Privacy Policy

Last updated: 9 May 2026

The Short Version

TrackingTCG (“we,” “us,” or “our”) operates trackingtcg.com (the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over your data.

  • We collect only the minimum data needed to run the Service — through email registration or Google/Discord sign-in
  • We use only strictly necessary first-party cookies — for your login session, your saved theme, and (if you opt in) a 2FA “remember this device” token. We do not use any tracking, advertising, or analytics cookies.
  • We do not sell, rent, or share your personal data with advertisers or data brokers
  • You have full rights over your data under GDPR, including access, deletion, and portability

1. Who We Are

TrackingTCG is operated from the Netherlands. For all privacy-related enquiries, you can contact us at:

Email: legal@trackingtcg.com

Where this policy refers to “GDPR,” we mean the EU General Data Protection Regulation (Regulation 2016/679).

2. Information We Collect

Account information you provide

We offer two ways to create an account:

Email & password registration:

  • Email address
  • Display name / username
  • Password (stored only as a securely hashed value — we never store your password in plain text)

Google Sign-In:

  • Google account ID (unique identifier)
  • Display name
  • Email address
  • Profile picture URL

Discord Sign-In:

  • Discord user ID (unique identifier)
  • Username and display name
  • Email address
  • Avatar URL

For OAuth sign-ins, we request only the minimum scopes necessary: basic profile information and email address. We do not request access to your contacts, messages, friends lists, server memberships, or any other data from Google or Discord.

Collection and profile data

When you use the Service, we store the data you create and manage:

  • Your trading card collection data (cards owned, quantities, conditions, sets tracked)
  • Wishlists, tags, and any notes you attach to your collection
  • Profile preferences and display settings
  • Subscription status and tier (free or premium)

This data exists because you actively enter it. It is the core purpose of the Service.

Technical, security, and audit data

We collect limited technical data necessary to operate and secure the Service:

  • Session data maintained through a session cookie (PHPSESSID)
  • Your IP address and browser/user-agent information in server access logs, session records, security logs, account audit logs, legal-notice acknowledgements, and consent or age-attestation records where needed to prove account security, consent, or legal compliance
  • Approximate country derived from your IP address for session security and anonymous aggregate statistics; we use a local GeoIP database and do not send your IP address to the GeoIP provider for this lookup
  • Device labels and trusted-device records if you use two-factor authentication and choose “Remember this device”

3. How and Why We Use Your Information

We process your personal data only when we have a lawful basis to do so under GDPR Article 6:

| Purpose | Data used | Legal basis (Art. 6) |
| Creating and maintaining your account | Registration or OAuth profile data (name, email, user ID, avatar) | Contract performance (Art. 6(1)(b)) |
| Storing and displaying your card collections | Collection data you enter | Contract performance (Art. 6(1)(b)) |
| Maintaining tax and financial records | Transaction records, invoices | Legal obligation (Art. 6(1)(c)) |
| Keeping the Service secure and functional | Session data, IP address, user agent, server logs, security logs, trusted-device records | Legitimate interests (Art. 6(1)(f)) |
| Maintaining legal and account audit records | Policy acknowledgements, consent records, age attestations, account-security events, IP address, user agent, timestamps | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
| Sending essential service communications | Email address | Contract performance (Art. 6(1)(b)) |
| Sending optional marketing or feature updates | Email address | Consent (Art. 6(1)(a)) — only with your explicit opt-in |

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Cookies and Local Storage

For full details, see our Cookie Policy. In summary:

Cookies

| Cookie | Type | Purpose | Duration |
| PHPSESSID | Strictly necessary | Maintains your session so you stay logged in | Session (deleted when you close your browser) |
| theme_pref_mode | Strictly necessary (functional) | Mirrors your saved light/dark theme so the correct theme is applied immediately on every page load and across our subdomains, without flashing the wrong theme. Contains only the values light or dark. | 1 year |
| __Secure-device_trust (production), device_trust (development) | Strictly necessary (security) | Set only if you tick “Remember this device” during two-factor authentication. Lets you skip the 2FA prompt on subsequent logins from the same device. Contains an opaque random token tied to your account; it is not a login session by itself. | 30 days, or until you log out everywhere, change your password, change your email, or change your 2FA settings — any of which revokes it |

We do not use any tracking, advertising, analytics, or third-party cookies. All of the cookies above are strictly necessary for the site to function or to keep your account secure, and are exempt from consent requirements under the ePrivacy Directive and Dutch Telecommunicatiewet.

Local storage

We store a small number of preferences in your browser’s localStorage. These contain no personal data and are never sent to our servers:

  • theme-preference — Your chosen light/dark theme
  • view-preference-* — Your preferred layout (grid vs. list)
  • collapsed-series — Which card series sections you have collapsed or expanded
  • sidebar-collapsed — Whether you have collapsed the dashboard sidebar

5. Third-Party Services

We work with a limited number of third-party services, each selected for its privacy practices and compliance standards:

Google (OAuth sign-in)

We use Google’s OAuth 2.0 service to authenticate your account. We receive only the profile data described above. We do not access your Gmail, Google Drive, contacts, or any other Google services. Google LLC is certified under the EU-US Data Privacy Framework.

Google Privacy Policy

Discord (OAuth sign-in)

We use Discord’s OAuth2 service to authenticate your account. We receive only the profile data described above. We do not access your messages, server memberships, friends lists, or any other Discord data. Discord Inc. is certified under the EU-US Data Privacy Framework.

Discord Privacy Policy

We do not use any advertising networks, social media tracking pixels, remarketing tools, or third-party analytics platforms that collect personal data.

6. Data Storage and Security

Your data is stored on servers located within the European Union. We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS/HTTPS
  • Encrypted database connections — communication between our application servers and database is encrypted
  • Secure password storage — passwords are hashed using industry-standard algorithms; we never store plain-text passwords
  • Access controls — database access is restricted to authorised systems and personnel only
  • Regular backups — collection data is backed up regularly to prevent data loss
  • Minimal data collection — we collect only the data necessary to provide the Service

No system is 100% secure. If we become aware of a security breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and will notify affected users without undue delay where the breach poses a high risk to your rights and freedoms.

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of the third-party services we use are based in the United States:

EU to US transfers (Google, Discord): Both providers are certified under the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023. This framework provides an adequate level of protection for personal data transferred to certified US organisations. Additionally, both providers maintain Standard Contractual Clauses (SCCs) as a supplementary transfer mechanism.

| Provider | DPF Certified | Additional safeguards | EU entity |
| Google LLC | Yes | SCCs | Google Ireland Limited |
| Discord Inc. | Yes | SCCs | — |

8. Your Rights Under GDPR

Under the GDPR, you have the following rights over your personal data. These rights apply regardless of whether you are a free or premium user:

Right of access (Art. 15) — You can request a copy of all personal data we hold about you, including your collection data, in a structured format.

Right to rectification (Art. 16) — You can ask us to correct any inaccurate personal data or complete any incomplete data. You can also update most information directly through your account settings.

Right to erasure (Art. 17) — You can ask us to delete your account and all associated personal data. We will comply unless we have a legal obligation to retain certain data (e.g., financial transaction records for tax purposes).

Right to restriction of processing (Art. 18) — You can ask us to temporarily restrict how we use your data while we resolve a concern.

Right to data portability (Art. 20) — You can request your personal data and collection data in a structured, commonly used, machine-readable format (such as JSON or CSV) so you can transfer it to another service.

Right to object (Art. 21) — You can object to processing based on our legitimate interests. If you object to direct marketing, we will stop immediately — this right is absolute.

Rights related to automated decision-making (Art. 22) — We do not make any automated decisions about you that produce legal or similarly significant effects.

Right to withdraw consent — Where we process data based on your consent (e.g., marketing communications), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

How to exercise your rights

To exercise any of these rights, email us at legal@trackingtcg.com with the subject line “Data Rights Request.” Please include enough information for us to verify your identity (e.g., the email address associated with your account).

We will respond within one month. If your request is complex, we may extend this by up to two additional months, but we will inform you of any extension within the first month.

Right to lodge a complaint

If you believe we have not handled your data correctly, you have the right to lodge a complaint with a supervisory authority:

For EU / Netherlands residents:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374, 2509 AJ Den Haag, The Netherlands
Telephone: +31 (0)70 8888 500
Website: autoriteitpersoonsgegevens.nl

We encourage you to contact us first at legal@trackingtcg.com so we can try to resolve your concern directly.

9. Children’s Privacy

TrackingTCG is designed for trading card game collectors aged 13 and older, and we take the protection of children’s data seriously.

Minimum age: You must be at least 13 years old to create an account on TrackingTCG.

No date of birth storage: We do not ask for or store your date of birth. During account creation, we ask you to confirm that you are at least 13 years old. We store the Terms, Privacy Policy, and Cookie Policy acknowledgements with the timestamp, IP address, and user agent of the request.

What we do if we learn a user is under 13: If we become aware that we have collected personal data from a child under 13, we will take steps to delete that data as quickly as possible. If you believe a child under 13 has created an account, please contact us immediately at legal@trackingtcg.com.

Public collection profiles: Public collection profiles, public statistics, and any other public-by-URL features may expose collection data to anyone with the URL. Before enabling public sharing, we ask the user to confirm that they are 16 or older or that they have parent/guardian permission. We store that confirmation in our consent log with the timestamp, IP address, and user agent of the request.

10. Data Retention

We retain your data only for as long as necessary to provide the Service and fulfil the purposes described in this policy:

| Data type | Retention period | Reason |
| Account profile data (name, email, password hash, OAuth IDs, avatar) | Until you delete your account | Necessary to maintain your account |
| Collection data (cards, wishlists, notes) | Until you delete your account or remove the data | Core service data you control |
| Server access logs (IP, browser, timestamps) | 90 days | Security monitoring and incident investigation |
| Active session records (session ID, IP, browser, device, approximate location) | Until the session expires, is replaced, or you log out | Account security and session management |
| Trusted-device records for two-factor authentication | 30 days, or until revoked by logout everywhere, password/email change, or 2FA settings change | Remembering trusted devices when you opt in |
| Consent, policy acknowledgement, and age-attestation records (including IP, user agent, and timestamp) | Until account deletion | Proof of legal notices, consent choices, and 16+ public-sharing attestation |
| Account security logs | Indefinite, anonymised on account deletion | Fraud prevention, abuse investigation, and proof of account-protection actions |
| Identity and account audit logs | Until account deletion | Account security and compliance history |

When you delete your account, we will erase your personal data within 30 days, except where retention is required by law (e.g., financial records). Backups containing your data will be overwritten according to our backup rotation schedule, typically within 90 days.

Anonymised platform statistics. We retain anonymised aggregate statistics about platform usage across all TCG modules supported by the platform — such as collection size distributions, churn cohorts, and feature usage — that cannot be linked to individual users, including after account deletion. These statistics use coarse-grained buckets and apply a k-anonymity threshold to prevent re-identification. As anonymous data, they fall outside the scope of GDPR data subject rights.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make changes:

  • Minor changes (clarifications, formatting, updated contact details): We will update the “Last updated” date at the top of this page.
  • Material changes (new data collection, new third parties, changes to legal bases): We will notify you by email and/or through a prominent notice on the Service at least 30 days before the changes take effect. You may delete your account before the changes take effect if you do not agree, and we will help you export your data beforehand.

If you continue to use the Service after changes take effect, you acknowledge the updated policy. If you disagree with the changes, you may delete your account at any time.

12. Contact Us

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us:

Email: legal@trackingtcg.com

We aim to respond to all enquiries within 5 business days and to formal data rights requests within one month.

© 2026 TrackingTCG. All rights reserved.

TrackingTCG is an independent, fan-made collection tracking platform. We are not affiliated with, endorsed by, or sponsored by any trading card game publisher or rights holder. All card images, logos, and related assets displayed on this platform are the property of their respective owners and are used here solely for identification and informational purposes. If you are a rights holder and have concerns about any content displayed on this site, please contact us.