This Privacy Policy explains how Scadex (“Scadex,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use the Scadex mobile application (the “App”) and the website at scadex.app (together, the “Service”). Scadex is operated by [OPERATOR_LEGAL_NAME], registered at the Dutch Chamber of Commerce (Kamer van Koophandel) under number [KVK_NUMBER], VAT identification [VAT_NUMBER], with its registered address at [OPERATOR_ADDRESS], the Netherlands.
We are committed to handling your information responsibly and in accordance with the EU General Data Protection Regulation (GDPR), the Dutch Telecommunications Act, and applicable consumer protection law. If you have any questions, you can reach our privacy lead at privacy@scadex.app.
1. Information we collect
1.1 Information you give us
- Account details — when you create an account we collect your email address, display name, optional username, and (if you choose) a profile photo. If you sign in with Apple or Google, we receive only the basic identifiers each provider returns; we do not receive your password.
- Scanned card images — photos you capture or upload of trading cards. Images are processed to detect, identify, and grade the card, and (with your permission) saved to your account's vault.
- Vault and collection data — the cards you add to your collection, prices, notes, condition assessments, and metadata you enter manually.
- Support correspondence — messages you send us via email or in-app feedback, along with any attachments.
1.2 Information we collect automatically
- Device information — device model, operating system version, app version, language, time zone, screen resolution, and a non-persistent installation identifier used to keep you signed in.
- Usage information — features you interact with, screens you visit, and timestamps. We use this to understand which parts of the App people find useful and to debug crashes.
- Diagnostic information — crash logs, error stack traces, and basic performance data (e.g. how long the scanner took to detect a card). This is collected via a privacy-respecting error reporter and is never sold or used to track you across other apps.
- Push notification tokens — if you opt into notifications, we store the push token Apple or Google issues for your device so we can send price alerts and account messages.
1.3 Information from third parties
- Purchase information — when you buy a subscription or scan pack, Apple (or Google) processes the transaction and shares with us the product purchased, the purchase identifier, the entitlement period, and (on renewal or cancellation) the renewal status. We never see your payment method.
- Card market data — current and historical card prices are sourced from public marketplaces (such as Cardmarket) and licensed catalog providers (such as Scrydex). These sources do not return any information about you.
2. How we use information
We use the information described above to:
- Provide, maintain, and improve the Service — including scanning, grading, pricing, and portfolio analytics;
- Create and manage your account, authenticate you, and recover access if you forget your credentials;
- Process subscriptions and one-time purchases through Apple and Google, including refunds and proration;
- Send transactional messages (purchase receipts, password resets, security alerts) and — only with your consent — marketing emails, which you can unsubscribe from at any time;
- Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms;
- Generate aggregated, non-identifying statistics about the Service (e.g. “X% of Pro users use the bulk scanner”);
- Comply with applicable legal obligations, including tax, accounting, and law-enforcement requests.
What we do NOT do: we do not sell your personal information, we do not show third-party advertising in the App, we do not track you across other apps or websites, and we do not use IDFA / advertising identifiers.
3. Legal bases for processing (EU/EEA users)
Under the GDPR we rely on the following legal bases:
- Performance of a contract — to provide the Service you signed up for;
- Legitimate interest — to keep the Service secure, prevent fraud, and improve product quality;
- Consent — for optional features such as marketing emails and push notifications (you can withdraw at any time);
- Legal obligation — to retain records for tax, accounting, or law-enforcement purposes.
4. Sharing your information
We share information only with the following categories of recipients, and only to the extent necessary:
- Apple Inc. — sign in with Apple, in-app purchase processing, push notifications, and TestFlight beta distribution.
- Google LLC — Google Sign-In, Play Store purchases (Android), and push notifications.
- Supabase, Inc. — our authentication, database, and storage provider. Hosted in the EU.
- RevenueCat, Inc. — manages subscription state and webhooks. We send RevenueCat your Scadex user ID; they receive purchase events from Apple and Google.
- Cardmarket (Sammelkartenmarkt GmbH) and Scrydex — provide card price and catalog data. We do not share user data with them.
- Sentry, Inc. — error reporting and crash diagnostics. Stack traces and device metadata only; no personal content.
- Our hosting provider — runs the Scadex API. Data in transit is encrypted with TLS; data at rest is encrypted on Supabase's side.
- Law enforcement or regulators — only when we are required to disclose information under a valid legal order.
A full and up-to-date list of subprocessors with their countries of operation is available on request at privacy@scadex.app.
5. International transfers
Some of the service providers listed above are based outside the EU/EEA (notably in the United States). When we transfer your data to those providers, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards. Where a provider participates in the EU-U.S. Data Privacy Framework, we also rely on that framework.
6. Data retention
We keep your information for as long as your account is active and for a reasonable period afterwards to comply with our legal obligations:
- Account profile — until you delete your account, then permanently deleted within 30 days.
- Vault & scan history — until you delete your account or remove the individual entries.
- Purchase records — retained for 7 years to comply with Dutch tax law (Algemene wet inzake rijksbelastingen art. 52).
- Diagnostic logs — retained for 90 days, then automatically purged.
7. Your rights
Under the GDPR you have the right to:
- Access — get a copy of the personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — delete your account and the associated data (see Section 9);
- Restriction — temporarily limit how we use your data;
- Portability — receive your data in a machine-readable format;
- Objection — object to processing based on legitimate interest;
- Withdraw consent — at any time, where consent is the legal basis;
- Lodge a complaint — with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
To exercise any of these rights, email privacy@scadex.app. We will respond within one month.
8. Children
Scadex is not directed at children under the age of 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can delete it.
9. Account deletion
You can delete your account at any time directly inside the App: Profile → Settings → Account → Delete account. Deletion is permanent and removes your profile, vault, scan history, and any user-generated content within 30 days. Active subscriptions are not automatically cancelled when you delete your account — you must cancel them in the App Store / Play Store separately to stop future charges.
You can also request deletion by emailing privacy@scadex.app from the address associated with your account.
10. Security
We use industry-standard safeguards to protect your information, including TLS 1.2+ for all network traffic, encryption at rest for database and storage, row-level security on per-user data, and strict access controls for staff. No system is perfectly secure, but if a breach occurs that affects you, we will notify you and the Dutch Data Protection Authority as required by law.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the App and update the “Last updated” date at the top of this page. Continued use of the Service after a change means you accept the updated policy.
12. Contact
For privacy questions, data-subject requests, or anything else covered by this policy, contact us at privacy@scadex.app or by post at [OPERATOR_LEGAL_NAME], [OPERATOR_ADDRESS], the Netherlands.