key
    PO Box 20118
    Columbus, OH 43220
Share
Type at least 2 characters to search