Privacy Policy

Last Updated: 2026

1. Who we are and scope

Cardexr ("we", "us", or "our") provides a subscription-based software service for Pokemon card and collectible portfolio tracking, pricing research, market analytics, account management, and related alpha workflows.

This policy explains how we collect, use, share, and protect personal data when you visit our website, create an account, use Cardexr, contact support, request access, or use subscription and billing features when available. Cardexr is the data controller for the personal data described in this policy.

  • Email: support@cardexr.com
  • Address: Available on request during alpha

2. Personal data we collect

Depending on how you use Cardexr, we may collect and process:

  • Identity and contact data: user IDs, email addresses, names, avatar URLs, OAuth profile metadata, invite/request-access details, and support contact details.
  • Authentication and account data: hashed passwords where password login is used, OAuth identifiers, account settings, access state, and signed session data.
  • Subscription and billing data: plan, subscription status, customer IDs, invoices, payment status, billing contact details, and limited payment metadata when paid features are available.
  • Portfolio and product data: collection entries, portfolio records, card and sealed-product selections, prices, notes, imports, sales records, preferences, and workflow choices you add to the service.
  • Support and communications data: contact form messages, privacy/data requests, bug reports, alpha feedback, transactional email records, and related correspondence.
  • Technical and security data: IP addresses, user agent strings, request URLs, timestamps, device/browser metadata, logs, rate-limit signals, error details, and security events.
  • Usage and analytics data: page views, product interactions, feature usage, referrers, session identifiers, and similar analytics data when optional analytics are enabled.

3. How we use personal data

We use personal data for the purposes and lawful bases below, including under the UK GDPR and Data Protection Act 2018 where they apply:

Purpose Examples Lawful basis
Provide and administer the service Account creation, authentication, portfolios, imports, pricing workflows, support, and service communications Contract; legitimate interests
Operate subscriptions and billing Plan management, invoices, payment status, subscription renewals, cancellation, fraud prevention, and payment support Contract; legal obligations; legitimate interests
Protect Cardexr and users CSRF protection, rate limiting, abuse prevention, audit/security logs, account recovery, and error investigation Legitimate interests; legal obligations
Improve product quality Usage analytics, feature effectiveness, debugging, performance, and alpha feedback Consent for optional browser analytics; legitimate interests for service diagnostics and aggregated product improvement
Comply with obligations and enforce terms Tax/accounting records, legal requests, dispute handling, terms enforcement, and rights requests Legal obligations; legitimate interests

4. Service providers and sharing

We use trusted service providers to operate Cardexr. They process personal data for us under contractual restrictions and only for the purposes needed to provide their services:

  • Supabase: authentication, database hosting, account records, and application data storage.
  • PostHog: optional browser analytics, product analytics, web analytics, surveys, and feature flags. Session replay is disabled.
  • Sentry: server-side error monitoring, security logging, diagnostic breadcrumbs, release/environment tracking, and cron/job visibility.
  • Resend: transactional email delivery and related email records.
  • Stripe: subscription, billing, payment, invoice, tax, and fraud-prevention processing when paid features are available.
  • Google Fonts/Material Symbols: web font and icon delivery through Google-hosted resources.

We may also share personal data if required by law, to protect rights and safety, to enforce our terms, in connection with a business transfer, or with your direction or consent.

5. Error monitoring and diagnostic data

To keep Cardexr reliable and secure, our server-side error monitoring may receive diagnostic information when an error, warning, failed job, rate-limit event, or security event occurs. This can include your internal user ID, email address, IP address, user agent, request path, environment, release, stack trace, log messages, and diagnostic breadcrumbs around the event.

We use this data to investigate failures, detect abuse, fix production issues, verify pricing jobs, and protect users. We do not intentionally send raw access tokens, refresh tokens, full payment card numbers, passwords, or secret keys to error monitoring, and we keep debug routes disabled by default outside short controlled verification windows.

Because error monitoring can include user identifiers, we treat it as personal data and disclose it here as part of our security logging and service operations.

6. International transfers

Some providers are based outside the UK or European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy regulations, data processing terms, and provider security commitments where applicable.

  • Primary account and application data is stored through Supabase infrastructure configured for Cardexr's environment.
  • PostHog analytics is configured for the EU cloud.
  • Sentry, Resend, Stripe, and Google-hosted font resources may involve processing in the United States or other locations.

7. Retention

We keep personal data only as long as reasonably needed for the purposes described in this policy, including to provide the service, comply with legal obligations, resolve disputes, maintain security, and enforce our terms. Typical retention periods include:

  • Account and portfolio data: until you delete your account or ask us to delete the data, unless we need to retain limited records for legal, security, or legitimate business reasons.
  • Subscription and billing records: for the period required for tax, accounting, fraud prevention, chargeback, and legal purposes.
  • Session cookies: usually 7 days or until logout, subject to the configured inactivity and absolute session lifetime.
  • Flash message cookies: about 60 seconds.
  • Security and error logs: according to our service provider and operational retention settings, often around 90 days for error monitoring unless a longer period is needed for security or incident investigation.
  • Optional analytics identifiers: until changed, expired, cleared, or reset according to browser storage and provider settings.

After account deletion, we delete or anonymize personal data where practical, except for limited records we must or may retain for legal, security, accounting, dispute, backup, or abuse-prevention purposes.

8. Your rights and choices

Depending on where you live and how the law applies, you may have rights to access, correct, delete, restrict, export, or object to our processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.

Account controls

You can update some account details directly in Cardexr. Where account deletion is available in the account area, it starts the deletion flow for your account and associated user data.

Data requests

To request access, export, correction, restriction, objection, or deletion, contact support@cardexr.com or use the contact form and choose the privacy or data request topic.

Analytics preference

You can accept or reject optional browser analytics and change that choice later from the privacy page or footer cookie settings control.

We will respond to legally valid privacy rights requests within the period required by applicable law. We may need to verify your identity before acting on a request.

9. Cookies and similar technologies

We use essential cookies and browser storage to provide security, sessions, CSRF protection, flash messages, OAuth flow continuity, and analytics preference storage. These are needed to provide the service you request. If you accept optional analytics, analytics identifiers may be stored in cookies or local storage so we can understand usage and improve Cardexr:

Cookie Name Purpose Duration
session Stores signed session data to maintain your authentication state 7 days
flash Stores temporary flash messages to display notifications after page redirects 60 seconds
csrf_token Helps protect forms from cross-site request forgery 1 hour
oauth_next Temporarily remembers a safe sign-in destination during OAuth flows Short-lived authentication flow
cardexr_analytics_consent Remembers whether you accepted or rejected optional browser analytics Until changed in this browser
ph_*_posthog Optional PostHog analytics identifiers such as distinct ID, session ID, device ID, and feature flag state. These are only used after analytics acceptance. Session replay is not enabled. Up to 365 days

Essential application cookies are first-party cookies set by our domain. Session cookies are signed, HttpOnly, SameSite=Lax, and marked Secure in production. Optional analytics storage is not loaded until analytics acceptance. Rejecting analytics keeps Cardexr usable.

10. Security

We use technical and organisational measures designed to protect personal data, including signed and secure cookies in production, CSRF protection, rate limiting, restricted debug routes, access controls, and monitoring for errors and abuse. No online service can be guaranteed completely secure.

11. Children

Cardexr is intended for adults and is not directed to children. Do not use Cardexr if you are not old enough to enter into these terms or use the service under applicable law.

12. Right to lodge a complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the opportunity to address your concerns first, so please contact us before lodging a complaint with the ICO.

13. Contact us

If you have any questions about this privacy policy or wish to exercise any of your data protection rights, please contact us:

  • Email: support@cardexr.com
  • Address: Available on request during alpha

14. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the new privacy policy on this page and updating the "Last Updated" date. We encourage you to review this privacy policy periodically.