Last Updated: January 25, 2026
CardCrush Sports ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sports card scanning and collection management service.
1. Information We Collect
1.1 Personal Information
When you register for an account, we collect:
- Email address
- Account credentials (encrypted password)
- Profile information (username, avatar)
- Payment information (processed securely through third-party providers)
1.2 Card Collection Data
When you use our scanning service, we collect:
- Images of your sports cards (front and back)
- Card metadata (player names, teams, years, sets)
- Collection organization preferences
- Physical location tracking data (if enabled)
1.3 Usage Information
We automatically collect:
- Device information (browser type, operating system)
- IP address and general location data
- Usage patterns and feature interactions
- Performance and error logs
1.4 Camera & Device Permissions
CardFlux uses your device camera solely to scan trading cards for identification purposes. Camera access is only requested when you initiate a scan and is not used for any other purpose.
- Camera images are processed locally or sent to our servers only when you explicitly upload a card for scanning
- We do not store camera images unless explicitly uploaded by the user
- No background camera access is requested or used
2. How We Use Your Information
We use your information to:
- Provide and maintain our card scanning and collection management services
- Process your card images using AI to identify and catalog cards
- Enable collection organization, search, and management features
- Process payments and manage subscriptions
- Send service-related notifications and updates
- Improve our services through analytics and user feedback
- Detect and prevent fraud or unauthorized access
- Comply with legal obligations
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your data based on:
- Consent: You have given clear consent for us to process your personal data for specific purposes
- Contract: Processing is necessary to fulfill our service agreement with you
- Legal Obligation: Processing is necessary to comply with applicable laws
- Legitimate Interest: Processing is necessary for our legitimate business interests, such as improving our services
4. Data Sharing and Disclosure
We do not sell user data — ever. We may share your data only with:
4.1 Service Providers
- Cloud hosting and storage providers (Supabase)
- AI processing services (OpenAI) for card identification
- Payment processors for subscription management
- Email service providers for communications
4.2 Legal Requirements
We may disclose your information when required by law or to protect our rights, safety, or property.
5. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request copies of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data
- Restrict Processing: Request limitation of data processing
- Data Portability: Receive your data in a portable format
- Object: Object to data processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, please contact us at support@cardflux.io.
6. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Required for basic site functionality
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how you use our service
You can manage your cookie preferences through our cookie settings banner or your browser settings.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit and at rest
- Regular security audits and monitoring
- Secure authentication mechanisms
- Access controls and data minimization
- Regular backups and disaster recovery procedures
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
8. Data Retention
We retain your personal data only as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained while your account is active
- Card collection data: Retained until you delete it or close your account
- Transaction records: Retained for 7 years for tax and accounting purposes
- Usage logs: Retained for 90 days unless required for security investigations
9. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for data transfers
- Data Processing Agreements with service providers
10. Children's Privacy
Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes by email or through a prominent notice on our service. Your continued use after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or to exercise your rights:
CardFlux
Email: support@cardflux.io
For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority.