STATUS: DRAFT. Not reviewed by counsel. Placeholders: [COMPANY], [STATE],
[CONTACT_EMAIL], [EFFECTIVE_DATE]. Written to be readable — keep it that way.
Effective date: [EFFECTIVE_DATE]
- Account: email address and authentication data (managed by our backend
provider, Supabase).
- Your card data: the cards you catalog — details like player, set, year,
serial, condition, prices (asking, estimated, and sold), listing status,
notes, and the photos you take of cards.
- App logs: diagnostic logs are stored ON YOUR DEVICE to help you
troubleshoot; they are not sent to us automatically.
- What we do NOT collect: your AI API keys (stored only in your device's
credential store), your eBay password (eBay sign-in happens on eBay's site),
payment card numbers (we don't process payments today).
- To run the Service: sync your cards and images between your devices, create
the eBay listings you ask for, and show you your own reports.
- Pooled, de-identified card data: we combine card-level details across
all users — with account identifiers removed — to build pricing, trend, and
hype analysis that powers the product (and features like community reports).
A one-of-one card is inherently distinctive, so features that would showcase
a specific card to other users are opt-in per card and never include your
identity, location, or precise timing.
- We do NOT sell your personal information.
- Supabase — database, authentication, image storage (backend host).
- Cloudinary — hosts listing images, under YOUR Cloudinary account/keys.
- AI providers (Google, Anthropic) — when you use AI features, card
images/details are sent to the provider you configured, under YOUR API keys
and their terms.
- eBay — listing/order data flows to and from eBay under your
authorization.
[ATTORNEY: confirm processor vs controller framing; add DPA links.]
Your card data persists while your account is active. If you delete your
account, we delete your account-linked data within [30] days, except:
(a) records we must keep for legal reasons, and (b) already-de-identified
pooled data, which cannot be re-linked to you and is retained.
[ATTORNEY: confirm de-identified retention position under applicable law.]
- Edit or delete cards anytime; deletions sync everywhere.
- Card showcase features are opt-in per card, default off.
- Export your data anytime (built-in backup export).
- Delete your account: [CONTACT_EMAIL] (self-serve deletion planned).
Row-level security isolates each account's data server-side; API keys live in
your OS credential store, not our database; images and sync travel over TLS.
No system is perfectly secure; report concerns to [CONTACT_EMAIL].
The Service is not directed to children under 13 (or the minimum age in your
region), and we do not knowingly collect their data.
Material changes will be announced in-app or by email before they take
effect.
[COMPANY] · [CONTACT_EMAIL] · [STATE]
[ATTORNEY: add state-specific sections as user base requires — e.g.,
California (CCPA/CPRA) disclosures — before public launch.]