Privacy Policy
Last updated: February 2026
1. Who we are
Community Card Trader ("we", "us", "our") operates the website communitycardtrader.com (the "Service"). This Privacy Policy explains how we collect, use, and protect your information when you use our Service.
2. Data minimization
We believe in collecting as little personal information as possible. The only personal data we request is your email address to create your account. We do not and will never ask for your real name, postal address, phone number, date of birth, or payment information. You may optionally add a public display name.
3. Information we collect
3.1 Account information
When you create an account, we collect your email address and an optional display name. Authentication is handled by Supabase (a third-party service hosted in the EU/US). We do not store your password directly; it is managed by Supabase Auth.
3.2 User-generated content
We store the wishlists, tradelists, community memberships, and messages you create within the Service. This data is stored in a Supabase PostgreSQL database.
3.3 Local storage
We use your browser's localStorage (not cookies) to store:
- Your preferred language setting
- A cache of card data from Scryfall (to reduce API calls)
- Pending community invite tokens (temporary)
- Your authentication session token (managed by Supabase)
3.4 Automatically collected data
Our hosting provider (Cloudflare) may collect standard web server logs including IP addresses, browser type, and pages visited. We do not currently use any analytics service (no Google Analytics, no tracking pixels).
4. How we use your information
- To provide and maintain the Service (wishlists, tradelists, matching, messaging)
- To authenticate your account and manage sessions
- To display card data and images from Scryfall
- To improve the Service and fix bugs
We do not sell your personal data to third parties.
5. Third-party services
| Service | Purpose | Data |
|---|---|---|
| Supabase | Auth, database | Email, user content |
| Cloudflare | Hosting, CDN, DDoS protection | IP, request metadata |
| Scryfall | Card data & images | Search queries |
| Google AdSense | Advertising | Cookies, browsing data |
6. Cookies
For details on cookies and similar technologies used on this site, please see our Cookie Policy.
7. Data retention & deletion
We retain your account data and user-generated content for as long as your account is active. You can delete your account at any time from the Account page, which will immediately and irreversibly remove all your data. If you prefer to request deletion by email, we will remove your data within 30 days.
8. Your rights (GDPR)
If you are located in the European Economic Area (EEA), you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten") — available self-service in your Account
- Restrict processing of your data
- Data portability — receive your data in a structured format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at [email protected].
9. Data security
We use industry-standard security measures including HTTPS/TLS encryption, strict Content Security Policy headers, and Cloudflare DDoS protection. Database access is protected by Supabase Row Level Security (RLS) policies.
10. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date.
12. Contact
If you have questions about this Privacy Policy, contact us at:
[email protected]
