Last updated: March 8, 2026
This Privacy Policy explains what personal data CardCard collects, how we use it, who we share it with, and what rights you have. By using CardCard, you agree to this policy.
Account data: Your email address when you create an account.
Watchlist data: Card search terms, card types, and filters you add to your watchlist.
Alert history: Records of deal alerts sent to you including card names, prices, and eBay listing URLs. Retained for 90 days.
Payment data: Handled entirely by Stripe. We never store your full payment card number, CVV, or bank details. We store only your Stripe customer ID and subscription status.
Usage data: Login timestamps, subscription tier, and account activity logs.
AI chat data: Messages you send to the Card Market Assistant are processed by Anthropic's API. We do not permanently store your chat history beyond the current session.
Analytics data: We use Google Analytics to collect anonymized data about site visits. This data does not identify you personally.
We use your data solely to: operate your account and provide the Service; monitor eBay listings based on your watchlist and send deal alerts; process subscription payments via Stripe; send transactional emails via SendGrid; power the AI Market Assistant via Anthropic; and analyze aggregate usage to improve the Service.
We do not sell your personal data. We do not use your data for advertising.
Stripe: Payment processing. Governed by Stripe's Privacy Policy at stripe.com/privacy.
SendGrid: Email delivery. Your email address and alert content are transmitted to SendGrid to deliver emails on our behalf.
Anthropic: AI assistant functionality. Messages you send to the Card Market Assistant are transmitted to Anthropic's API. We do not send your personal account details to Anthropic — only watchlist context and chat messages. Governed by Anthropic's Privacy Policy at anthropic.com/privacy.
eBay: Listing data retrieved via eBay's official API. We do not share your personal data with eBay.
Google Analytics: Anonymized usage analytics governed by Google's Privacy Policy.
CardCard participates in the eBay Partner Network. Links in alert emails may be affiliate links. Clicking these links may result in CardCard receiving a commission from eBay if you make a purchase. No personal data is shared with eBay through this program beyond standard affiliate tracking.
CardCard uses a single session cookie solely to keep you logged in. We do not use advertising cookies or behavioral tracking. Google Analytics uses its own cookies to collect anonymized usage data — you can opt out via Google's opt-out browser add-on.
Passwords are hashed using bcrypt. Sessions use secure HTTP-only cookies. Our servers use firewall protection (UFW), intrusion detection (Fail2ban), and Cloudflare protection. All data is transmitted over HTTPS. No system is completely secure and we cannot guarantee absolute security.
We retain your account data for as long as your account is active. Alert logs are retained for 90 days. If you request account deletion, your personal data will be permanently removed within 30 days.
You have the right to: access a copy of your personal data; request correction of inaccurate data; request deletion of your account and data; receive your data in a portable format; and object to certain types of processing.
To exercise any of these rights, contact us at the email address associated with your account. We will respond within 30 days.
If you are located in the EEA, United Kingdom, or Switzerland, you have additional rights under GDPR. Our legal basis for processing your data is contractual necessity and legitimate interest. You have the right to lodge a complaint with your local data protection authority.
California residents have rights under CCPA including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information.
CardCard is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we become aware of such data, we will delete it immediately.
CardCard operates in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US and other countries where our third-party providers operate.
We may update this Privacy Policy at any time. We will notify active subscribers of material changes by email at least 14 days before they take effect.
For questions, data requests, or privacy concerns, contact us at the email address associated with your CardCard account.