DRAFT. This document has not yet been reviewed by legal counsel and is not in effect. Placeholders in [BRACKETS] are unfilled. Do not rely on this text.

SCPC Privacy Policy — DRAFT FOR ATTORNEY REVIEW

STATUS: DRAFT. Not reviewed by counsel. Placeholders: [COMPANY], [STATE],
[CONTACT_EMAIL], [EFFECTIVE_DATE]. Written to be readable — keep it that way.

Effective date: [EFFECTIVE_DATE]

What we collect

- Account: email address and authentication data (managed by our backend

provider, Supabase).

- Your card data: the cards you catalog — details like player, set, year,

serial, condition, prices (asking, estimated, and sold), listing status,

notes, and the photos you take of cards.

- App logs: diagnostic logs are stored ON YOUR DEVICE to help you

troubleshoot; they are not sent to us automatically.

- What we do NOT collect: your AI API keys (stored only in your device's

credential store), your eBay password (eBay sign-in happens on eBay's site),

payment card numbers (we don't process payments today).

How we use it

- To run the Service: sync your cards and images between your devices, create

the eBay listings you ask for, and show you your own reports.

- Pooled, de-identified card data: we combine card-level details across

all users — with account identifiers removed — to build pricing, trend, and

hype analysis that powers the product (and features like community reports).

A one-of-one card is inherently distinctive, so features that would showcase

a specific card to other users are opt-in per card and never include your

identity, location, or precise timing.

- We do NOT sell your personal information.

Who processes your data (service providers)

- Supabase — database, authentication, image storage (backend host).

- Cloudinary — hosts listing images, under YOUR Cloudinary account/keys.

- AI providers (Google, Anthropic) — when you use AI features, card

images/details are sent to the provider you configured, under YOUR API keys

and their terms.

- eBay — listing/order data flows to and from eBay under your

authorization.

[ATTORNEY: confirm processor vs controller framing; add DPA links.]

Retention and deletion

Your card data persists while your account is active. If you delete your

account, we delete your account-linked data within [30] days, except:

(a) records we must keep for legal reasons, and (b) already-de-identified

pooled data, which cannot be re-linked to you and is retained.

[ATTORNEY: confirm de-identified retention position under applicable law.]

Your choices

- Edit or delete cards anytime; deletions sync everywhere.

- Card showcase features are opt-in per card, default off.

- Export your data anytime (built-in backup export).

- Delete your account: [CONTACT_EMAIL] (self-serve deletion planned).

Security

Row-level security isolates each account's data server-side; API keys live in

your OS credential store, not our database; images and sync travel over TLS.

No system is perfectly secure; report concerns to [CONTACT_EMAIL].

Children

The Service is not directed to children under 13 (or the minimum age in your

region), and we do not knowingly collect their data.

Changes

Material changes will be announced in-app or by email before they take

effect.

Contact

[COMPANY] · [CONTACT_EMAIL] · [STATE]

[ATTORNEY: add state-specific sections as user base requires — e.g.,

California (CCPA/CPRA) disclosures — before public launch.]