Privacy Policy
Last updated: May 28, 2026 · Effective immediately for all users.
Your privacy matters. This Privacy Policy explains what personal information Dragon's Claw Cards ("we", "us", "our") collects, how we use it, who we share it with, how long we keep it, and the rights you have under applicable laws (including GDPR for users in the EU/UK and CCPA/CPRA for users in California).
Plain-English summary: we collect what we need to run the marketplace — your account info, listings, orders, messages, shipping addresses, and basic usage data. We share data with the third-party services that help us operate (Stripe for payments, Shippo for shipping labels, Resend for email, Firebase/Google for hosting and auth, PriceCharting for market data). We don't sell your personal data, ever. You can access, correct, or delete your data from the Account page or by emailing us.
1. Scope & who this applies to
This Privacy Policy applies to information we collect through the Dragon's Claw Cards website at dragonsclawcards.com, related subdomains, our mobile-app builds (when launched), our emails, and any other digital surface we operate. It applies to visitors, registered users, buyers, sellers, and Premium subscribers.
It does not apply to third-party websites or services we link to (e.g., Stripe's payment forms, USPS tracking pages, social media). Those services have their own privacy policies and you should read them.
2. What we collect
2.1 You give us
- Account info: email address, username, password (stored hashed via Firebase Auth — we never see the plain text), and your chosen sign-in method (email/password or Google sign-in).
- Profile info: avatar/profile image you upload, display name, biography, location (city/state for local-trade matching), public vault preferences, social links you choose to add.
- Seller info: ship-from address, business name (if applicable), and the identity, tax, and bank information you provide to Stripe during Stripe Connect onboarding (held by Stripe, not us — we receive only a Stripe Connected Account ID and high-level status flags).
- Buyer info: shipping address you enter at checkout, the payment method you select (held by Stripe — we receive only a Stripe customer ID and last-4 / card brand for display).
- Collection data: cards, vaults, and wishlists you save. Public vaults are visible to anyone with the link. Private vaults are visible only to you.
- Listings & orders: items you list for sale, listing photos, prices, descriptions, transaction history, dispute messages and evidence, refund/chargeback records.
- Messages: conversations with other users on the platform, including text and any photos sent.
- Support correspondence: emails and messages you send to support@, privacy@, dmca@, or legal@ addresses.
2.2 We collect automatically
- Device & browser info: IP address, browser type and version, operating system, device type, language, time zone, and basic browser fingerprint signals (used for fraud detection, rate-limiting, and security).
- Usage data: pages viewed, features used, button clicks, search queries, errors, performance timings.
- Cookies & localStorage: see Section 6.
- Cloud Function logs: server-side request logs (URL path, status code, timing, anonymized error context) used to debug and operate the Site.
2.3 We receive from third parties
- Stripe: payment status, payout status, dispute/chargeback notifications, KYC completion status, last-4 of card, card brand. We never receive your full card number.
- Shippo: shipping rate quotes, label purchase confirmations, tracking-event webhooks (in transit, out for delivery, delivered).
- Resend: delivery, open, and bounce events for the transactional emails we send you.
- Firebase Authentication: sign-in events, session tokens, identity-provider metadata (e.g., your Google account email if you sign in with Google).
- Card-data APIs (Scryfall, apitcg.com, PriceCharting, etc.): public market and catalog data only; we do not send your personal data to these.
3. How we use it
We use the personal information we collect to:
- Operate the marketplace: display your listings to buyers, route messages, process orders and payouts, calculate fees, generate shipping labels, deliver dispute resolutions.
- Authenticate & secure your account: sign you in, prevent unauthorized access, detect and block fraud, enforce rate limits, screen against sanctions lists where required.
- Communicate with you: send transactional emails (order confirmations, shipping updates, dispute notices, refund confirmations, suspension notices, account changes, password resets); respond to support requests; send wishlist alerts you've opted into; send Premium subscription receipts.
- Improve the Site: analyze usage patterns, debug errors, A/B test features, prioritize roadmap.
- Comply with legal obligations: respond to subpoenas and lawful government requests, fulfill tax-reporting requirements, retain financial and dispute records, comply with anti-money-laundering and sanctions laws.
- Enforce our Terms: investigate violations, suspend or ban accounts, pursue indemnity claims under Section 15 of the Terms of Service.
We do not sell your personal information. We do not share your email address with third-party marketers. We do not use your data to train any AI model.
4. Who we share it with
We share data only with the parties listed below, and only the minimum necessary for them to perform their function:
| Provider | Purpose | Data shared |
| --- | --- | --- |
| Other users | Buyer/seller communication and order fulfillment | Username, avatar, public profile; on a confirmed order: name, shipping address, and order details visible only to the matched buyer/seller |
| Stripe | Payment processing, payouts, fraud screening, identity verification | Email, name, address, transaction details, IP; for sellers: government ID, tax ID, bank info (collected directly by Stripe via Connect onboarding) |
| Shippo | Shipping label purchase, rate quotes, tracking | Ship-from + ship-to address, parcel dimensions, weight, order ID |
| Resend | Sending transactional email | Email address, message content (order confirmation, shipping update, etc.) |
| Google / Firebase | Hosting, database, auth, file storage, cloud functions, basic analytics | All operational data above is stored on Google Cloud (Firestore + Cloud Storage + Auth) |
| Scryfall, apitcg.com, PriceCharting, etc. | Market data + card catalog lookups | Search query strings only — no personal data |
| Law enforcement / regulators | Compliance with valid legal process | Whatever the lawful request requires |
| Successor entity | Merger, acquisition, or sale of Dragon's Claw Cards assets | All operational data (you'll be notified of any change of control) |
5. Legal basis for processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing your personal data are:
- Contract (Art. 6(1)(b) GDPR): to provide the Site and fulfill the contract you enter into when you create an account or place an order.
- Legitimate interest (Art. 6(1)(f)): to operate the marketplace safely (fraud prevention, security, abuse detection, dispute resolution), to debug and improve the Site, to defend legal claims.
- Legal obligation (Art. 6(1)(c)): to retain financial records, comply with tax-reporting obligations, and respond to lawful government requests.
- Consent (Art. 6(1)(a)): for any optional marketing communications you opt into. You can withdraw consent at any time without affecting prior processing.
6. Cookies, localStorage & tracking
We use cookies and browser localStorage to:
- Keep you signed in (Firebase Auth session tokens — strictly necessary).
- Remember your light/dark theme preference.
- Preserve unsaved listing drafts and cart contents.
- Prevent CSRF attacks on form submissions.
- Detect and rate-limit abusive traffic.
We use Firebase Analytics for aggregated, anonymized usage stats. We do not use third-party advertising trackers, retargeting pixels, or cross-site tracking cookies.
You can clear cookies and localStorage at any time via your browser settings (you'll be signed out and your theme/cart preferences will reset). Most browsers also let you block cookies entirely, but the Site may not work properly if you do.
7. How long we keep it
- Active account data is kept as long as your account is active.
- Deleted-account data is removed within 30 days of a verified deletion request, except for records required to be retained by law.
- Financial & tax records (orders, refunds, payouts, 1099 data) are retained for at least 7 years per IRS guidance.
- Dispute & trust-and-safety records (chargebacks, suspensions, ban appeals) are retained as long as needed for fraud prevention and legal defense — typically 7 years.
- Server logs are retained 30–90 days, depending on log type.
- Transactional email metadata (delivered/bounced events) is retained 1 year by Resend.
8. Security
Data is stored on Google Firebase (Firestore + Cloud Storage), encrypted at rest by Google and in transit via TLS. Authentication is handled by Firebase Auth using industry-standard hashing (we never see your plain-text password). Payment information is handled by Stripe (PCI-DSS Level 1 certified) — we don't store credit-card numbers ourselves.
Operationally, we use the principle of least privilege for staff access, secrets are stored in Google Secret Manager, and all admin actions on user accounts are logged.
That said, no system is 100% secure. Use a strong, unique password and enable two-factor authentication where available. Notify us immediately if you suspect your account has been compromised.
If we discover a data breach affecting your personal data, we will notify you (and any required regulators) within the timeframes required by applicable law.
9. International data transfers
Dragon's Claw Cards is operated from the United States, and our infrastructure providers (Google/Firebase, Stripe, Shippo, Resend) primarily process data on servers in the United States and other countries where they operate. If you access the Site from outside the U.S., your data will be transferred to and processed in the U.S. and other countries that may have different data-protection laws than your jurisdiction.
For transfers from the EEA/UK/Switzerland, we and our subprocessors rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) as the lawful transfer mechanism.
10. Your rights (all users)
Subject to local law, you have the right to:
- Access the personal information we hold about you. Request a copy by emailing privacy@dragonsclawcards.com.
- Correct inaccurate information. Most fields can be edited from the Account Settings page; for the rest, contact us.
- Delete your account and personal data. Use the "Delete account" button in Account Settings, or email us. Some records (financial, tax, dispute) are retained as described in Section 7.
- Object to processing based on legitimate interest, or restrict processing while you contest accuracy.
- Port your data — receive an export in a machine-readable format.
- Withdraw consent for any consent-based processing.
- Lodge a complaint with your local data protection authority.
We will respond to verified requests within 30 days. We may need to verify your identity before fulfilling a request (typically by confirming control of the email address on the account).
11. California (CCPA / CPRA) rights
California residents have the rights described in Section 10 above. You also have the right to:
- Know the categories of personal information we collect, the sources, the purposes, and the categories of recipients (all described above).
- Know the specific personal information we collected about you in the previous 12 months.
- Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell or share personal information for advertising purposes, so this right does not currently apply, but the option remains available.
- Limit use and disclosure of "sensitive personal information." We do not use sensitive personal information for purposes other than what is necessary to provide the Site.
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercise your rights.
To exercise these rights, email privacy@dragonsclawcards.com with the subject "California Privacy Request." You may designate an authorized agent to make a request on your behalf with proof of authorization.
12. EU / UK (GDPR) rights
Users in the EEA, the UK, and Switzerland have the rights described in Section 10. You can exercise them by emailing privacy@dragonsclawcards.com. Our legal bases for processing are listed in Section 5.
If you believe our processing of your personal data violates GDPR, you have the right to lodge a complaint with your national supervisory authority (a list is at edpb.europa.eu).
13. Children's privacy
The Site is not intended for children under the age of 13, and we do not knowingly collect personal information from children under 13. Browsing accounts are limited to users 13 or older; buying and selling are limited to users 18 or older (or the age of majority in your jurisdiction). If you believe we have collected personal information from a child under 13, contact privacy@dragonsclawcards.com and we will delete it promptly.
14. Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. There is no industry-standard way to interpret DNT, so the Site does not currently respond to DNT signals. We do not engage in cross-site behavioral advertising regardless.
15. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be announced via in-app banner and via email at least 14 days before they take effect, except where a shorter timeframe is required by law.
Privacy questions, requests, or complaints: privacy@dragonsclawcards.com
General support: support@dragonsclawcards.com
For users in the EEA/UK without a separate EU representative listed: contact privacy@dragonsclawcards.com and we will engage an Article 27 representative if required.
See also our Terms of Service, Refund & Return Policy, and Shipping Policy.