PRIVACY POLICY
1. Who We Are
CardChart ("we", "us", "our") is a web and mobile application located at cardchart.app. If you have questions about this policy, contact us at privacy@cardchart.app.
2. Information We Collect
Account Information
When you create an account, we collect your email address and a hashed password (or a Google OAuth token if you sign in with Google). We do not store plain-text passwords.
Usage Data
We collect data you create while using the app: watchlists, portfolio holdings, and saved chart settings. This data is tied to your account and stored in our database so it syncs across your devices.
Payment Information
Subscription payments are processed by Stripe. We never see or store your full card number, CVV, or billing address. We receive only a Stripe customer ID and subscription status to activate your Pro account.
Technical Logs
Our servers automatically log standard request data: IP address, browser/device type, pages visited, and timestamps. These logs are used for debugging and security monitoring and are not linked to your identity for advertising purposes.
3. How We Use Your Information
- Authenticate your account and keep you signed in
- Sync your watchlists, portfolio, and preferences across devices
- Activate and manage your CardChart Pro subscription
- Send transactional emails (account confirmation, password reset, billing receipts)
- Investigate bugs, errors, and security incidents
- Comply with legal obligations
CardChart itself does not use your personal data to serve ads or build advertising profiles. Free users see ads delivered by Google AdSense. Google may use cookies and device identifiers to personalise those ads based on your browsing activity — this is subject to your cookie consent choice and Google's own privacy policy. Pro subscribers see no ads.
4. Third-Party Services
CardChart integrates the following third-party services to operate. Each has its own privacy policy.
- Supabase — database and authentication (supabase.com/privacy)
- Stripe — payment processing (stripe.com/privacy)
- Vercel — hosting and serverless functions (vercel.com/legal/privacy-policy)
- eBay Browse API — live card listing prices (ebay.com/help/policies/member-behavior-policies/user-privacy-notice-privacy-policy)
- Google OAuth — optional sign-in method (policies.google.com/privacy)
- Google AdSense — advertising on the free tier. AdSense may set cookies and use device identifiers to serve personalised ads. Only loaded if you accept optional cookies. (policies.google.com/privacy)
We do not share your personal information with any other third parties.
5. Cookies & Local Storage
We use browser storage (cookies and localStorage) in two categories:
Strictly Necessary
These are required for the app to function and are set regardless of your cookie preference. They include your authentication session (Supabase), payment session tokens (Stripe), and app preferences such as theme, default timeframe, and chart settings. They do not track you across other websites.
Ad Personalisation (Google AdSense)
Free users always see ads served by Google AdSense. If you accept personalisation, Google may set advertising cookies and use device identifiers to tailor ads to your interests and browsing history across the web. If you decline, ads still appear but are generic and non-tracked — Google does not receive personalisation signals. Pro subscribers are never shown ads regardless of this setting.
You are asked for your preference on your first visit. You can update your choice at any time using the controls below. For EU residents, personalisation cookies are not set before you give consent.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance (e.g., billing records required by tax law).
7. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and associated data
- Export your watchlist and portfolio data
- Withdraw consent for optional data processing
To exercise any of these rights, email privacy@cardchart.app. We will respond within 30 days.
8. Children's Privacy
CardChart is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete it promptly.
9. Security
We use industry-standard measures to protect your data: encrypted connections (HTTPS/TLS), hashed passwords, and row-level security on our database so users can only access their own records. No system is perfectly secure — if you discover a vulnerability, please report it to privacy@cardchart.app.
10. Changes to This Policy
If we make material changes to this policy, we will notify you by email or by displaying a notice in the app before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent version.
11. Contact
Questions or concerns about your privacy? Reach us at privacy@cardchart.app.