Privacy Policy

Effective date: May 27, 2026 · Last updated: May 27, 2026

          Short version: We collect only what's needed to run the app. We don't
          sell your data. You control what's public.
        

1. What We Collect

Account information: Your email address, display name, and password (stored as a bcrypt hash — we never store your real password).

Profile information: Optional fields you fill in — bio, location, favorite card, tagline, social handles, and profile photo. You choose what to share publicly.

Collection data: The cards you add to your binders, including card names, quantities, conditions, and prices you record.

Uploaded images: Profile avatars, banner photos, binder cover art, and personal card photos you upload through the app.

Usage data: Basic server logs (IP addresses, request timestamps) for security and debugging purposes. These are not shared with third parties.

2. How We Use Your Information

To operate and provide the TopDeck service.
To send you a one-time email verification link when you register.
To display your public profile and binders to other users (only if you set them to public).
To calculate and display card collection statistics and estimated values.
To secure your account and prevent abuse.

3. What We Don't Do

We do not sell your personal data to third parties.
We do not serve ads or share data with advertising networks.
We do not use your card collection data for any purpose other than running TopDeck.

4. Third-Party Services

PokémonTCG.io: Card search queries are forwarded to the public PokémonTCG.io API to look up card data and prices. Your account information is not shared with this service — only the card name you search for.

Google Vision API (optional): If you use the card scanner feature, camera images may be processed by Google Cloud Vision to perform OCR text recognition. Images are not stored by Google after processing. See Google's data usage policy.

5. Public vs. Private Data

You control what others can see:

Private (default): Your email, card collection, and profile are private unless you explicitly make them public.
Public profile: If you enable "Make profile visible," your username, bio, location, favorite card, and avatar become visible to other TopDeck users.
Public binders: Individual binders can be toggled public, making them viewable (read-only) by anyone with the link.

6. Data Storage and Security

Your data is stored on a server located in the United States. We use industry-standard practices including bcrypt password hashing, JWT authentication tokens, and HTTPS in transit.

Uploaded files (avatars, card photos, banners) are stored on the server and served directly. We recommend not uploading images that contain sensitive personal information.

7. Data Retention

Your account data is retained for as long as your account is active. If you request account deletion, we will permanently delete your account data, uploaded files, and card collection within 30 days. To request deletion, email us at [email protected].

8. Children's Privacy

TopDeck is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it promptly.

9. Your Rights

Depending on your location, you may have the right to access, correct, or delete your personal data. To exercise any of these rights, contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy from time to time. We'll notify you of significant changes by updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

Questions or concerns about privacy? Email us at [email protected].