Privacy Policy

Effective Date: January 1, 2026

1. Introduction

GrimDeck ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Magic: The Gathering collection management service.

By using GrimDeck, you consent to the data practices described in this policy. If you do not agree with our policies, please do not use the Service.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address - Required for account creation and communication
  • Password - Stored securely using industry-standard hashing (never in plaintext)
  • Display name - Optional name shown on your profile
  • Username - Optional unique identifier for your profile URL

Collection Data

When you use the Service, we store:

  • Card inventory (cards owned, quantities, conditions, finishes, languages)
  • Acquisition data (date acquired, price paid) if you choose to enter it
  • Personal notes you add to cards
  • Wishlist items and preferences
  • Binders, decks, and their contents
  • Currency preferences

Session and Technical Data

For security and service operation, we automatically collect:

  • IP address - Used for security monitoring
  • User agent - Browser and device information for compatibility
  • Session timestamps - Last activity time for session management

Payment Information

We do not store your credit card details. All payment processing is handled by Stripe, Inc. We only store:

  • Stripe customer ID (to link your account to your Stripe profile)
  • Subscription status and billing period dates

Error Logs

For debugging and improving the Service, we may log errors that occur. These logs may include the page where the error occurred, error messages, and technical context. We do not intentionally log personal information in error logs.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your account registration and manage your subscription
  • Store and display your card collection, wishlists, and binders
  • Send transactional emails (account verification, password resets, billing)
  • Respond to your inquiries and support requests
  • Detect and prevent fraud, abuse, and security issues
  • Comply with legal obligations

4. Third-Party Services

We use the following third-party services to operate GrimDeck. These services may have access to your information as described below:

Stripe (Payment Processing)

We use Stripe to process payments. When you subscribe, Stripe receives your email address and payment information. Stripe is PCI-DSS Level 1 certified, the highest level of payment security certification. View Stripe's Privacy Policy.

Scryfall (Card Data)

We use Scryfall's API to provide Magic: The Gathering card data and images. When you search for cards or view card details, requests are made to Scryfall. Scryfall does not receive any of your personal information from us. View Scryfall's API documentation.

Cloudflare (Hosting and Infrastructure)

Our Service is hosted on Cloudflare's infrastructure. Cloudflare provides:

  • D1 Database - Stores your account and collection data
  • R2 Storage - Caches card images for faster loading
  • KV Storage - Session management and caching

All data stored on Cloudflare is encrypted at rest. View Cloudflare's Privacy Policy.

Resend (Email Service)

We use Resend to send transactional emails such as account verification and password reset emails. Resend receives your email address and display name for this purpose. View Resend's Privacy Policy.

Google Analytics (Usage Analytics)

We use Google Analytics 4 (GA4) to understand how visitors use our Service. Google Analytics collects information such as pages visited, time spent on pages, referral sources, and general geographic location. This data is aggregated and helps us improve the user experience. Google Analytics uses cookies to distinguish unique users.

We do not use Google Analytics data for advertising purposes. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. View Google's Privacy Policy.

5. Analytics

We use Google Analytics 4 to collect anonymized usage data about how visitors interact with our Service. This helps us understand which features are popular and how we can improve.

We do not use Facebook Pixel, advertising trackers, or any tools that track your behavior across other websites. We do not sell or share your data with advertisers.

6. Cookies

We use the following cookies:

  • session - Essential cookie for authentication (30-day duration)
  • _ga, _ga_* - Google Analytics cookies for usage analytics (2-year duration)

We do not use advertising cookies or social media tracking pixels. For more details, see our Cookie Policy.

7. Data Security

We implement appropriate security measures to protect your data:

  • Encryption in Transit: All data is transmitted over HTTPS using TLS encryption
  • Encryption at Rest: All data stored in our database is encrypted using AES-256
  • Password Security: Passwords are hashed using industry-standard algorithms and never stored in plaintext
  • Secure Sessions: Session tokens are cryptographically generated and HTTP-only cookies prevent XSS attacks

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete all your data, including:

  • Account information
  • Collection and inventory data
  • Wishlists and binders
  • Session data
  • Subscription records

Some information may be retained in anonymized error logs for debugging purposes. Stripe may retain payment records in accordance with their data retention policies.

9. Your Rights

Depending on your location, you may have the following rights:

Access and Portability

You can export your collection data at any time using the CSV export feature in your account settings. This provides you with a complete copy of your card collection data.

Deletion

You can delete your account at any time through your account settings. This will permanently delete all your data from our systems.

Correction

You can update your account information at any time through your account settings.

For California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act. You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell your personal information.

For European Users (GDPR)

If you are in the European Economic Area, you have rights under the General Data Protection Regulation, including the right to access, rectify, erase, and port your data. Our lawful basis for processing is contract performance (providing the Service you signed up for) and legitimate interests (security and fraud prevention).

10. Children's Privacy

GrimDeck is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at grimdeckmtg@gmail.com.

11. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. By using the Service, you consent to the transfer of your information to these countries.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: grimdeckmtg@gmail.com
