CardWisp - Privacy Policy

CardWisp ("we," "us," or "our") operates the CardWisp mobile application (the "App"), a tool for organizing and tracking Magic: The Gathering card collections. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using CardWisp, you agree to the collection and use of information as described here. If you do not agree, please do not use the App.

1. Who We Are

CardWisp is an independent application. The controller of your personal data for the purposes of applicable data protection law is the operator of CardWisp. You can reach us at:

Email: cardwisp@gmail.com

If a more specific contact (such as an EU representative or Data Protection Officer) becomes required as we scale, we will update this policy.

2. Information We Collect

We collect only what we need to run the App and provide the features you use.

2.1 Information you provide directly

Account information. When you sign in with Google or Apple, we receive basic profile information from that provider: your name, email address, and a unique user identifier. You can see exactly what is shared in the consent screen presented by Google or Apple.
Collection data. Cards, decks, binders, notes, and any other content you add to your collection inside the App.
Support messages. If you contact us, we will receive your email address and the content of your message.

2.2 Information created by your use of the App

Card scan images. When you use the in-app card scanner, the image you capture is sent to a third-party optical character recognition (OCR) service (see Section 4) solely to identify the card. We do not retain the image after identification.
Usage state. Local preferences (such as onboarding completion, sort settings, and filters) are stored on your device using secure local storage (AsyncStorage). This data stays on your device and is not sent to us.
Subscription and purchase data. If you subscribe to a paid tier, purchase data (receipts, entitlement status) is processed by Apple or Google and by our subscription provider (see Section 4). We do not receive or store full payment card numbers.

2.3 Information collected automatically

Device and diagnostic information. Basic device type, operating system version, App version, and crash or error logs. This helps us keep the App stable and compatible.
No advertising identifiers. CardWisp does not serve third-party advertisements and does not use the iOS Advertising Identifier (IDFA) for tracking. If this ever changes, we will update this policy and request your permission through Apple's App Tracking Transparency framework.

3. How We Use Your Information

We use your information to:

Create and maintain your account.
Store, sync, and display your card collection across your devices.
Identify cards you scan using OCR.
Provide customer support.
Operate paid subscriptions, if you choose to subscribe.
Monitor stability, detect bugs, and prevent abuse or fraud.
Comply with legal obligations.

We do not sell your personal information. We do not share your collection data with other users unless you use a future social or sharing feature that you explicitly opt into.

Legal bases (GDPR)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

Performance of a contract — to operate the App and provide features you sign up for.
Legitimate interests — to keep the App secure, debug errors, and prevent abuse.
Consent — where required (for example, for optional features you turn on). You can withdraw consent at any time.
Legal obligations — to comply with applicable laws.

4. Third-Party Services

CardWisp relies on a small number of third-party services to operate. Each of these providers has its own privacy policy, and we encourage you to review them.

Service	Purpose	Data shared	Privacy policy
Google Firebase Authentication, Firestore	Account sign-in and cloud sync of your collection	Account identifier, email, collection data	firebase.google.com
Google Sign-In	Authentication via Google account	Name, email, Google user ID	policies.google.com
Apple Sign-In when available	Authentication via Apple ID	Name (optional), Apple-relay email, user ID	apple.com/legal/privacy
OCR.space	Card image recognition	The card image you scan, temporarily	ocr.space/privacypolicy
App Store / Google Play	App distribution and in-app purchases	Purchase receipts, subscription status	apple / google
RevenueCat planned	Subscription status and entitlement checks	Anonymous app user ID, subscription status	revenuecat.com/privacy

We require any third party with whom we share your data to protect it to a standard at least equal to ours. We do not share your data with third parties for their own marketing purposes.

5. Data Storage, Security, and International Transfers

Your collection data is stored on Google Firebase infrastructure, which may process data in the United States and other countries. If you are located in the EEA, UK, or Switzerland, your data may be transferred outside your country. Google relies on approved mechanisms (such as Standard Contractual Clauses) for these transfers. See Firebase's documentation for details: firebase.google.com/support/privacy.

We use reasonable technical and organizational safeguards to protect your information, including encryption in transit (HTTPS/TLS) and Firebase's built-in access controls. No system is perfectly secure, and we cannot guarantee absolute security.

6. Data Retention and Deletion

We keep your account and collection data for as long as your account is active.
Card scan images are not retained after OCR processing completes.
If you delete your account, we will delete your personal data within a reasonable period, except where we are required to keep it to comply with legal obligations, resolve disputes, or enforce our agreements.
Backups may persist for a short period after deletion before being overwritten.

You can request deletion at any time by emailing cardwisp@gmail.com, or by using the in-app account deletion option when available.

7. Your Rights

Depending on where you live, you may have some or all of the following rights. To exercise any of them, contact us at cardwisp@gmail.com. We will respond within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under the CCPA).

If you are in the EEA, UK, or Switzerland (GDPR / UK GDPR)

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure — ask us to delete your personal data.
Restriction — ask us to limit how we use your data.
Portability — receive your data in a structured, machine-readable format.
Objection — object to processing based on our legitimate interests.
Withdraw consent — where processing is based on consent.
Complain to a supervisory authority — you can lodge a complaint with your local data protection authority.

If you are a California resident (CCPA / CPRA)

Right to know what personal information we collect, use, and disclose.
Right to delete personal information we have collected.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing — CardWisp does not sell or share personal information as those terms are defined under the CCPA.
Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the service.
Right to non-discrimination — we will not treat you differently for exercising any of these rights.

If you are elsewhere

Many other jurisdictions grant similar rights. Contact us and we will honor them to the extent required by applicable law.

8. Children's Privacy

CardWisp is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at cardwisp@gmail.com and we will delete it promptly.

If you are in the EEA or UK, the minimum age is 16 unless your country allows a lower age under GDPR Article 8.

9. Analytics and Tracking

CardWisp does not currently use third-party analytics or tracking SDKs beyond the basic crash and error reporting provided by Firebase. We do not use advertising identifiers and do not track you across other apps or websites. If we add any analytics service in the future, we will update this policy and, where required, request your consent.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email where practical, and we will update the "Last updated" date at the top. Your continued use of the App after the change takes effect means you accept the updated policy.

11. Contact Us

Questions, requests, or complaints? Contact us at:

Email: cardwisp@gmail.com

CardWisp is an independent fan project. Magic: The Gathering and all related card names and images are trademarks and copyrights of Wizards of the Coast LLC. CardWisp is not produced, endorsed, supported, or affiliated with Wizards of the Coast.