Privacy Policy
Last updated: 2026-04-24
CardVault is a personal tooling layer over the CardTrader marketplace. This policy explains what we collect, why, how long we keep it, and how you can have it deleted. It is written in plain English. If any clause is unclear, email us at the address below and we will rewrite it.
1. Who we are
CardVault is operated by an individual data controller:
- Controller: Fabio Galimberti
- Contact: fabio.galimberti@slesh.it
This policy describes CardVault beta (self-hosted, personal scale). Please contact us at the email above for any privacy question, access request, or deletion request before filing a complaint.
2. What we collect
We only collect what is necessary to operate the product. Nothing is sold, rented, or shared with advertising networks.
2.1 Account data
- Email address (used for login and transactional email).
- Display name (optional; shown only to you).
- Password, stored as a bcrypt hash. We cannot read the original value.
2.2 Integration data
- Your CardTrader JWT, if you choose to connect the integration. It is encrypted at rest with AES-256-GCM using a key held separately from the database. We never transmit it outside the requests we make to CardTrader on your behalf.
- Optional third-party AI API keys (OpenAI, OpenRouter, Anthropic) if you enable AI-assisted features. Encrypted at rest with the same mechanism.
2.3 Product data
- Wishlists, jobs, alerts, purchases, and notification preferences you create.
- Catalog snapshots (games, expansions, blueprints) mirrored from CardTrader's public catalog — these are not personal data.
2.4 Security & operational data
- Audit logs of authentication events (login, signup, failed login, logout) and administrative actions. These include your user ID, email, IP address, and user-agent string. They are retained to detect unauthorized access.
- Request logs (HTTP method, path, status code, response time) — not tied to individual users in most cases.
2.5 What we do not collect
- No advertising cookies, no tracking pixels, no third-party analytics scripts.
- Essential cookies only: a single authentication token stored in your browser's localStorage to keep you signed in. No consent banner is required because we run no analytics.
3. Why we process it
- Contract (GDPR Art. 6(1)(b)): operate the service you signed up for — account management, running your wishlists and jobs, delivering notifications.
- Legitimate interest (GDPR Art. 6(1)(f)): security audit logs, abuse prevention, debugging, maintaining service integrity.
- Consent (GDPR Art. 6(1)(a)): optional features — notifications, AI integrations. You can disable these any time in Settings.
4. Who processes it on our behalf
CardVault runs on infrastructure provided by the following processors. All have signed a GDPR-compliant Data Processing Agreement, and all relevant data stays in the EU.
- Hetzner Online GmbH — hosting (server + database). Data centre: Nuremberg (NBG1), Germany.
- Cloudflare, Inc. — CDN, tunnel, WAF, DDoS protection. Traffic routed via the Cloudflare EU network.
- Mailgun (Sinch Email EU) — transactional email only (signup confirmation, notifications). EU endpoint (api.eu.mailgun.net). Only used if you enable email notifications.
- CardTrader — when you use CardTrader features, we send API requests to them on your behalf using your CardTrader JWT. CardTrader is a separate data controller governed by their own privacy policy.
5. How long we keep it
- Active accounts: indefinitely, until you delete your account.
- Deleted accounts: every user-scoped record (wishlists, jobs, alerts, purchases, tokens, preferences) is purged immediately.
- Audit logs after deletion: retained for up to 6 months in anonymized form (no user ID, no email) for security and abuse investigations under GDPR Art. 6(1)(f).
- Backups: encrypted off-site snapshots retained for 30 days; restoration only occurs in recovery scenarios, after which deleted-account data is re-purged.
6. Your rights
Under GDPR (and equivalent laws in the UK, Switzerland, and elsewhere in the EEA) you have the right to:
- Access — see what we store about you. Most of it is visible in Settings; for anything else, email us.
- Rectification — correct inaccurate data. Edit your profile in Settings, or email us for fields that aren't editable in the UI.
- Erasure (right to be forgotten) — delete your account and all associated data. Go to Settings → Account & privacy → Danger zone. Deletion is immediate and irreversible.
- Portability — receive a machine-readable export of your data. Email us; we'll respond within 30 days.
- Restriction / objection — email us to pause processing of your data for a specific purpose.
- Complaint — lodge a complaint with your national data protection authority if you believe your rights have been violated. In Italy: Garante per la Protezione dei Dati Personali (garanteprivacy.it).
7. Security
We implement industry-standard measures appropriate to the scale of the service:
- TLS 1.2+ for all traffic, HSTS enabled.
- Passwords bcrypt-hashed; integration tokens AES-256-GCM encrypted at rest.
- Origin server reachable only via Cloudflare Tunnel; no public TCP ports are open on the VPS.
- Administrator access restricted to Tailscale-only SSH with hardware key authentication.
- Rate limiting on authentication endpoints; WAF at the Cloudflare edge.
- Audit logging of authentication and administrative events.
No system is perfectly secure. In the unlikely event of a breach affecting your data, we will notify you by email without undue delay and, where required, notify the competent supervisory authority within 72 hours.
8. Children
CardVault is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we will delete the account.
9. International transfers
We only use processors that store and process EU user data within the EEA. If a processor transfers data outside the EEA (for example, Cloudflare's global edge network), the transfer is governed by Standard Contractual Clauses as approved by the European Commission.
10. Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated via email to registered users at least 14 days before taking effect. Continued use of the service after the effective date constitutes acceptance.