privacy policy

Last updated: June 2026. CardDropX is a TCG hub for collectors, sellers, and streamers — not a retailer.

Data controller

The data controller is [Legal entity name TBC] trading as CardDropX. Privacy contact: [email protected]. Data Protection Officer: [TBC].

What we collect

Lawful bases (UK GDPR)

How we use data

Retention

Sub-processors

Under UK GDPR we must tell you which organisations process personal data on our behalf. The table below is our published sub-processor list. We do not use Google AdSense or other third-party display ad networks. We may update this list when we add or change suppliers; material changes will be noted on this page.

ProcessorPurposeLocation
StripeSubscriptions, payments & Connect payoutsUS / EU
HetznerApplication hosting & databaseGermany (EU)
Resend (or equivalent)Transactional emailUS / EU
Cloudflare (if used)CDN, DDoS protection, DNSUS / global
Twitch, YouTube, TikTok, KickOAuth & streaming APIs (when you connect)US / global
ShopifySeller order sync (when you connect)US / global
Telegram / DiscordOrder alerts (credentials or webhooks you provide)global

Optional analytics (e.g. privacy-friendly page metrics) may be added on a deployment with notice and consent where required — we do not use AdSense. Machine-readable summary: GET /compliance/privacy-summary.

International transfers

Some sub-processors are based outside the UK/EEA (notably the United States). Where required, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions. Details available on request.

Stream OAuth tokens

When you connect a streaming platform, we store OAuth access and refresh tokens encrypted at rest. We use them only to provide stream connector features (live status, chat commands, overlay URLs). You may revoke access by disconnecting the platform in the Streaming hub or by deleting your account.

What we do not do

Your rights (UK GDPR)

Under the UK GDPR and Data Protection Act 2018 you have the following rights in relation to your personal data (subject to legal exceptions):

We aim to respond within one calendar month of a verified request. We may extend by up to two further months for complex or multiple requests, and will tell you why.

We will not normally charge a fee. We may refuse manifestly unfounded or excessive requests, or charge a reasonable fee, as permitted by UK GDPR.

How to exercise your rights

Easiest route — email us: Send your request from your account email to [email protected] with the subject line Privacy request. Say what you want (copy of data, correction, deletion, etc.). We will verify your identity before acting.

Signed-in workspace owners — self-service API: If you are comfortable using the API while logged in (session cookie or bearer token):

Public metadata: GET /compliance/privacy-summary describes export/deletion endpoints and retention without authentication.

In-appAccount settings (profile, password, preferences) and Privacy & data (download JSON, request deletion).

You may lodge a complaint with the ICO (ico.org.uk) if you believe we have not handled your data correctly.

Children and young people

CardDropX is a trading-card hub that may be used by collectors of different ages. We apply the UK GDPR and ICO guidance on children’s data.

We design features with the ICO Children’s Code in mind (high privacy by default, clear terms, no third-party display ads). Independent legal review of age gates is ongoing.

Cookies & similar technologies

CardDropX does not use third-party display ads. A future native advertising programme (approval-based) is documented in our roadmap for businesses and creators.

Fraud prevention

We process limited account, payment, and usage data to detect abuse, enforce bans, and protect integrations (OAuth tokens for streaming platforms are encrypted at rest and scoped to features you enable).

Security

We use encryption for sensitive credentials (OAuth tokens, integration secrets), HTTPS in transit, and audit logs with hashed IP addresses rather than raw IPs. No system is perfectly secure; report concerns to [email protected].

Contact

Data questions: [email protected]

Terms of use · Pricing · Home