Privacy Policy
Last Updated: 2026
1. Who we are and scope
Cardexr ("we", "us", or "our") provides a subscription-based software service for Pokemon card and collectible portfolio tracking, pricing research, market analytics, account management, and related alpha workflows.
This policy explains how we collect, use, share, and protect personal data when you visit our website, create an account, use Cardexr, contact support, request access, or use subscription and billing features when available. Cardexr is the data controller for the personal data described in this policy.
- Email: support@cardexr.com
- Address: Available on request during alpha
2. Personal data we collect
Depending on how you use Cardexr, we may collect and process:
- Identity and contact data: user IDs, email addresses, names, avatar URLs, OAuth profile metadata, invite/request-access details, and support contact details.
- Authentication and account data: hashed passwords where password login is used, OAuth identifiers, account settings, access state, and signed session data.
- Subscription and billing data: plan, subscription status, customer IDs, invoices, payment status, billing contact details, and limited payment metadata when paid features are available.
- Portfolio and product data: collection entries, portfolio records, card and sealed-product selections, prices, notes, imports, sales records, preferences, and workflow choices you add to the service.
- Support and communications data: contact form messages, privacy/data requests, bug reports, alpha feedback, transactional email records, and related correspondence.
- Technical and security data: IP addresses, user agent strings, request URLs, timestamps, device/browser metadata, logs, rate-limit signals, error details, and security events.
- Usage and analytics data: page views, product interactions, feature usage, referrers, session identifiers, and similar analytics data when optional analytics are enabled.
3. How we use personal data
We use personal data for the purposes and lawful bases below, including under the UK GDPR and Data Protection Act 2018 where they apply:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Provide and administer the service | Account creation, authentication, portfolios, imports, pricing workflows, support, and service communications | Contract; legitimate interests |
| Operate subscriptions and billing | Plan management, invoices, payment status, subscription renewals, cancellation, fraud prevention, and payment support | Contract; legal obligations; legitimate interests |
| Protect Cardexr and users | CSRF protection, rate limiting, abuse prevention, audit/security logs, account recovery, and error investigation | Legitimate interests; legal obligations |
| Improve product quality | Usage analytics, feature effectiveness, debugging, performance, and alpha feedback | Consent for optional browser analytics; legitimate interests for service diagnostics and aggregated product improvement |
| Comply with obligations and enforce terms | Tax/accounting records, legal requests, dispute handling, terms enforcement, and rights requests | Legal obligations; legitimate interests |
4. Service providers and sharing
We use trusted service providers to operate Cardexr. They process personal data for us under contractual restrictions and only for the purposes needed to provide their services:
- Supabase: authentication, database hosting, account records, and application data storage.
- PostHog: optional browser analytics, product analytics, web analytics, surveys, and feature flags. Session replay is disabled.
- Sentry: server-side error monitoring, security logging, diagnostic breadcrumbs, release/environment tracking, and cron/job visibility.
- Resend: transactional email delivery and related email records.
- Stripe: subscription, billing, payment, invoice, tax, and fraud-prevention processing when paid features are available.
- Google Fonts/Material Symbols: web font and icon delivery through Google-hosted resources.
We may also share personal data if required by law, to protect rights and safety, to enforce our terms, in connection with a business transfer, or with your direction or consent.
5. Error monitoring and diagnostic data
To keep Cardexr reliable and secure, our server-side error monitoring may receive diagnostic information when an error, warning, failed job, rate-limit event, or security event occurs. This can include your internal user ID, email address, IP address, user agent, request path, environment, release, stack trace, log messages, and diagnostic breadcrumbs around the event.
We use this data to investigate failures, detect abuse, fix production issues, verify pricing jobs, and protect users. We do not intentionally send raw access tokens, refresh tokens, full payment card numbers, passwords, or secret keys to error monitoring, and we keep debug routes disabled by default outside short controlled verification windows.
Because error monitoring can include user identifiers, we treat it as personal data and disclose it here as part of our security logging and service operations.
6. International transfers
Some providers are based outside the UK or European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy regulations, data processing terms, and provider security commitments where applicable.
- Primary account and application data is stored through Supabase infrastructure configured for Cardexr's environment.
- PostHog analytics is configured for the EU cloud.
- Sentry, Resend, Stripe, and Google-hosted font resources may involve processing in the United States or other locations.
7. Retention
We keep personal data only as long as reasonably needed for the purposes described in this policy, including to provide the service, comply with legal obligations, resolve disputes, maintain security, and enforce our terms. Typical retention periods include:
- Account and portfolio data: until you delete your account or ask us to delete the data, unless we need to retain limited records for legal, security, or legitimate business reasons.
- Subscription and billing records: for the period required for tax, accounting, fraud prevention, chargeback, and legal purposes.
- Session cookies: usually 7 days or until logout, subject to the configured inactivity and absolute session lifetime.
- Flash message cookies: about 60 seconds.
- Security and error logs: according to our service provider and operational retention settings, often around 90 days for error monitoring unless a longer period is needed for security or incident investigation.
- Optional analytics identifiers: until changed, expired, cleared, or reset according to browser storage and provider settings.
After account deletion, we delete or anonymize personal data where practical, except for limited records we must or may retain for legal, security, accounting, dispute, backup, or abuse-prevention purposes.
8. Your rights and choices
Depending on where you live and how the law applies, you may have rights to access, correct, delete, restrict, export, or object to our processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.
Account controls
You can update some account details directly in Cardexr. Where account deletion is available in the account area, it starts the deletion flow for your account and associated user data.
Data requests
To request access, export, correction, restriction, objection, or deletion, contact support@cardexr.com or use the contact form and choose the privacy or data request topic.
Analytics preference
You can accept or reject optional browser analytics and change that choice later from the privacy page or footer cookie settings control.
We will respond to legally valid privacy rights requests within the period required by applicable law. We may need to verify your identity before acting on a request.
9. Cookies and similar technologies
We use essential cookies and browser storage to provide security, sessions, CSRF protection, flash messages, OAuth flow continuity, and analytics preference storage. These are needed to provide the service you request. If you accept optional analytics, analytics identifiers may be stored in cookies or local storage so we can understand usage and improve Cardexr:
| Cookie Name | Purpose | Duration |
|---|---|---|
session |
Stores signed session data to maintain your authentication state | 7 days |
flash |
Stores temporary flash messages to display notifications after page redirects | 60 seconds |
csrf_token |
Helps protect forms from cross-site request forgery | 1 hour |
oauth_next |
Temporarily remembers a safe sign-in destination during OAuth flows | Short-lived authentication flow |
cardexr_analytics_consent |
Remembers whether you accepted or rejected optional browser analytics | Until changed in this browser |
ph_*_posthog |
Optional PostHog analytics identifiers such as distinct ID, session ID, device ID, and feature flag state. These are only used after analytics acceptance. Session replay is not enabled. | Up to 365 days |
Essential application cookies are first-party cookies set by our domain. Session cookies are signed, HttpOnly, SameSite=Lax, and marked Secure in production. Optional analytics storage is not loaded until analytics acceptance. Rejecting analytics keeps Cardexr usable.
10. Security
We use technical and organisational measures designed to protect personal data, including signed and secure cookies in production, CSRF protection, rate limiting, restricted debug routes, access controls, and monitoring for errors and abuse. No online service can be guaranteed completely secure.
11. Children
Cardexr is intended for adults and is not directed to children. Do not use Cardexr if you are not old enough to enter into these terms or use the service under applicable law.
12. Right to lodge a complaint
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would appreciate the opportunity to address your concerns first, so please contact us before lodging a complaint with the ICO.
13. Contact us
If you have any questions about this privacy policy or wish to exercise any of your data protection rights, please contact us:
- Email: support@cardexr.com
- Address: Available on request during alpha
14. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the new privacy policy on this page and updating the "Last Updated" date. We encourage you to review this privacy policy periodically.