Spellstash
Privacy

What we collect, how we use it, who we share with.

Last updated 2026-05-05

1. Introduction

This Privacy Policy describes how Spellstash ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you visit or use our website at spellstash.com (the "Service"). By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Account information. When you sign up with email and password, we store your email address and a hashed password (we never store your plaintext password). When you sign in with Google, we receive your name, email address, and profile picture from Google through OAuth 2.0; in that case no password is stored on Spellstash. Authentication is handled by Supabase Auth.

Collection data. The containers you create, the cards you add to them, quantities, finishes, conditions, sleeved/unsleeved status, free-form notes, and timestamps for every move event. This is the data Spellstash exists to manage. It is visible only to you; row-level security on our database enforces that no other account can read your data.

Subscription and billing information. If you upgrade to Pro or purchase a scan-credit pack, payment is processed by Stripe, Inc. We do not collect or store full credit card numbers, debit card numbers, CVV codes, or bank-account details. Stripe provides us with a Stripe customer ID, your subscription status, plan type, billing cycle, and the last four digits of your payment method for display purposes. For details on how Stripe handles your payment data, see Stripe's Privacy Policy.

Card-scan images (Pro feature). When you use the AI-vision card-scan feature, the photo you submit is sent to our AI vision provider (Anthropic) for card identification. The image is processed in memory and is not retained on Spellstash servers after the scan completes. The vision provider's privacy practices apply during processing.

Server logs. We automatically collect standard server log data when you access the Service, including your IP address, browser type and version, operating system, referring URL, the request paths you visit, and timestamps. Logs are used for debugging, abuse prevention, and basic operational monitoring.

Cookies and local storage. We use a session token stored in browser local storage to maintain your authentication state. We do not use third-party advertising or tracking cookies.

3. How We Use Your Information

We use your information for the following purposes:

  • To provide, operate, and maintain the Service, including your account and your collection data
  • To authenticate your identity and manage your sign-in session
  • To process subscription payments and scan-pack purchases, and to maintain your subscription status
  • To enforce per-tier limits (container caps, card caps, scan credits) for free and paid users
  • To communicate with you about your account, subscription changes, billing receipts, or material updates to the Service
  • To analyze aggregate usage patterns and improve the Service's features, performance, and reliability
  • To detect, prevent, and address technical issues, abuse, or fraud
  • To comply with applicable legal obligations

We do not use your collection data, scan images, or other personal information to train AI models.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

  • Service providers. We share data with third-party services that help us operate the Service: Supabase (database hosting, authentication, and row-level security enforcement), Render (web service hosting), Stripe, Inc. (payment processing for Pro subscriptions and scan-pack purchases), and Anthropic (AI vision processing for the Pro card-scan feature). These providers act as data processors on Spellstash's behalf and are contractually obligated to protect your data and to use it only to perform services for us.
  • Legal requirements. We may disclose information if required to do so by law, regulation, valid legal process (including subpoena or court order), or governmental request.
  • Business transfers. If Spellstash is involved in a merger, acquisition, or sale of all or a substantial portion of its assets, your personal information may be transferred as part of that transaction. We will notify you of any such transfer.

5. Data Retention

We retain your account information and collection data for as long as your account is active or as needed to provide the Service. Subscription and billing records (excluding full payment-card details, which are held by Stripe) are retained for as long as required for accounting, tax, and legal compliance. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, regulatory, or financial record-keeping purposes. Server logs are retained for up to 30 days for security and debugging purposes.

6. Data Security

We implement industry-standard security measures to protect your personal information, including encrypted data transmission (HTTPS/TLS), hashed password storage, secure session tokens, and database row-level security policies that prevent any account from reading another account's data. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access. You may request a copy of the personal data we hold about you.
  • Correction. You may request that we correct inaccurate or incomplete personal data.
  • Deletion. You may request that we delete your personal data. We will comply unless we have a legal obligation to retain it.
  • Portability. You may request a machine-readable export of your data.
  • Objection. You may object to our processing of your personal data in certain circumstances.
  • Withdrawal of consent. Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, contact us at info@spellstash.com. We will respond within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have the right to: know what personal information we collect and how we use it; request deletion of your personal information; opt out of the sale of your personal information (we do not sell personal information); and not be discriminated against for exercising your privacy rights. To make a request, email info@spellstash.com.

9. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR). Our legal bases for processing your data include: your consent (for optional features), contractual necessity (to provide the Service you signed up for), and our legitimate interests (to improve and secure the Service). You have the right to lodge a complaint with your local data protection authority.

10. Children's Privacy

The Service is not intended for use by anyone under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will take steps to delete it promptly. If you believe a child under 13 has provided us with personal data, contact us at info@spellstash.com.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our servers and our service providers are located. We use appropriate safeguards for such transfers, including standard contractual clauses where applicable.

12. Third-Party Links and Services

The Service displays card data and images sourced from Scryfall. The Service may also link to third-party websites (for example, Stripe's billing portal, Scryfall's card pages, or our authentication provider). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at info@spellstash.com.

© 2026 Spellstash. Spellstash is unaffiliated with Wizards of the Coast.