Privacy Policy

Last updated: May 24, 2026 · Operator: SpellRack LLC, 116 Agnes Rd, Ste 200, Knoxville, TN 37919, USA

1. Summary

SpellRack is a Magic: The Gathering deckbuilding and commerce platform operated by SpellRack LLC, a Tennessee limited liability company. We collect what we need to run your account and bill you for paid plans. We never sell your personal information. You can export, correct, or delete your data at any time from Settings or by emailing [email protected].

2. Categories of personal information we collect

For compliance with the California, Virginia, Colorado, Connecticut, and Utah privacy statutes, here is the matrix of categories we process:

Category	Examples	Source	Purpose
Identifiers	email, display name, account ID, Discord ID	you	account login, communication
Commercial	subscription tier, plan, billing history, cards in collection	you, Stripe	subscription management, feature gating
Internet activity	IP, User-Agent, pages visited, errors encountered	your browser, PostHog, Sentry	security, debugging, product analytics
Geolocation (approximate)	ZIP code (only if you opt in for local-store search)	you	find cards at nearby stores
Inferences	format preferences, deck archetypes, price tier	your activity	recommendations, personalized UX
User-generated content	decks, deck names, feedback, pod chat, game records	you	deliver the service
Card-scan images	JPEG photo of a Magic card you scanned with the camera, only when you tap the confirmation badge on a borderline scan	your device camera	improve the scanner's accuracy by retraining on real-world conditions; never shared with a third party

We do NOT collect or process:Social Security numbers, government IDs, biometric data, precise GPS, contacts, third-party advertising identifiers, payment-card numbers (handled exclusively by Stripe — see §4), or any "sensitive personal information" defined under CCPA without explicit consent.

3. How and why we use your information

For each processing activity, our legal basis under GDPR / UK GDPR is shown in parentheses:

Operate your account and the service (contract: Art. 6(1)(b))
Process payments and prevent payment fraud (contract + legitimate interest)
Send transactional email — receipts, password resets, security alerts (contract)
Send marketing email (savings alerts, weekly digest) — only if you opt in (consent)
Product analytics and session debugging via PostHog and Sentry (consent in EU/UK, legitimate interest elsewhere)
Local-store inventory search — your ZIP and card name are sent to store APIs to surface nearby listings (contract)
Rate limiting, abuse detection, profanity moderation on community features (legitimate interest)
Comply with legal obligations — tax reporting, lawful subpoenas (legal obligation)
Train or fine-tune third-party AI models on your data: we do not. Conversations with the Copilot feature are sent to Anthropic for inference only — Anthropic does not train on API traffic per their terms.
Train our own card-recognition (scanner) model on photos you explicitly confirm via the badge on a borderline scan. We store the JPEG on our own servers (no third-party hosting), keep it for up to 365 days, and delete every frame tied to your account when you delete your account. You can also request immediate erasure of all archived scan frames via [email protected]. Auto-committed high-confidence scans are not archived without that explicit tap. Disclosed in the scanner UI at the moment of consent.

4. Subprocessors and third-party services

We use the following providers to deliver the service. Each has its own privacy policy and data processing agreement. None receive more data than needed for their function.

Provider	Role	Data shared	Region
Stripe	Payment processing	name, email, billing address, payment-card data (we never see the card)	USA (GDPR-aligned)
PostHog	Product analytics, session replay	page views, click events, anonymized user ID	USA (consent required in EU/UK)
Sentry	Error tracking	stack traces, IP, browser info on errors only	USA
Resend	Transactional email delivery	your email address, message content	USA
Anthropic	AI Copilot inference	your conversation messages; for premium users, also a system-prompt block summarizing your top-100 owned cards, recent deck names + commanders, and nearby store inventory (no payment data, no email, no address)	USA (zero retention; not used for training)
Discord	OAuth sign-in (optional)	Discord ID, username, email, avatar	USA
RevenueCat	Mobile subscription management (iOS / Android in-app purchases)	Apple/Google receipt data, your user ID, subscription state	USA
Cloudflare	CDN, DNS, email routing	IP, request metadata	Global edge network
Hetzner	Server hosting	all account + app data at rest	Germany (GDPR home jurisdiction)
Scryfall	Card data + images	your queries (card names, set codes)	USA
EDHREC	Synergy + recommendation data	commander/card queries	USA
TCGplayer (via Impact)	Affiliate links + marketplace listings	click-through tracking pixel only	USA
OpenStreetMap	Local game store directory data (names, addresses, phones)	none — read-only public data	Global, ODbL

We maintain an append-only subprocessor changelog documenting every addition, removal, or region change. EU/UK customers, in particular: data is hosted in Germany (Hetzner) and transferred to US subprocessors under the EU-US Data Privacy Framework or Standard Contractual Clauses. See §9 for details.

5. Cookies and similar technologies

We use the following cookies:

Essential (always on): auth_session (HttpOnly, Secure, SameSite=Lax) keeps you signed in; discord_oauth_state + discord_oauth_verifier protect Discord OAuth (deleted on completion); cc_consent remembers your cookie preferences.
Analytics (consent required in EU/UK): PostHog ph_* cookies record anonymized session events. You can decline at any time via the consent banner or footer link.
Payments (essential when checking out): Stripe sets __stripe_* cookies on the checkout page to prevent payment fraud.
Affiliate tracking: Outbound clicks to TCGplayer pass through partner.tcgplayer.com which sets a 1×1 attribution pixel. We earn a commission on qualifying purchases (see §10).
CDN / bot detection: Cloudflare may set __cf_bm and cf_clearance cookies to block bots and malicious traffic.

6. Who can see what

Private by default: decks, collection, watchlists, billing history are visible only to you unless you mark them Public or share them.
Public by choice: community decks, public profile, feedback posts on /feedback. The form tells you when content will be public.
Pod members: see each other's display name, shared decks, recorded games, and pod leaderboard.
Friends: see your public decks and following activity.

7. Data retention

Account data: kept until you delete your account.
Deleted account: removed within 30 days; backups purged within 90.
Billing records: retained 7 years for tax compliance (US IRS requirement).
Public content (community decks, feedback): kept until you delete it or your account.
Rate-limit logs: rolled over within 30 days.
Sentry error data: 90 days.
PostHog analytics: 12 months.
Anthropic Copilot conversations: zero server-side retention at Anthropic; we keep your conversation history in our database until you delete it.
Card-scan frames: up to 365 days from the date of capture, then automatically purged. Deleted immediately on account deletion or on written request.

8. Your rights

Under GDPR (EU/UK), CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and other comparable laws you have the right to:

Access a portable copy of your data — request via Settings → Export Data, or email [email protected]. Returned within 45 days.
Correctinaccurate data — edit your profile in Settings, or email us for fields you can't self-edit.
Delete your account — Settings → Delete Account. Deletion cascades to decks, collection, feedback, games. Email [email protected]if you can't access Settings.
Opt out of analytics— decline the cookie banner or click "Cookie preferences" in the footer.
Opt out of marketing email — unsubscribe link in every marketing email, or Settings → Notifications.
Right to non-discrimination (CCPA): we will not deny service, charge different prices, or provide a different quality of service because you exercised your privacy rights.
Do Not Sell or Share My Personal Information(CCPA): we do not sell personal information. PostHog analytics may qualify as "sharing" for cross-context behavioral context — opt out via the cookie banner or this link. We honor the Global Privacy Control (GPC) signal automatically.
Authorized agent: you may designate an authorized agent to make requests on your behalf. We require written authorization plus identity verification.
Appeal (Virginia, Colorado, Connecticut): if we deny a request, you may appeal to [email protected]. We respond within 60 days.
Lodge a complaint (EU/UK): with your national data protection authority if we fail to resolve your concern.

9. International data transfers

We're a US company hosting data primarily in Germany (Hetzner). EU/UK data is transferred to US-based subprocessors (Stripe, Resend, Anthropic, etc.) under the EU-US Data Privacy Framework or Standard Contractual Clauses where required.

10. Affiliate disclosures

Some outbound links to retailers (currently TCGplayer via the Impact network) are affiliate links. If you click through and make a qualifying purchase we may earn a commission at no extra cost to you. Affiliate links are tagged "(affiliate)" near the CTA. This disclosure is required by FTC 16 CFR Part 255.

11. Children

SpellRack is intended for users 13 and older. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that's the threshold). If you believe a child under that age has provided us data, contact [email protected] and we will delete it. Parents/guardians who believe their child has an account may request deletion at any time.

12. Security

We protect your data with industry-standard measures: encrypted database secrets, TLS 1.2+ in transit, hashed passwords (bcrypt), HttpOnly + Secure cookies, content security policy, rate limiting, and least-privilege database access. Payment-card data never touches our servers — Stripe handles it under PCI DSS SAQ-A scope. No system is perfectly secure; if we ever discover a breach affecting your data, we'll notify you within the timelines required by applicable law.

13. Changes to this policy

We'll update this page when practices change and bump the "Last updated" date. Material changes get an in-app banner at next sign-in and an email to active users. Prior versions available on request.

14. Contact

Privacy questions or rights requests: [email protected]
Mailing address: SpellRack LLC, 116 Agnes Rd, Ste 200, Knoxville, TN 37919, USA
DMCA notices: see our DMCA Policy.