Privacy Policy
Version 1.1 · Effective June 28, 2026
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address and password (stored as a hash). We do not collect real names, physical addresses, or payment information at this time.
1.2 Collection Data
When you add cards to your collection, we store the card identity information you provide (player, set, year, card number, variant, condition, grade) and any images you upload. This data is associated with your user account.
1.3 Contribution Data
When you contribute to the community catalog (opt-in mining, corrections, evidence uploads), we store your contributions with attribution to your account for reputation tracking and audit purposes.
1.4 Automatically Collected Data
We collect standard web analytics data including IP address, browser type, device information, pages visited, and interaction patterns. This data is used for service improvement, security, and abuse prevention.
1.5 Card Images
Card images you upload are stored in secure cloud storage. Images submitted with collection-only visibility are private to your account. Images submitted with opt-in mining visibility may be reviewed by administrators and, if approved, displayed in the public catalog.
Photos taken on phones and cameras often carry embedded metadata (EXIF) — including the date a photo was taken and, on many devices, the GPS coordinates of where it was taken. When you upload a card image, we strip this metadata on our servers before the image is stored, so it is never shown to other users and is not retained by us. (We also automatically rotate images to display right-side up.) Card photos must show the card only; submissions containing faces or personal surroundings are rejected during review.
1.6 Profile Information
You may set a username, a profile image, and a short bio, and you can earn badges (such as Cardwiki Claim status) through your participation. Section 3 explains which of these are visible to other people and which are not.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Service | Account data, collection data | Contract performance |
| Card identification & matching | Card images, identity fields | Contract performance |
| Community catalog improvement | Contribution data (opt-in only) | Consent |
| Moderation & trust scoring | Contribution history, account activity | Legitimate interest |
| Security & abuse prevention | IP address, rate-limit counters, activity patterns | Legitimate interest |
| Service improvement & analytics | Aggregated usage data | Legitimate interest |
| Email communications | Email address | Consent / contract performance |
3. Data Sharing & Public Visibility
We do not sell your personal data. Some information is public by design, and we share data only in the circumstances below.
Your public profile. Every member has a public profile. The only details visible to other users and visitors are your username, profile image, and any public badges you have earned. Nothing else is public — your email, real name, location, phone number, IP address, image geolocation, private holdings, and account settings are never shown on your profile or anywhere else in the public catalog.
- Public catalog: Approved contributions become part of the public catalog (opt-in only)
- Service providers: We use Supabase for database and authentication, and cloud storage for images
- Third-party links: When clicking through to third-party marketplaces, the destination site may receive referral data per standard web protocols
- Legal requirements: If required by law, subpoena, or to protect the rights and safety of CardWiki and its users
4. Data Retention & Account Deletion
Active account data is retained for the lifetime of your account.
Published contributions are permanent.When you contribute to the public catalog — card images, card details, or sales data that are approved and published — those records, and the username credited on them, become a permanent part of the shared community dataset.
You can request deletion of your account at any time by emailing support@cardwiki.ai. We grant these requests in most cases and remove your private account data and collection. Two things remain: contributions you have published to the public catalog stay live as part of the shared record, and we keep the internal records tied to those contributions indefinitely for attribution, audit, and legal purposes.
5. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your account and private personal data (published catalog contributions remain part of the shared record — see Section 4)
- Export your collection data in a portable format
- Withdraw consent for optional data processing (e.g., opt-in mining)
- Object to processing based on legitimate interest
To exercise these rights, contact support@cardwiki.ai. We will respond within 30 days.
6. Children's Privacy
CardWiki is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13. If you are under 13, please do not create an account or submit any personal information through the Service.
If You Are a Parent or Guardian
If you believe your child has created an account or used CardWiki without your permission, please contact us at support@cardwiki.ai. In your message, include the email address associated with the account so we can locate it. Upon verification, we will promptly delete the account and any associated personal data from our systems.
We take children's privacy seriously. If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will delete that information as quickly as practicable.
7. Security
We implement industry-standard security measures including encrypted connections (HTTPS), hashed passwords, row-level security (RLS) on database tables, and role-based access controls. No system is perfectly secure; we cannot guarantee absolute security.
8. Cookies and Tracking Technologies
What We Use
We use cookies and similar technologies to operate and improve CardWiki. We group these into two categories:
Strictly Necessary. These cookies are required for the site to function. They include session authentication tokens and your cookie consent preference. Because they are essential to the service, they cannot be disabled.
Analytics.With your consent, we use Google Analytics 4 to collect anonymized data about how visitors use the site — including which pages are visited, how long sessions last, and where traffic originates. This data is processed by Google and helps us understand what's working and improve the product. We do not use Google Analytics for advertising or behavioral profiling.
Your Choices
When you first visit CardWiki, you will see a consent banner. You can accept or decline analytics cookies at that time. You may change your preferences at any time by clicking Cookie Preferences in the footer.
No Advertising Cookies
We do not serve ads, and we do not allow any third-party advertising networks to set cookies on your device through CardWiki.
Cookie List
| Cookie | Category | Purpose | Expires |
|---|---|---|---|
cw_consent | Necessary | Stores your cookie consent preferences | 1 year |
sb-[ref]-auth-token | Necessary | Manages your authenticated session | Session |
_ga | Analytics | Distinguishes unique users for Google Analytics | 2 years |
_ga_XXXXXXXXXX | Analytics | Stores session state for Google Analytics | 2 years |
Third-Party Processors
Google Analytics data is processed by Google LLC. For more information, see Google's Privacy Policy and Google's data safeguarding terms.
9. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. Continued use after changes constitutes acceptance.
10. Contact
For privacy questions or data requests, contact: support@cardwiki.ai