Privacy Policy

Effective: April 30, 2026

1. Introduction

Card Library ("we," "us," or "our") is a trading card collection management service operated by Joseph Condon, covering both sports cards (baseball, basketball, football, hockey, soccer) and trading card games (Magic: The Gathering, Pokemon, Yu-Gi-Oh, Lorcana, and others). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and iOS application (collectively, the "Service").

By using Card Library, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account Information

  • First name and last name
  • Display name
  • Email address
  • Password (stored as a bcrypt hash, never in plain text)
  • Apple ID identifier (if you sign in with Apple)
  • Date format preference

Collection Data

  • Cards you add to your collection (sports cards or TCG cards)
  • Grade information for slabbed cards (grading company — PSA, BGS, SGC, CGC, HGA — numeric grade, and slab serial number)
  • Raw condition assessments (Mint, Near Mint, Excellent, etc.) for ungraded cards
  • Personal notes and star ratings you assign to each copy
  • Purchase details (price paid, date, source, eBay listing URL) if you choose to enter them
  • Folders and organizational structures you create
  • Wishlist items (whole cards, every card by a specific player, or every card in a specific set) with priority levels, max-price thresholds, minimum desired grade, and notes
  • Multiple copies of the same card, each with independent grade, condition, and metadata

Subscription Information

  • Subscription status (free, active, expired, billing issue)
  • Subscription plan and product identifier
  • Subscription expiration date and renewal status
  • Purchase source (App Store, web, etc.)
  • Original purchase date

Subscription billing is managed by RevenueCat and Apple (for App Store purchases). We do not store your payment card details. See Section 4 for more information.

Automatically Collected Data

  • Activity logs of collection changes (additions, removals, rating changes, grade updates) for your activity feed
  • Basic request information (IP address, browser type) via standard server logs

Imported Data

If you use our CSV import feature, we process the uploaded file to add cards to your collection. The CSV file is processed on our servers and is not retained after the import is complete. Duplicate detection is performed automatically — re-importing the same row (same card, same grade, same notes) does not create a second entry.

Contact Form Data

If you submit a message through our contact form, we store your name, email address, message category, subject, and message body. This data is used to respond to your inquiry and is emailed to our support team. We also record the IP address of contact form submissions for anti-spam purposes.

3. How We Use Your Information

We use your information to:

  • Provide and maintain the Card Library service
  • Authenticate your account and secure your data
  • Display your collection, statistics, and activity history
  • Estimate collection values based on third-party marketplace pricing data
  • Calculate set-completion progress based on cards you own versus the printed set size
  • Manage your subscription status and feature access
  • Send transactional emails (password resets, contact form confirmations)
  • Respond to support inquiries submitted through the contact form
  • Improve the service based on usage patterns

4. Third-Party Services

Card Catalog Data Providers

Card Library uses several free, public catalog APIs to provide card, player, set, and manufacturer information. When you search for or add a card, your search queries are sent to the relevant provider for the game or sport you're searching:

We cache catalog data locally to reduce API calls and improve performance. Each provider has its own privacy policy governing data on their end.

eBay (Pricing)

In addition to its catalog role, we use eBay's Browse and Marketplace Insights APIs to fetch active listing prices and recent sold-comparable sales. This data powers card-level price estimates and the value-insights views available to subscribers. Your individual cards are not sent to eBay — only generic search queries (card name, set, year, grade) are submitted. eBay's privacy policy governs their handling of these queries.

RevenueCat

Subscription billing and management is handled by RevenueCat. When you subscribe to Card Library+, RevenueCat processes your payment (via Apple's App Store or Stripe for web purchases) and sends us subscription lifecycle events (purchase, renewal, cancellation, expiration). We store your subscription status but never your payment card details. RevenueCat's privacy policy governs their handling of your data.

Image Storage

Card images, set covers, manufacturer logos, and player photos are downloaded and stored on Backblaze B2 cloud storage to ensure fast and reliable image loading. These are publicly accessible images sourced from the catalog providers listed above.

Email Service

We use SMTP2GO to send transactional emails such as password reset links and contact form confirmations. Your email address is shared with SMTP2GO solely for the purpose of email delivery. We do not send marketing emails.

Apple Sign In

If you use Sign in with Apple, we receive and store only your Apple user identifier and, if you choose to share it, your email address. We verify your identity through Apple's authentication servers. Apple's privacy policy governs data on their end.

5. Data Storage and Security

Your data is stored in a MySQL database. We use industry-standard security measures including:

  • Hashed password storage (bcrypt)
  • HTTPS encryption for all data in transit
  • Token-based API authentication (Laravel Sanctum)
  • Per-user data isolation — you can only access your own collection

6. Data Sharing

We do not sell, rent, or share your personal information with third parties for marketing purposes. Your collection data is private to your account. We share data with third-party services only as described in Section 4 (to provide core functionality such as billing, email delivery, and catalog / pricing data). We may disclose information if required by law or to protect the safety of our users.

7. Cookies and Local Storage

We use:

  • Session cookies — to keep you logged in and maintain your session
  • CSRF tokens — to protect against cross-site request forgery
  • Local storage — to remember your appearance preferences (dark/light mode)

We do not use tracking cookies or third-party analytics cookies.

8. Your Rights

You have the right to:

  • Access — View all data associated with your account through the app
  • Update — Edit your profile information and collection data at any time
  • Export — Download your collection data as a CSV file (available to Card Library+ subscribers)
  • Delete — Delete your account and all associated data (collection, activity history, folders, wishlist, and personal information) through the account settings. This action is permanent and cannot be undone.

9. Children's Privacy

Card Library is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can remove it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or your data, please contact us.