Privacy Policy
Last updated: April 20, 2026
1. Summary
Spellrack is a Magic: The Gathering deckbuilding tool. We collect the minimum data needed to run your account and features. We don't sell your data. You can export or delete your account at any time from Settings.
2. What we collect
- Account info: email address, display name, password hash (if you register with email) or Discord ID + avatar URL (if you sign in with Discord).
- App data: decks, card collection, watchlists, friend list, pod memberships, games you record, feedback submissions.
- Technical data: session cookies, IP address (used only for rate-limiting — not stored long-term), browser User-Agent on login.
- We do NOT collect: payment details (no billing yet), precise location, contacts, third-party advertising identifiers.
3. How we use it
- Operate your account (sign-in, saving decks, sharing with friends/pods).
- Provide the card tracker — your state/city + card name are sent to store search endpoints.
- Send transactional email if you enable it (account verification, notifications you opt into).
- Prevent abuse (rate-limiting, profanity moderation on community feedback).
4. Who sees what
- Private by default: decks, collection, and watchlists are visible only to you unless you mark them Public or share to a friend/pod.
- Public by choice: community feedback on /feedback is visible to all users with your display name — the form tells you this before you submit.
- Pod members: see each other's display name, shared decks, recorded games, and leaderboard stats for that pod.
5. Third parties
- Scryfall — card data and images (we query their public API).
- Discord — OAuth sign-in (if you choose it).
- EDHREC — card-synergy data used for deck-building recommendations.
- Local game stores — when you use the card tracker, your query (state + city + card name) is sent to store search endpoints to build deep links. No personal data beyond IP is shared.
- Hetzner — our server host (EU data center).
We do not use advertising networks or third-party analytics trackers.
6. Cookies
We use a single essential cookie (auth_session) to keep you signed in. It's HttpOnly, Secure, and SameSite=Lax. A short-lived discord_oauth_state cookie is used during Discord login and deleted on completion. No advertising or analytics cookies.
7. Retention
- Account data: kept until you delete your account.
- Feedback submissions: kept publicly unless you delete your account.
- Rate-limit / request logs: rolled over within 30 days.
- Card data cache: card inventory prices refresh every 6 hours.
8. Your rights
Under GDPR (EU), CCPA (California), and similar laws you can:
- Access — email us for a copy of your data.
- Delete — use the Delete Account button in Settings, or email us. Deletion is permanent and cascades to decks, collection, feedback, games, etc.
- Correct — edit your profile directly in Settings, or email us.
- Opt out — of any notifications in Settings.
9. Children
Spellrack is not directed at children under 13. If we learn we've collected data from a child under 13 without parental consent, we'll delete it.
10. Changes
We'll update this page when practices change and bump the "Last updated" date. Material changes get an in-app banner at next sign-in.
11. Contact
Questions, data requests, or concerns: support@spellrack.com.