Privacy Policy

1. Who is responsible for your data (controller)

The controller responsible for the processing described in this policy is:

Lorenzo Pironti (sole trader / ditta individuale), Viale Partigiani d'Italia 35, 43123 Parma (PR), Italy. VAT no. IT03106290343.

For all privacy matters, including the exercise of your data-subject rights, you can contact us at privacy@tcgnotify.com.

Data Protection Officer: not appointed (we are not required to appoint a DPO under Article 37 GDPR). EU representative (Article 27 GDPR): not applicable, as the controller is established in the European Union (Italy). UK representative: not applicable.

2. Scope: website versus App

This policy covers two very different surfaces, and the data practices differ accordingly.

Website (minimal). This marketing website is built to be privacy-first. It runs no analytics, no advertising, no tracking pixels, and no third-party profiling. The only cookie it can set is a strictly functional language-preference cookie, and only when you manually change languages (see the Cookie Policy).

App. The TCGNotify iOS App is an account-based product that helps you track trading-card collections, prices, and grading, and receive alerts. To do this, the App necessarily processes more personal data, all of which is described below.

3. Data we process via the website

We do not use any analytics, advertising, tracking, or profiling technologies on this website.

Language preference. When you manually switch the site language, we store your choice in a strictly functional cookie named NEXT_LOCALE. It contains only a language code (for example, "en" or "de"), holds no personal data, and is used solely to remember your preference. No such cookie is set unless you actively change the language.

Security and delivery (Cloudflare). Our website and infrastructure are served through Cloudflare, which acts as a content-delivery network and web-application firewall. As part of delivering content securely, Cloudflare may transiently process technical connection data such as your IP address and request metadata, and may set strictly necessary security cookies, to protect against attacks and abuse. The legal basis is our legitimate interest in keeping the service secure and available (Article 6(1)(f) GDPR).

We do not build user profiles from website visits, and we do not combine website data with App data.

4. Data categories we process in the App

Depending on how you use the App, we may process the following categories of personal data:

Account and profile: your display name, profile preferences, and authentication identifiers from the sign-in provider you choose (Apple, Google, or Discord).

Email address: stored in encrypted form, and additionally indexed using a one-way hash so that we can look up an account without keeping a plaintext copy available for everyday queries. If you sign in with Apple and choose "Hide My Email", the address we receive is an anonymized forwarding address at @privaterelay.appleid.com — in that case we have no access to your real email and all communications transit Apple's relay.

Device push tokens: stored in encrypted form, so we can deliver the alerts you have enabled.

Collection data: the cards you add to your collection and the copies you own, including condition, quantity, receipt or proof-of-purchase images, and your personal notes.

Wishlist: the cards you wish to acquire.

Purchases and portfolio: purchase prices, dates, and portfolio valuation data you record.

Scan images and machine-learning embeddings: photos you take to identify or grade cards, and the numerical feature vectors (embeddings) derived from them for matching.

Social links: any external profile or marketplace links you choose to add.

Audit and security logs: records of security-relevant events, which may include your IP address, user-agent, timestamps, and the action performed, kept to protect your account and our service.

5. Purposes and legal bases

We process your personal data for the following purposes and on the following legal bases under Article 6 GDPR:

To provide the service (contract — Article 6(1)(b)). Creating and maintaining your account, storing your collection and wishlist, computing portfolio values, and delivering the core features you request.

To keep the service secure and reliable (legitimate interest — Article 6(1)(f)). Maintaining audit logs, preventing fraud and abuse, debugging, and protecting our infrastructure. You can object to this processing as described in your rights below.

To send notifications (contract and consent). Core, service-related alerts are part of providing the App. Optional notification channels are opt-out on a per-channel basis, and the trade-match feature is strictly opt-in. Where we rely on consent (Article 6(1)(a)), you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To identify and grade cards from your scans. Processing scan images and embeddings to power recognition and grade estimates, as part of providing the features you use.

We do not engage in advertising, ad targeting, or automated decision-making that produces legal or similarly significant effects on you.

6. Subprocessors and recipients

We use a small number of carefully selected subprocessors to operate the service. We do not sell your personal data, and we do not share it with advertisers. We use no third-party analytics providers, no advertising networks, and (at this time) no payment processor.

Apple Inc. — Purpose: Sign in with Apple authentication and push notifications via APNs. Data processed: Apple ID identifier; your name (only if you choose to share it at first sign-in); email address (your real Apple ID address or, if you choose Hide My Email, an anonymized forwarding address at @privaterelay.appleid.com — in which case we have no access to the real email and all communications transit Apple's relay); device push tokens. Place of processing: USA. Transfer basis: EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. Privacy policy: https://www.apple.com/legal/privacy/.

Google LLC — Purpose: Sign in with Google authentication. Data processed: Google account identifier, name, email address, and (where available) profile image. Place of processing: USA. Transfer basis: EU Standard Contractual Clauses and the EU–US Data Privacy Framework. Privacy policy: https://policies.google.com/privacy.

Discord Inc. — Purpose: OAuth sign-in and optional webhook notifications. Data processed: Discord account identifier, username, email address; for webhooks you configure, the alert messages we deliver to that webhook URL. Place of processing: USA. Transfer basis: EU Standard Contractual Clauses. Privacy policy: https://discord.com/privacy.

Resend, Inc. — Purpose: transactional email delivery (account verification, password reset, account and service notices). Data processed: email address, name (where provided), and the content of the transactional message. Place of processing: USA. Transfer basis: EU Standard Contractual Clauses. Privacy policy: https://resend.com/legal/privacy-policy.

Cloudflare, Inc. — Purpose: content-delivery network, web-application firewall, and secure tunnel for our infrastructure. Data processed: connection metadata (IP address, request headers, user-agent) on a transient basis to detect and mitigate abuse, plus strictly necessary security cookies. Place of processing: globally distributed edge network including the EEA and USA. Transfer basis: EU Standard Contractual Clauses where applicable. Privacy policy: https://www.cloudflare.com/privacypolicy/.

Self-hosted object storage (MinIO) — Purpose: storage of images you upload (receipts, scans). Operated on our own infrastructure within the EEA. No third-party processor involved; images are stored encrypted at rest and served via short-lived presigned URLs.

Self-hosted observability (OpenTelemetry) — Purpose: operational logging and tracing for debugging and incident response. Operated on our own infrastructure within the EEA. No third-party SaaS analytics.

7. How long we keep your data (retention)

Account deletion uses a 30-day soft-delete grace period. When you request deletion, your account is deactivated immediately and scheduled for permanent removal. After 30 days, your data is permanently deleted across our systems by cascading deletion, except for the limited records described below.

Image links are short-lived. Access to your stored images is granted through presigned URLs that expire after 15 minutes; the images themselves remain encrypted at rest until deletion.

Audit and security logs are retained for up to 7 years (the link to your identity is irreversibly anonymised after your account is deleted) to meet our security and legal obligations, and may be kept after account deletion to the extent required (see the Data Deletion page).

Where we are legally required to retain certain records for a longer period, we will keep only what the law requires and for no longer than necessary.

8. Your rights

Subject to the conditions in the GDPR, you have the right to:

Access and obtain a copy (portable export) of your personal data;

Rectify inaccurate or incomplete data;

Erase your data ("right to be forgotten");

Restrict processing in certain circumstances;

Data portability, to receive your data in a structured, commonly used, machine-readable format;

Object to processing based on our legitimate interests; and

Withdraw consent at any time where processing is based on consent, without affecting prior processing.

How to exercise your rights. You can exercise most of these rights directly in the App (including account export and deletion). You can also contact us at privacy@tcgnotify.com. We may need to verify your identity before acting on a request.

Right to complain. You also have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. In Italy, the competent authority is the "Garante per la protezione dei dati personali" (Piazza Venezia 11, 00187 Roma; www.garanteprivacy.it). If you are in the UK, you may instead contact the UK Information Commissioner's Office (ICO).

9. International data transfers

Some of our subprocessors (such as Apple, Google, Discord, Resend, and Cloudflare) may process data outside the European Economic Area. Where personal data is transferred to a country that has not received an adequacy decision, we rely on appropriate safeguards under Chapter V GDPR, in particular the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework (DPF).

You can request more information about these safeguards by contacting us at privacy@tcgnotify.com.

10. Children

The App is not directed to children. You must be at least 16 years old to create an account, consistent with Article 8 GDPR (subject to any lower age set by your Member State).

If you believe a child has provided us with personal data without appropriate consent, please contact privacy@tcgnotify.com and we will take steps to delete it.

11. How we protect your data (security)

We apply technical and organizational measures appropriate to the risk, including: encryption of sensitive data at rest (such as email addresses and device tokens); passwordless and federated authentication (Sign in with Apple, Google, and Discord), so we never store passwords; one-way hashing for email lookups; short-lived presigned URLs for image access; and access controls and logging across our infrastructure.

No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "last updated" date and, where appropriate, notify you in the App.

This English-language version is the governing version; translations are provided for convenience only.