Privacy Policy

TCGinvest ("we", "us", "our") is a quantitative research service for the Pokémon trading card market. We are operated as an independent project based in the European Union. For all privacy-related questions, GDPR data-subject requests, or general inquiries about this policy, contact us at [email protected].

We deliberately collect as little personal data as we can while still operating the service. The categories are:

• Account data. When you sign up, your authentication provider (Clerk) shares your email address, display name (if provided), and a unique account identifier with us. Passwords are managed by Clerk and never reach our servers.
• Subscription & billing data. When you subscribe, our Merchant-of-Record (Polar.sh) handles your payment details. We never see or store card numbers, IBANs, or full billing addresses — only a Polar customer reference and your subscription status. Polar is the seller of record for tax and consumer-protection purposes; the charge on your statement appears from Polar* on our behalf.
• Product data. Cards you add to your watchlist or portfolio, with the quantities, cost basis, and notes you choose to enter. This is data you create using the service.
• Technical data. Your IP address, browser type and version, device type, and pages requested — collected by our hosting (Cloudflare) and server logs. Used for security (rate-limiting, abuse prevention) and to debug errors.
• Cookies and similar. See our Cookie Policy for the full list and how to manage them.

Under the EU General Data Protection Regulation (GDPR) we must tell you the legal basis for each processing activity. Here's the full list:

We share personal data only with the third parties we genuinely need to run the service. None sell your data; each is bound by a data processing agreement and is GDPR-compliant.

• Clerk — authentication, account management. Receives your email and account identifier. clerk.com/privacy
• Polar.sh — payment processing (Merchant-of-Record). Handles your billing details, applies EU VAT, issues invoices, and processes refunds on our behalf. Receives only what's required for the transaction. Stripe Inc. is Polar's underlying payment processor (PCI-DSS Level 1). polar.sh/legal/privacy
• Cloudflare — CDN, DNS, DDoS protection. Sees the IP and request metadata of all visitors. cloudflare.com/privacypolicy
• Hostinger — VPS hosting (server infrastructure where your data is stored). EU-based data centre.
• Sentry (planned, if enabled) — error monitoring. Receives stack traces and minimal request context, no payload bodies.

We do not sell or rent personal data, and we donot share it with advertisers or data brokers.

Some of our service providers (Clerk, Polar, Cloudflare, Sentry) are headquartered in the United States. Where personal data is transferred outside the European Economic Area, we rely on the EU Commission's Standard Contractual Clauses (SCCs) or applicable adequacy decisions to ensure GDPR-equivalent protection. Copies of the SCCs are available on request via [email protected].

We keep personal data only as long as we need it:

• Account data — for as long as your account exists. If you delete your account, the email and identifier are erased within 30 days, except where retention is required by law (e.g., tax records).
• Billing records — 10 years, as required by EU and Maltese accounting/tax law.
• Watchlist and portfolio — deleted on account closure.
• Server access logs — 30 days, then rotated and deleted.
• Backups — encrypted, rotated weekly, with 90-day retention. Deleted data is fully purged from backups within 90 days.

You have the following rights under the GDPR, exercisable at any time by emailing [email protected] from the address associated with your account:

• Access (Art. 15) — get a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct any data that's inaccurate or incomplete.
• Erasure / "right to be forgotten" (Art. 17) — delete your account and associated data, subject to legal retention requirements.
• Restriction (Art. 18) — limit how we process your data.
• Portability (Art. 20) — receive your data in a machine-readable format (we will provide JSON exports on request).
• Object (Art. 21) — object to processing based on legitimate interest.
• Withdraw consent (Art. 7) — for anything we do under consent (e.g., marketing emails).
• Lodge a complaint — with your national data protection authority. Ours, by default, is the Information and Data Protection Commissioner (IDPC) of Malta — idpc.org.mt.

We respond to requests within 30 days. No fees, except for clearly unfounded or excessive requests as permitted by Art. 12(5).

We protect personal data with TLS encryption in transit, at-rest encryption for backups, strict server access controls (key-based SSH, firewall locked to Cloudflare IPs, no public database access), and the principle of least privilege. We are not a payment processor — card data lives at Polar (via Stripe) under PCI-DSS compliance, never on our servers. No system is invulnerable, but we monitor for unusual activity and will notify affected users and the relevant supervisory authority within 72 hours of any breach that's likely to result in risk to your rights (GDPR Art. 33–34).

TCGinvest is intended for users aged 16 and over (the digital consent age threshold under GDPR for several EU member states, including Malta). We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe a child has provided us personal data, contact us and we will delete it.

We may update this Privacy Policy when our service or the law changes. Material changes will be announced in-app and (for registered users) by email. The "Last updated" date at the top of this page always reflects the current version. Continued use of the service after a change constitutes acceptance.