Privacy Policy
Last updated: June 2, 2026
The Card Ledger ("we", "our", or "us") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and your rights regarding your data.
1. Information We Collect
We collect information you provide directly and information generated by your use of the app:
- Account information — email address and password (stored securely via Supabase Auth)
- Collection data — cards you add, scan images, pricing history, wishlists, and grading submissions
- Camera usage — photos captured during card scanning are uploaded to process your request and stored in your account; we do not use them for any other purpose
- Purchase information — subscription tier and scan pack purchases are processed by Apple or Google; we receive only confirmation of your entitlements via RevenueCat, not your payment details
- eBay connection data — if you connect your eBay seller account via OAuth (Collector and Pro tiers), we securely store your eBay OAuth access and refresh tokens in our database. We access your eBay seller identity (username) solely to confirm the connection and create listings on your behalf. We do not store your eBay password or payment details.
- Usage analytics — anonymized event data (features used, screens visited) collected via PostHog to help us improve the app
- Crash reports — error data collected via Sentry when the app crashes, including device type and OS version, to help us fix bugs
- Email signups — if you submit your email on our website, we store it to send product updates
2. How We Use Your Information
- Provide, operate, and improve The Card Ledger app and services
- Process AI card scanning and pricing requests on your behalf
- Manage your subscription and scan quota
- Send push notifications you have opted into (price alerts, feature updates)
- Respond to support requests
- Detect and prevent fraud or abuse
- Analyze aggregate usage patterns to improve features (data is anonymized)
We do not sell your personal information to third parties.
3. Third-Party Services
We use the following third-party services to operate the app. Each has its own privacy policy:
- Supabase — database, authentication, and file storage (supabase.com/privacy)
- RevenueCat — subscription and in-app purchase management (revenuecat.com/privacy)
- Google Gemini / OpenAI — AI models used to analyze card images and generate pricing; card images and metadata are sent to these services to process your scan requests
- SportsCardsPro — to identify a card, we send card details (player, set, card number) to the SportsCardsPro API to retrieve its canonical set, year, and market pricing. No card images or personal information are sent. We cite SportsCardsPro with a linkback wherever their data appears. See SportsCardsPro's Terms.
- PostHog — anonymous product analytics (posthog.com/privacy)
- Sentry — crash and error reporting (sentry.io/privacy)
- eBay — when you connect your eBay account (Collector and Pro tiers), we use eBay's OAuth 2.0 API to authenticate you and create listings on your behalf. Your eBay tokens are stored in our secure database and used only to fulfill listing requests you initiate in the app. See eBay's Privacy Notice.
- Apple / Google — in-app purchases and push notifications are handled through their respective platforms
- Affiliate partners — some links to external marketplaces (Amazon, eBay, TCGPlayer, and grading services) are affiliate links provided through programs such as the Amazon Associates Program, eBay Partner Network, and Impact. When you click these links, the partner may set cookies or receive a referral identifier to attribute any resulting purchase to us.
Affiliate disclosure. The Card Ledger participates in affiliate programs. Some links in the app and on this website are affiliate links, meaning we may earn a commission if you make a purchase through them — at no additional cost to you. As an Amazon Associate, The Card Ledger earns from qualifying purchases. Affiliate relationships never influence the market values, comparable sales, or pricing data we show you; those are derived from real sold-listing data independently of any commission.
4. eBay Integration
Collector and Pro subscribers may connect their eBay seller account to The Card Ledger to create listings directly from the app. When you connect your eBay account:
- We initiate an OAuth 2.0 authentication flow with eBay. You log in directly on eBay's website — we never see or store your eBay password.
- Upon successful authentication, eBay grants us access and refresh tokens, which are stored securely in our database, encrypted at rest.
- We use these tokens only to perform actions you explicitly request within the app (creating listings, checking connection status).
- We access limited eBay seller data — your eBay username and business policies — used solely to configure and create listings.
- You may disconnect your eBay account at any time from within the app. Disconnecting revokes our access and removes your tokens from our database.
- If you close your eBay account, eBay notifies us via a secure webhook and we automatically delete your stored tokens.
We do not share your eBay tokens or seller data with any third party other than eBay's own API services.
5. Data Retention
We retain your account and collection data for as long as your account is active. You may delete your account at any time from the app (Profile → Settings → Delete Account), which permanently removes all your data from our systems within 30 days.
Crash reports and analytics data are retained for up to 90 days in aggregated or anonymized form.
6. Your Rights
Depending on your location, you may have the following rights:
- Access — request a copy of your personal data
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and data
- Portability — request your collection data in a portable format
- Opt-out — opt out of marketing emails at any time via the unsubscribe link
To exercise any of these rights, contact us at contact@thecardledgerapp.com.
7. Children's Privacy
The Card Ledger is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly.
8. Your Rights in the EEA, UK & Switzerland (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, The Card Ledger (operated by its owner, a sole proprietor based in Texas, USA) is the data controller of your personal data. Our legal bases for processing are:
- Performance of a contract — to provide the core features you request (account, collection, scanning, pricing).
- Legitimate interests — to operate, secure, and improve the Service (e.g. crash reporting, abuse prevention), balanced against your rights.
- Consent — for optional marketing emails, which you may withdraw at any time.
- Legal obligation — where we must retain or disclose data to comply with the law.
In addition to the rights in Section 6, you may restrict or object to processing, withdraw consent at any time, and lodge a complaint with your local data-protection authority. We do not carry out automated decision-making that produces legal effects concerning you.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request its deletion or correction, and not to be discriminated against for exercising these rights.
We do not sell or share your personal information (as "sell" and "share" are defined under the CCPA/CPRA), and we do not use sensitive personal information beyond providing the Service. The categories we collect (identifiers such as your email; commercial information such as your collection and purchases; photos you upload; and usage/device data) are described in Section 1 and used for the purposes in Section 2.
To exercise your California rights, contact us at contact@thecardledgerapp.com. You may use an authorized agent to submit a request on your behalf.
10. International Data Transfers
We operate from the United States, and our service providers (including Supabase, Google, and RevenueCat) may process and store your data in the United States and other countries. Where personal data is transferred out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses. By using the Service, you understand your data may be processed in countries whose data-protection laws differ from those where you live.
11. Data Security
We use industry-standard security measures including encrypted connections (HTTPS/TLS), row-level security on our database, and secure credential management. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page and, where appropriate, by sending an in-app notification. Continued use of the app after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
- Email: contact@thecardledgerapp.com
- Website: thecardledgerapp.com