Privacy Policy
Effective on publication (draft under review)
This Privacy Policy explains how ⟦registered legal entity name⟧ (“we”, “us”) collects, uses, and protects your personal data when you use Snug Cards at snug.cards. We are the data controller. This policy is written to meet the standards of the EU General Data Protection Regulation (GDPR) and the UK GDPR; those rights apply to data subjects in the EU and UK, and we extend the core rights below to all users.
1. Data we collect
We collect only what we need to run the Service:
- Account data: your email address, a securely hashed password (argon2id — we never store your plaintext password), and your account role and plan.
- Age confirmation: at signup we ask for your date of birth to confirm you meet our minimum age of 13. We use it to make that check and do not use it for any other purpose.
- Optional profile data: if you choose to make a public profile, your handle, bio, and any contact links (e.g. Discord, X/Twitter) you add.
- Session data: an opaque session token stored in a cookie (valid for 30 days), plus your device’s user-agent string, to keep you signed in.
- Your content: the binders, prompts, card lists, and holdings you create, including the free-text prompts you write to generate binders.
- AI generation records: the prompt you submit and the response used to build a binder, retained for up to 90 days to operate, debug, and improve the feature.
- Technical data: your IP address and standard request metadata, processed at our edge for security, rate-limiting, and abuse prevention.
2. How we use your data & legal bases
- To provide the Service (create your account, build and store binders, sign you in) — legal basis: performance of a contract.
- To secure the Service (rate-limiting, abuse and fraud prevention, age gating) — legal basis: legitimate interests and legal obligation.
- To communicate with you (sign-in links, password resets, essential account notices) — legal basis: performance of a contract.
- To improve the Service (aggregate, privacy-respecting product analytics) — legal basis: legitimate interests.
We do not sell your personal data, and we do not use it to serve third-party advertising.
3. Sub-processors
We use a small number of trusted providers to operate the Service. They process personal data only on our instructions and only as needed for their function:
| Provider | Purpose | Region |
|---|---|---|
| OpenAI | AI binder generation and cover-image creation. Receives the binder prompt and any imported text you provide (which is free-form and could contain personal data you type). | United States |
| Mailgun | Transactional email — sign-in links, password resets, and account alerts. Receives your email address and message content. | United States |
| Cloudflare | Content delivery, DNS, and edge security. Processes request metadata including your IP address. | Global (US-headquartered) |
We keep this list current as our providers change. We also use third-party trading-card data sources (PriceCharting, pokemontcg.io, TCGdex) that supply card and price information — we fetch data from them and they receive no personal data about you.
4. Cookies
We use a single essential cookie to store your session token and keep you signed in. It is not used for advertising or cross-site tracking. Because we rely only on this strictly necessary cookie (and any product analytics we use is cookieless), no cookie-consent banner is required. You can clear it by logging out or clearing your browser cookies.
5. Data retention
We keep your account data for as long as your account is active. Session records expire after 30 days. We aim to retain AI generation records (prompts and responses) for no more than 90 days. When your account is deleted, we remove your personal data and scrub the free text you provided (including generation prompts and any imported content) as described in Section 7.
6. International data transfers
Some of our sub-processors are located in the United States. Where we transfer personal data of EU/UK data subjects internationally, we rely on appropriate safeguards such as the providers’ Standard Contractual Clauses and equivalent transfer mechanisms.
7. Your rights
Subject to applicable law, you have the right to:
- Access and receive a copy of your personal data — download it anytime from your account settings (data export / portability).
- Erasure — delete your account and personal data yourself from your account settings; deletion removes your account and scrubs the free text you provided (generation prompts, imported content) so no orphaned personal data remains.
- Rectification of inaccurate data, and to update your profile at any time.
- Objection / restriction of certain processing, and (where processing is based on consent) to withdraw consent.
- Complain to your local data-protection authority.
To exercise a right you cannot complete in-product, contact us at ⟦privacy contact email⟧.
8. Children
The Service is not directed to children under 13, and we do not knowingly collect their personal data. We ask for date of birth at signup and reject accounts below the minimum age. If you believe a child has provided us personal data, contact us and we will delete it.
9. United States & California residents
We do not sell or share your personal data as those terms are defined under U.S. state privacy laws, and we do not use it for cross-context behavioral advertising. If and when U.S. state privacy laws such as the California Consumer Privacy Act apply to us, we will honor the applicable rights (to know, delete, correct, and opt out). This section is provided for transparency and is not a claim that any specific U.S. state law currently applies to us.
10. Changes to this policy
We may update this policy. For material changes we will take reasonable steps to notify you before they take effect. The effective date above reflects the current version.
11. Contact
For any privacy question or request, contact ⟦registered legal entity name⟧ at ⟦privacy contact email⟧. See also our Terms of Service.