Plain English summary: VaultedTCG is a trading card collection tracker. We collect what you put in (cards, sales, photos) and the minimum needed to make the app work (email, device token for push). We don't sell your data. We don't show ads. Your collection is yours.
Who we are
VaultedTCG is operated by Adir J. Cohen (operator, we, us). Contact: adir@vaultedtcg.io · support@vaultedtcg.io · vaultedtcg.io
What data we collect
We collect only the data needed to make the app work or that you explicitly provide.
| Category | What + why |
|---|---|
| Account | Email address (or Apple ID relay address if you Sign in with Apple) and a Supabase user identifier. Required to sync your inventory across devices and restore subscriptions. |
| Inventory you create | Cards you add (name, set, card number, condition, grade, quantity, cost, market value, notes, optional photos), folders you create, sales you log, and watchlist entries. This IS your collection — we hold it so it follows you across devices. |
| Scan photos | When you scan a card with the camera, the photo is uploaded to our partner Scrydex's Vision API to identify the card. The photo is NOT retained after identification completes. We do not store scan photos on our servers. |
| Device token | When you grant notification permission, Apple issues a device token which we store to deliver push notifications (price alerts, set completion milestones, new-set announcements). Token alone doesn't identify you to anyone other than Apple. |
| Subscription state | Your Apple subscription receipt + tier (Free / Pro / Vendor) so we can gate paid features. Payment details are handled by Apple, never seen by us. |
| App preferences | Settings you choose: visible games, folder names, default condition / kind / folder, set completion mode, scanner audio toggle, language preference. Stored locally; mirrored to your account when signed in so they follow you between devices. |
| Usage analytics (opt-in) | If PostHog analytics is configured by us and you haven't opted out, we record anonymized events: which features you use, which screens you view, which scans succeed or fail. No personally identifying content (no card names, no notes text, no photos) is sent. Used only to improve the app. |
| Crash reports | Anonymous crash reports go to PostHog Error Tracking. Helps us fix the things that break. |
| Catalog cache | We cache card prices, set lists, and card metadata from Scrydex on our servers. This is GLOBAL data (the same for every user); no personal information is associated with it. |
What we do NOT collect
We deliberately don't collect any of these:
- Your real name or postal address
- Your phone number or contacts
- Your precise location (we use no location services)
- Your browsing history outside the app
- Your photo library beyond photos you explicitly attach to inventory items
- Any data from other apps on your device
Who we share data with
We use a small set of service providers to run the app. Each one only sees what they need to.
| Provider | What they receive · why |
|---|---|
| Supabase (database + auth) | Encrypted storage of your account, inventory, sales, watchlist, and subscription state. Bound by their privacy terms. supabase.com/privacy |
| Scrydex (card data + Vision API) | Receives card scan photos for identification (not retained). Also serves card prices + catalog metadata to all VaultedTCG users globally. scrydex.com/privacy |
| Apple (StoreKit + APNs + Sign in with Apple) | Handles payment for subscriptions; relays your Apple ID (or private relay email); routes push notifications via your device token. Apple's privacy policy applies. |
| Resend (transactional email) | Sends account verification + password reset emails from noreply@vaultedtcg.io. Sees only your email address. resend.com/privacy |
| PostHog (optional analytics) | Anonymous app usage events. No personal content. Can be disabled via Settings. posthog.com/privacy |
| Frankfurter.app (FX rates) | Fetches daily USD/JPY exchange rate. No user data sent. |
Third-party deep links
VaultedTCG includes buttons that open external websites in Safari. When you tap them, you leave our app and their privacy policy applies:
- ALT.xyz — sales history for the specific card you tapped
- TCGplayer — current marketplace listing
- PSA / BGS / CGC / SGC — cert verification when a graded slab is in your inventory
- vaultedtcg.io — our marketing site (light, no personal data passed through)
We do not share your VaultedTCG identity with these sites. The URLs we deep-link to contain only the public card / cert identifier.
Your rights
You can:
Export — Settings → Export inventory / Export sales. Pulls a complete CSV of your data. Pro tier.
Delete your account — Settings → Account → Delete account. Permanently removes your user record, inventory, sales, watchlist, and device tokens from our servers within 30 days. Anonymous analytics events are retained.
Opt out of analytics — Settings → Privacy → toggle analytics off.
Choose which games appear — Settings → Games I track. Hidden games are not deleted; inventory items with hidden games still display in your collection.
Access or correct your data — Email adir@vaultedtcg.io with your request. We'll respond within 30 days.
Children's privacy
VaultedTCG is rated 4+ in the App Store. We don't knowingly collect personal information from anyone under 13. If you believe a child under 13 has signed up, contact adir@vaultedtcg.io and we'll delete the account within 7 days.
Data retention
Account data — retained as long as your account is active. Deleted within 30 days of account deletion request.
Scan photos — never retained server-side. They're streamed through Scrydex Vision and discarded after identification.
Anonymous analytics — PostHog retains for 12 months by default.
Catalog snapshots — global, not personal — retained indefinitely for the price-history feature.
Security
All data in transit uses HTTPS / TLS. Data at rest in Supabase is encrypted. Row-level security policies enforce that your inventory can only be read by your authenticated session. We never store your Apple password or payment details — those stay with Apple.
Changes to this policy
We'll update this page when our practices change. The Effective date at the top reflects the most recent update. Material changes get a notification in-app + a heads-up email if you've given us one.
Contact
Questions about this policy? Email adir@vaultedtcg.io or support@vaultedtcg.io.
Not legal advice. This document was drafted from the app's actual data flows as of iOS build 100. It should be reviewed by a lawyer admitted in your jurisdiction before being relied on for App Store submission or commercial use. The author of VaultedTCG is not a lawyer.