Privacy Policy

The Short Version

Hobby Card Index ("HCI", "we") is a sports and trading card price-tracking and collection-management platform at hobbycardindex.com. We collect what we need to run your account and the features you use — and that's it. We do not sell your personal data, and we do not run advertising networks on the site.

What We Collect

Account information

• Email address and username
• Password — stored only as a one-way hash (bcrypt). We never store or see your actual password.
• Optional profile details you choose to add: display name, avatar, phone number, location, bio
• If you sign in with Google, Microsoft, Apple, or eBay, we receive your basic profile from that provider (email and name) and an account identifier so we can log you in. We never see your password for those services.

Things you create in the app

• Your card collection, watchlists, price alerts, and saved searches
• Card images you upload or scan (see "Card Scanning" below)
• Dealer inventory and related business data, if you use the dealer tools

Billing information

Payments are processed entirely by Stripe. Your card number goes to Stripe, not to us. We store only your subscription tier and status, billing interval, and Stripe's customer and subscription reference IDs so we know which plan you're on.

Waitlist signups

If you join our waitlist, we store the email address (and optional name) you give us, along with your IP address and browser type for spam prevention.

Technical and security data

• Server logs, including your IP address and browser user-agent — used for security, abuse prevention, and debugging
• A security audit log of sensitive account events (for example, logins and password changes)
• A login token kept in your browser so you stay signed in, and — if you choose "trust this device" during two-factor login — a cookie that remembers that choice for 30 days

Card Scanning

When you scan a card, the photo you take or upload is sent to Google's Gemini API so the card can be identified. The image and the identification result are stored with your account so you can review your scan history. Google processes the image under its own API terms; we only send the card photo itself, not your account details.

How We Use Your Data

• To run your account: sign-in, collection tracking, watchlists, alerts, scans, dealer tools
• To process subscriptions and billing (via Stripe)
• To send transactional email — things like email verification, password resets, price alerts, and receipts. We don't send marketing email you didn't ask for.
• To keep the service secure: detecting abuse, rate-limiting, investigating errors
• To understand aggregate usage of the site (see "Analytics" below)

Third-Party Services We Use

• Stripe — payment processing. Stripe receives your payment details directly; we never hold card numbers.
• Google Gemini API — identifies cards from photos you scan.
• eBay APIs — we display live eBay listing data inside the app. If you connect your eBay account (dealer features), eBay provides us access tokens for your account, which we store to act on your behalf when you ask us to.
• Email delivery provider — sends our transactional email (verification, resets, alerts, receipts).
• Error monitoring — when something breaks, technical error reports (which can include your IP address and details of the request that failed) may be sent to our error-monitoring tools so we can fix the problem.
• Licensed pricing data providers — the card pricing data shown in the app comes from licensed pricing data providers and public marketplaces. This is data flowing to us; we do not share your personal data with these providers.

We share personal data with these providers only as needed to provide the service. We do not sell your personal data to anyone.

Analytics & Cookies

We use Google Analytics (with IP anonymization turned on) and Clicky to understand aggregate site usage — which pages get visited, roughly where traffic comes from. These tools set their own cookies. We use this data to improve the product, not to build advertising profiles, and we don't run third-party ad networks on the site.

Beyond analytics, the only cookies and browser storage we use are functional: keeping you signed in and remembering preferences like your trusted-device choice for two-factor login.

How Long We Keep Data

We keep your data for as long as your account exists. When you delete your account, your personal data is removed from our systems (see Data Deletion for exactly what gets removed and how). Server logs and backups age out on a rolling schedule. Stripe retains payment records under its own policies, as payment processors are required to do.

Your Rights

• Access — ask us what personal data we hold about you
• Correction — most account details can be edited directly in Settings; for anything else, email us
• Deletion — delete your account yourself in the app, or ask us to. Full instructions: hobbycardindex.com/data-deletion
• Export — where the app offers an export (for example, collection exports), you can download your data yourself; for anything else, email us and we'll help

Security

Passwords are stored only as bcrypt hashes. Traffic to the site is encrypted with HTTPS. Sensitive account actions are logged, and two-factor authentication (authenticator app, email, or SMS codes) is available on every account. No online service can promise perfect security, but we take reasonable, standard measures to protect your data.

Children

Hobby Card Index is not intended for children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, email us and we'll delete it.

Changes to This Policy

If we change this policy, we'll post the updated version on this page and update the effective date at the top. For significant changes, we'll make the update visible in the app or by email.

Contact

Questions about this policy or your data: [email protected]