privacy policy
Last updated: June 2026. CardDropX is a TCG hub for collectors, sellers, and streamers — not a retailer.
Data controller
The data controller is [Legal entity name TBC] trading as CardDropX. Privacy contact: [email protected]. Data Protection Officer: [TBC].
What we collect
- Account data — email, display name, workspace settings, date of birth (where provided), parental consent status, and authentication credentials (hashed passwords or OAuth identifiers).
- Inventory & scans — cards you catalog, photos you upload for scanning, portfolio history, and listing data you choose to publish on Explore.
- Seller integrations — Shopify, Stripe Connect, Telegram, and Discord credentials are encrypted at rest when you connect Hub.
- Streaming integrations — OAuth tokens and platform identifiers for connected Twitch, YouTube, TikTok, or Kick accounts when you subscribe to the stream connector.
- Usage — scan counts, refresh requests, billing entitlements, affiliate acknowledgement, and audit logs for support and security.
- Payments — processed by Stripe; we do not store full card numbers.
Lawful bases (UK GDPR)
- Contract — to provide the service you sign up for (account, catalog, Hub, billing).
- Legitimate interests — security, fraud prevention, service improvement, and affiliate click logging where proportionate.
- Consent — where required for optional analytics or marketing cookies.
- Legal obligation — where we must retain records for tax, accounting, or regulatory purposes.
How we use data
- Provide catalog, scan, portfolio, battles (entertainment), Explore browse, and Hub seller tools.
- Show price estimates — not buy or sell guarantees.
- Route affiliate and marketplace links where your plan allows.
- Operate the stream connector (live detection, chat commands, overlay URLs).
- Send transactional email (verification, password reset, order alerts when configured).
- Improve reliability and prevent abuse (rate limits, audit logs).
Retention
- Uploads default to process-and-delete unless you purchase a scan retention add-on.
- After subscription cancellation or account deletion request, workspace data is scheduled for deletion within 14 days unless a longer retention add-on or legal hold applies.
- Audit and security logs are retained for a limited period necessary for investigation and compliance.
Sub-processors
Under UK GDPR we must tell you which organisations process personal data on our behalf. The table below is our published sub-processor list. We do not use Google AdSense or other third-party display ad networks. We may update this list when we add or change suppliers; material changes will be noted on this page.
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Subscriptions, payments & Connect payouts | US / EU |
| Hetzner | Application hosting & database | Germany (EU) |
| Resend (or equivalent) | Transactional email | US / EU |
| Cloudflare (if used) | CDN, DDoS protection, DNS | US / global |
| Twitch, YouTube, TikTok, Kick | OAuth & streaming APIs (when you connect) | US / global |
| Shopify | Seller order sync (when you connect) | US / global |
| Telegram / Discord | Order alerts (credentials or webhooks you provide) | global |
Optional analytics (e.g. privacy-friendly page metrics) may be added on a deployment with notice and consent where required — we do not use AdSense. Machine-readable summary: GET /compliance/privacy-summary.
International transfers
Some sub-processors are based outside the UK/EEA (notably the United States). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions. Details available on request.
Stream OAuth tokens
When you connect a streaming platform, we store OAuth access and refresh tokens encrypted at rest. We use them only to provide stream connector features (live status, chat commands, overlay URLs). You may revoke access by disconnecting the platform in the Streaming hub or by deleting your account.
What we do not do
- We do not sell your customer email lists from Hub checkout.
- We do not operate live auctions or wagering on the platform.
- We do not buy or hold your inventory as principal.
Your rights (UK GDPR)
Under the UK GDPR and Data Protection Act 2018 you have the following rights in relation to your personal data (subject to legal exceptions):
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your data in certain circumstances (“right to be forgotten”).
- Right to restrict processing — ask us to limit how we use your data in certain cases.
- Right to object — object to processing based on legitimate interests or for direct marketing.
- Right to data portability — receive your data in a structured, machine-readable format where processing is by automated means and based on contract or consent.
- Rights related to automated decision-making — we do not make solely automated decisions with legal or similarly significant effects.
- Right to withdraw consent — where we rely on consent (e.g. optional cookies), you may withdraw it at any time without affecting lawfulness of prior processing.
We aim to respond within one calendar month of a verified request. We may extend by up to two further months for complex or multiple requests, and will tell you why.
We will not normally charge a fee. We may refuse manifestly unfounded or excessive requests, or charge a reasonable fee, as permitted by UK GDPR.
How to exercise your rights
Easiest route — email us: Send your request from your account email to [email protected] with the subject line Privacy request. Say what you want (copy of data, correction, deletion, etc.). We will verify your identity before acting.
Signed-in workspace owners — self-service API: If you are comfortable using the API while logged in (session cookie or bearer token):
- In-app — Account settings (profile, password, preferences) and Privacy & data (download JSON, request deletion).
- Export (portability) —
GET /privacy/exportreturns a JSON download of your account, workspaces, entitlements, and summary counts. - Deletion —
POST /privacy/delete-requestwith JSON body{"confirm_email": "[email protected]"}schedules erasure after a 14-day grace period (configurable in our retention policy). Email support to cancel a pending deletion.
Public metadata: GET /compliance/privacy-summary describes export/deletion endpoints and retention without authentication.
In-app — Account settings (profile, password, preferences) and Privacy & data (download JSON, request deletion).
You may lodge a complaint with the ICO (ico.org.uk) if you believe we have not handled your data correctly.
Children and young people
CardDropX is a trading-card hub that may be used by collectors of different ages. We apply the UK GDPR and ICO guidance on children’s data.
- Under 13: Our service is not directed at children under 13. We do not knowingly collect personal data from children under 13 without appropriate parental consent. If you believe we have, contact us and we will delete it promptly.
- Ages 13–17: Under UK law, children aged 13 or over may consent to processing of their personal data for information society services in many cases. You may create a Free account for catalog, portfolio, and entertainment features if you meet our Terms.
- Creator monetisation (18+ or parental consent): Paid/Max seller tools, public creator profiles, affiliate monetisation, and related features require you to be 18 or older, or under 18 with verified parental consent (parent/guardian email + admin review of our parental-consent flow). Date of birth is collected in the creator dashboard for this purpose only.
- Parental responsibility: If you are a parent or guardian and want to exercise rights on behalf of a child, email [email protected] from an address you control.
We design features with the ICO Children’s Code in mind (high privacy by default, clear terms, no third-party display ads). Independent legal review of age gates is ongoing.
Cookies & similar technologies
- Essential — session cookies for sign-in and security (no consent required for strictly necessary cookies).
- Preferences — theme choice stored locally or in your account where enabled.
- Analytics — if enabled on a deployment, we use analytics only with appropriate notice/consent where required by UK PECR / EU ePrivacy rules.
CardDropX does not use third-party display ads. A future native advertising programme (approval-based) is documented in our roadmap for businesses and creators.
Fraud prevention
We process limited account, payment, and usage data to detect abuse, enforce bans, and protect integrations (OAuth tokens for streaming platforms are encrypted at rest and scoped to features you enable).
Security
We use encryption for sensitive credentials (OAuth tokens, integration secrets), HTTPS in transit, and audit logs with hashed IP addresses rather than raw IPs. No system is perfectly secure; report concerns to [email protected].
Contact
Data questions: [email protected]
Terms of use · Pricing · Home