Privacy Policy
Last updated: March 26, 2026
This Privacy Policy explains how PokéPrice (“we”, “us”, “our”) collects, uses, stores, shares, and protects your personal information when you use our platform. It also explains the rights you have over your data. Please read it carefully alongside our Terms of Service.
1. Who We Are and How to Contact Us
PokéPrice is the data controller responsible for your personal data. We operate a technology platform that enables collectors and vendors of Pokémon trading cards to manage inventory, display collections and listings, and connect with potential trading and purchasing partners.
Data Controller: PokéPrice
Email: support@pokeprice.app
Contact form: Contact page
2. Information We Collect
2.1 Information You Provide Directly
- Account data: Email address, display name, password (stored as a one-way bcrypt hash — we cannot recover it).
- Profile data: Bio/description, public visibility setting, social contact links (Instagram, Facebook, Discord) that you choose to add.
- Inventory and listing data: Card names, sets, grades, acquisition costs, pricing, notes, photos, and QR code identifiers that you create.
- Wants list data: Card names and sets you add to your public wants list.
- Sales and transaction records: Sale prices, dates, and notes that you record within the platform.
- Communications: Messages you send us via our contact form or support email.
- Two-factor authentication data: An encrypted TOTP secret associated with your authenticator app. We never have access to your plaintext secret after setup.
2.2 Information Collected Automatically
- Server logs: IP address, request path, HTTP method, response code, timestamp, and user-agent string. These logs are retained for up to 90 days for security and abuse-prevention purposes only.
- Session data: A signed JWT session token stored in a secure, HTTP-only cookie for authentication. Sessions expire after 30 days of inactivity.
We do not use: advertising pixels, third-party analytics trackers (e.g. Google Analytics), social media trackers, cross-site tracking cookies, or fingerprinting techniques.
2.3 Information We Do Not Collect
- Payment card numbers or bank account information (payments are handled directly by Stripe, a PCI-DSS Level 1 certified processor — we never see raw card numbers).
- Government-issued identification numbers.
- Biometric data.
- Precise geolocation data.
- Data about children (see Section 14, Children's Privacy).
3. Legal Basis for Processing (GDPR)
For users in the EU/EEA and UK, we process personal data under the following lawful bases as defined in Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide you with the Service — account creation, authentication, storing your inventory and listings, and delivering core platform features.
- Legitimate interests (Art. 6(1)(f)): Protecting our platform and users against fraud, abuse, and security threats; server logging for security diagnostics; improving platform performance and reliability. We have assessed that our legitimate interests are not overridden by your data protection rights.
- Compliance with a legal obligation (Art. 6(1)(c)): Retaining certain data as required by applicable tax, financial, or legal regulations.
- Consent (Art. 6(1)(a)): Marketing emails and product update newsletters. You may withdraw consent at any time via your account notification settings or by contacting us.
4. How We Use Your Information
- To create and maintain your account and authenticate you securely.
- To display your public listings, trade binder, and wants list to other platform users (only when you have enabled public visibility).
- To generate QR codes that link to your public listing pages.
- To provide market pricing data and price history for cards in your inventory.
- To send transactional emails: email verification, password resets, and security alerts.
- To send product update and feature announcement emails (with your consent, opt-out available at any time).
- To investigate, detect, and prevent fraudulent activity, policy violations, and security incidents.
- To comply with applicable legal obligations and respond to lawful government requests.
- To improve the platform through aggregate, anonymized analysis of usage patterns (no individual profiling).
We will never: sell your personal information to third parties; share your personal data with advertisers; use your data to build advertising profiles; or disclose your non-public data (acquisition costs, sales records, notes) to other users.
5. Public Information
The following information is publicly visible when you enable public visibility on your profile — accessible to any user of the platform and potentially indexable by search engines:
- Your display name.
- Your profile bio/description.
- Social contact links you have added (Instagram handle, Facebook name, Discord server link).
- Cards in your trade binder (name, set, grade, price or “open to offers”).
- Cards on your wants list (name, set, card number, notes).
- For vendors: public listings accessible via QR codes, including card name, set, grade, and asking price.
The following is never publicly visible: your email address, acquisition costs, internal notes, sales revenue data, account settings, or IP address. You can disable your public profile at any time from your profile settings, which will immediately remove it from the Poké Bazaar and from direct URL access.
6. Data Sharing and Third Parties
We share personal data only in the following limited circumstances:
- Infrastructure providers: Supabase (PostgreSQL database hosting on AWS us-east-1) and Vercel (application hosting). Both are engaged under data processing agreements and handle your data only on our instructions.
- Payment processor: Stripe, Inc. (PCI-DSS Level 1 certified). Stripe processes subscription payments. We receive only a tokenized reference — never raw card numbers. Stripe's privacy policy governs their processing of your payment data.
- Email delivery: Resend (transactional email provider). Your email address and email content are transmitted to Resend solely for the purpose of delivering emails you have requested (e.g. password resets, notifications).
- Legal compliance: We may disclose personal data to law enforcement, regulators, or courts when required by applicable law, valid legal process, or to protect the rights, safety, or property of PokéPrice, our users, or the public. We will attempt to notify affected users of such disclosure where legally permitted.
- Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, personal data may be transferred as part of that transaction. We will notify you via email and require re-acceptance of new terms if a transfer materially changes how your data is processed.
We do not share your personal data with any other third parties for any other purpose, including marketing, advertising, or data brokerage.
7. International Data Transfers
Our infrastructure is primarily located in the United States (AWS us-east-1). If you are located in the European Union, European Economic Area, or United Kingdom, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.
We rely on the following safeguards for international transfers from the EU/EEA/UK:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, incorporated into our data processing agreements with Supabase, Vercel, Resend, and Stripe.
- Where applicable, the EU-US Data Privacy Framework and UK Extension.
You may request a copy of the relevant transfer safeguards by contacting us at support@pokeprice.app.
8. Data Storage and Security
- All data is stored on Supabase-managed PostgreSQL hosted on AWS infrastructure in the United States.
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced on all connections).
- Data at rest is encrypted using AES-256 encryption at the storage layer.
- Passwords are hashed using bcrypt with a cost factor of 12. We cannot recover or read your password.
- Sessions are managed via signed JWT tokens stored in HTTP-only, Secure, SameSite cookies to mitigate XSS and CSRF risks.
- Two-factor authentication (TOTP via Google Authenticator, Authy, or similar) is available and strongly encouraged for all accounts.
- Database access is restricted to application-level service accounts; no direct public database access is permitted.
- We conduct periodic security reviews and promptly address known vulnerabilities.
Despite our best efforts, no method of transmission over the Internet or electronic storage is 100% secure. If you become aware of a security vulnerability, please report it responsibly to support@pokeprice.app. In the event of a data breach affecting your personal data, we will notify you and applicable regulatory authorities within the timeframes required by law (72 hours under GDPR).
9. Data Retention
We retain your personal data for as long as your account is active and for a period of up to 30 days following account deactivation, during which it may be recoverable upon request. After 30 days from deactivation, personal identifiers (email, display name, social links, IP associations) are permanently deleted or irreversibly anonymized.
Specific retention periods by data type:
- Account credentials and profile data: Retained while your account is active; deleted within 30 days of account deactivation.
- Inventory, listings, and sales records: Retained while your account is active; deleted within 30 days of deactivation. Anonymized aggregate pricing data (with no link to your account) may be retained indefinitely for market research.
- Server and security logs: Retained for up to 90 days, then deleted.
- Email correspondence: Retained for up to 3 years for support and dispute resolution purposes.
- Billing records: Retained for 7 years as required by applicable tax and financial regulations, even after account deactivation.
- Legal hold data: Where we are subject to a legal obligation to preserve data, retention will be extended for the duration of that obligation.
10. Cookies and Tracking Technologies
PokéPrice uses cookies minimally and only as strictly necessary for the platform to function.
- Session cookie: A single HTTP-only, Secure, SameSite=Lax cookie that maintains your login session. This cookie is strictly necessary and cannot be opted out of while using the Service. It expires after 30 days of inactivity.
- CSRF protection token: A token used to protect against cross-site request forgery attacks. Strictly necessary.
We do not use: advertising cookies, analytics cookies, social media tracking pixels, retargeting cookies, or any third-party tracking technologies. We do not participate in behavioral advertising networks or data broker ecosystems.
Because we use only strictly necessary cookies, a cookie consent banner is not required under ePrivacy Directive guidelines. If our cookie usage changes to include non-essential cookies in the future, we will implement appropriate consent mechanisms.
11. Your Rights (All Users)
Regardless of your location, you have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data. You can update most profile data directly from your account settings.
- Deletion: Request deletion of your account and associated personal data. You can initiate this from Settings > Danger Zone, or by contacting us.
- Data export: Request an export of your inventory and listing data in a machine-readable format (CSV).
- Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in any email or via Settings > Notifications.
To exercise any of these rights, contact us at support@pokeprice.app. We will verify your identity before processing any request and respond within 30 days.
12. Additional Rights for EU / EEA / UK Residents (GDPR / UK GDPR)
In addition to the rights in Section 11, if you are located in the EU, EEA, or United Kingdom, you have the following additional rights under the GDPR or UK GDPR:
- Right to Restriction of Processing (Art. 18 GDPR): You may request that we restrict processing of your data while we review a rectification or objection request, or where processing is unlawful but you do not want data erased.
- Right to Data Portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) to transfer to another service, where processing is based on contract or consent and carried out by automated means.
- Right to Object (Art. 21 GDPR): You may object at any time to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights Related to Automated Decision-Making (Art. 22 GDPR): We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the ICO at ico.org.uk.
We will respond to GDPR requests within 30 days. For complex or numerous requests, we may extend this by up to an additional 60 days, with prior written notice explaining the reason for the delay. We will process verified requests free of charge, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.
13. Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights regarding your personal information:
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Email address, display name, IP address.
- Commercial information: Subscription billing records (via Stripe), card inventory descriptions, listing prices.
- Internet / network activity: Server log data (IP, request path, timestamp).
- Inferences: None. We do not build user profiles or inferences for any purpose.
- Sensitive personal information: Account login credentials (email + password hash). We do not use sensitive personal information for any purpose beyond providing the Service.
Your California Rights
- Right to Know (Sec. 1798.100): You may request disclosure of the categories and specific pieces of personal information collected, the sources of collection, the business or commercial purposes for collection, and the categories of third parties with whom information is shared.
- Right to Delete (Sec. 1798.105): You may request deletion of personal information we have collected from you, subject to exceptions (e.g., legal obligations, fraud prevention, completing a transaction).
- Right to Correct (Sec. 1798.106): You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing (Sec. 1798.120): PokéPrice does not sell or share your personal information with third parties for cross-context behavioral advertising. This right is acknowledged; no action is currently required on your part.
- Right to Limit Use of Sensitive Personal Information (Sec. 1798.121): We limit our use of sensitive personal information to that which is necessary to provide the Service.
- Right to Non-Discrimination (Sec. 1798.125): We will not discriminate against you for exercising your CCPA/CPRA rights. Exercising your rights will not result in denial of services, different pricing, or lower quality of service.
How to Submit a California Privacy Request
To submit a verifiable consumer request, contact us at support@pokeprice.app with the subject line “California Privacy Request” and include: your full name, email address associated with your account, and the specific right you wish to exercise.
We will acknowledge your request within 10 business days and respond within 45 calendar days. If we require additional time (up to 90 days total), we will notify you in writing with the reason for the extension. We may verify your identity by cross-referencing information you provide with data in our systems. You may designate an authorized agent by providing written authorization.
We will process two requests per calendar year per consumer, free of charge.
14. Children's Privacy
The Service is not directed to children under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at support@pokeprice.app and we will promptly delete the information. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information as quickly as practicable.
15. Do Not Track
Some browsers transmit a “Do Not Track” signal. Because PokéPrice does not engage in behavioral tracking or cross-site tracking of any kind, our practices inherently align with Do Not Track preferences. We do not alter our data collection in response to Do Not Track signals because we do not engage in the tracking those signals are designed to prevent.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email at least 14 days before the changes take effect. For non-material changes, we will update the “Last updated” date at the top of this page. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this policy periodically.
Previous versions of this policy are available upon request.
17. Contact Us / Data Requests
For any privacy-related questions, data access requests, deletion requests, or to report a security concern, please reach out through one of the following channels:
Email: support@pokeprice.app
Subject line for data requests: “Privacy Request — [Your Name]”
Contact form: Contact page
Response time: Within 30 days for general requests; within 72 hours for security incidents.
If you are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with your applicable data protection supervisory authority.
© 2026 PokéPrice. This Privacy Policy was last revised on March 26, 2026. This document is provided for informational purposes. We recommend consulting a qualified legal professional with any specific legal questions.