Privacy Policy
Last updated: March 2026
1. Information We Collect
- Account information: Email address, username, and password (hashed — we never store plain text passwords).
- Activity data: Training history, candy balances, shard balances, faction choice, raid results, raffle entries, referral activity, leaderboard stats, and gallery card collection.
- Card lookup data: When you use the Rarity Report or card search features, we log the card searched, timestamp, and an anonymized hash of your IP address for analytics purposes. This data is used to improve search quality and understand which cards are popular.
- Card images: When you use the card scanner feature, the photo you take is sent to third-party AI services (Google Gemini) for identification. We do not permanently store your card photos on our servers.
- Push notification tokens: If you opt in to push notifications, we store a browser push subscription token to deliver alerts (e.g., candy drip completion reminders).
- Location data: GPS coordinates only when you use the QR check-in feature at partner stores. This is used solely to verify you are physically at the store. We do not track your location otherwise.
- Technical data: IP address, browser type, and device information for security, rate limiting, and abuse prevention.
2. How We Use Your Information
- To provide and operate the GCEA platform
- To verify your identity and prevent fraud
- To send account-related emails (verification, password reset, raffle wins)
- To deliver push notification alerts you have opted into
- To enforce our Terms of Service
- To improve the Service based on usage patterns and card lookup analytics
- To deliver prizes to raffle winners
- To process card identification through third-party AI services
- To display card pricing sourced from third-party data providers
3. Information We Do NOT Collect
- We do not sell your personal data to third parties
- We do not use your data for targeted advertising
- We do not track your location outside of explicit QR check-in actions
- We do not store payment information (there are no paid features)
- We do not permanently store photos taken with the card scanner
4. Data Sharing & Third-Party Services
We do not share your personal information with third parties except:
- Email delivery: We use Resend to send transactional emails (verification, password reset)
- Card identification: Card photos are processed by Google Gemini AI for identification. Google's privacy policy applies to their processing.
- Card pricing: We source pricing data from PokePriceTracker, TCGPlayer (via Pokémon TCG API), and Cardmarket. No personal data is shared with these providers.
- Push notifications: Browser push tokens are processed through web push standards (no third-party service stores your data)
- Legal obligations: If required by law or legal process
- Prize fulfillment: Shipping address provided by raffle winners is used solely for delivery
5. Data Security
We take reasonable measures to protect your data:
- Passwords are hashed with bcrypt (12 rounds)
- All connections use HTTPS/TLS encryption
- JWT access tokens expire after 24 hours
- Rate limiting protects against brute-force attacks
- Admin actions are logged for audit purposes
- IP addresses are hashed for analytics (not stored in plain text)
- Database access is restricted with role-based permissions
6. Cookies & Local Storage
We use browser local storage to keep you logged in (JWT tokens) and to store UI preferences (e.g., onboarding tour completion, push notification preferences). We do not use third-party tracking cookies or analytics services.
7. Your Rights
You have the right to:
- Access your personal data through your profile page
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Opt out of push notifications at any time through your browser settings
- Opt out of non-essential emails
8. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe a child has created an account, please contact us and we will promptly delete the account.
9. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days. Anonymized, aggregated data (such as card lookup counts) may be retained indefinitely for analytics purposes. Expired authentication tokens are periodically purged.
10. International Users
GCEA is operated from the United States. If you access the Service from outside the US, your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer.
11. Changes to This Policy
We may update this Privacy Policy at any time. Significant changes will be communicated via email or in-app notification. Continued use of the Service constitutes acceptance of the updated policy. It is your responsibility to review this policy periodically.
12. Contact
For privacy-related questions or requests, email us at support@gcea.app.