Privacy Policy
Last updated: July 9, 2026
The short version
Your card photos are never stored — they are processed in memory for the duration of your scan and discarded. We keep the minimum needed to run the service: your email (if you buy scan credits), your credit balance, and anonymous usage events.
Card photos
When you submit photos for analysis, they are sent from your browser to our server and forwarded directly to Google's Gemini API to produce the authenticity analysis. The photos exist only in memory during that single request. We do not write them to disk, store them in any database, or use them for any other purpose. Google processes them as our service provider to generate the analysis.
What we do collect
- Email address — only if you purchase scan credits or sign in. Used to credit your purchases, let you sign in via magic link, and send transactional emails (sign-in links, receipts). We do not send marketing emails.
- Credit balance and usage — how many scans you have purchased and used.
- Funnel events — basic events such as “scan started” or “payment completed”, used in aggregate to understand whether the product works. These are not used for advertising.
- Technical data — your IP address is used transiently for rate limiting (abuse prevention). Our infrastructure providers keep standard server logs.
Payments
Payments are processed by Stripe. Your card details go directly to Stripe and never touch our servers. We receive only a confirmation of payment, the pack you bought, and the email you provided at checkout. See Stripe's privacy policy at stripe.com/privacy.
Cookies
We use a small number of strictly functional cookies: one to recognize your browser session and one to track whether your free scan has been used. If you sign in, our authentication provider (Supabase) sets cookies to keep you signed in. We do not use advertising or cross-site tracking cookies.
Service providers
We rely on the following processors to operate the service: Cloudflare (hosting), Google (Gemini API, image analysis), Supabase (database and authentication), and Stripe (payments). Each receives only the data necessary for its role.
Legal basis and retention
We process your data to perform the service you request (analyzing your card, crediting your purchases) and on the basis of our legitimate interest in preventing abuse and understanding aggregate usage. Account and purchase records are kept for as long as your credits remain usable and as required for accounting; event data is kept in aggregate form.
Your rights
Under the GDPR you can request access to, correction of, or deletion of your personal data, and you can object to or restrict its processing. Email us at support@tcgverdict.com and we will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
Contact
Questions about this policy: support@tcgverdict.com.