Privacy Policy
Last updated: April 16, 2026
This Privacy Policy describes what personal data HitScanTCG LLC collects, how we use it, and the rights you have. Jurisdiction-specific sections (California, other U.S. states, EEA/UK) appear at the end. If you only read one section, read § 2 (what we collect), § 5 (subprocessors), and § 8 (your rights).
1. Who We Are
HitScanTCG LLC is a Washington State limited liability company ("HitScanTCG," "we," "our," or "us"). This Privacy Policy applies to personal data we collect through the HitScanTCG desktop application, the website at hitscantcg.com and affiliated subdomains, the HitScanTCG Marketplace, and any other service we offer that links to this Policy (collectively, the "Service"). For purposes of GDPR, we are the data controller of personal data we collect directly from you. Contact information for privacy requests is in § 11.
2. Personal Data We Collect
2.1 Information you provide
- Account information: email address, password (stored as a PBKDF2-SHA256 hash with 600,000 iterations and a 32-byte random salt; never stored in plaintext), display name, avatar image, and role (Viewer or Streamer).
- Date of birth: collected for paid subscriptions, Marketplace purchases, and Streamer onboarding to verify you are 18 or older. Stored in truncated form (year of birth and age-at-signup flag) after verification.
- Streamer profile: biography, shipping policy description, social media handles, and any custom overlay branding you choose to upload.
- Streamer payout information: collected and stored by Stripe, Inc. through Stripe Connect onboarding (legal name, tax identification number, bank account or debit card for payout). We do not store this data on our systems; we retain only a reference ID issued by Stripe.
- Viewer purchase information: shipping address, order history, and any order-level notes you provide. Payment card details are entered directly into Stripe’s hosted checkout and are never seen or stored by us.
- Communications: emails, support tickets, and in-app messages you send us.
- Marketing consent: opt-in state for marketing emails and the timestamp of your consent.
2.2 Information collected automatically
- Camera frames (Scanner Tool): while scanning, camera frames are processed locally on your device. Individual frames are transmitted to our cloud proxy and relayed to Google Gemini for AI identification. Frames are processed ephemerally and are not retained after the identification response is returned to your device.
- Scan metadata: a log entry recording the timestamp, approximate token usage, tier budget deduction, and request ID for each scan. Used for billing, abuse prevention, and debugging. Does not contain the card image or identified card name beyond what is needed for aggregate analytics.
- Order and queue events: order lifecycle state transitions, queue position assignments, and shipping updates.
- Device and technical information: operating system, app version, IP address, browser user-agent, and request timestamps for security and rate limiting.
- Cookies and similar technologies: see our Cookie Policy for details. We use strictly necessary cookies for authentication and session management, and a limited set of functional cookies for role-based UI routing. We do not use advertising cookies or third-party tracking pixels.
2.3 Information we do not collect or store
- We do not store raw camera frames or stream recordings on our servers.
- We do not store your payment card numbers, CVV, or banking credentials (Stripe handles all of this).
- We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies.
- We do not sell your personal data, and have not in the preceding 12 months.
3. How We Use Personal Data
We process personal data for the following purposes, with the indicated legal bases under GDPR where applicable:
- Service delivery (contract): account creation and authentication, card identification, order processing, queue management, payment collection, payout to Streamers, shipping, and customer support.
- Platform security (legitimate interest): rate limiting, abuse detection, fraud prevention, account lockout, webhook idempotency, and incident response.
- Legal and tax compliance (legal obligation): sales tax collection and remittance, 1099-K reporting, marketplace facilitator reporting, response to lawful legal process, and retention of financial records.
- Product improvement (legitimate interest): aggregated, de-identified analytics of scan accuracy, conversion rates, and feature usage.
- Marketing (consent): product announcements and early-access invitations sent only to users who have opted in. You may opt out at any time by clicking the unsubscribe link in any marketing email or adjusting your account settings.
- Error monitoring (legitimate interest): captured exceptions and stack traces are sent to our error-monitoring vendor with PII scrubbed before transmission.
4. How We Share Personal Data
We share personal data only in the following circumstances:
- With subprocessors and service providers listed in § 5, under written contracts that require them to process data only on our instructions and to implement appropriate safeguards.
- Between Streamers and Viewers for transaction fulfillment — Streamers receive the shipping address you submit with each order so they can ship your items. Viewers do not receive Streamer contact details beyond the public Streamer profile.
- With tax and regulatory authorities as required by marketplace facilitator laws, 1099-K reporting, and applicable tax codes.
- In response to legal process (subpoena, warrant, court order, or lawful government request) when we believe disclosure is required by law. We will challenge overbroad or improper requests where reasonable.
- To protect rights, property, or safety of HitScanTCG, our users, or the public, including fraud investigation and enforcement of our Terms.
- In connection with a corporate transaction (merger, acquisition, asset sale, bankruptcy). We will notify you of any change in data controller and your rights before the transfer takes effect.
We do not sell personal data for money, and we do not "share" personal data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).
5. Subprocessors
We engage the following third-party services to process personal data on our behalf. Each has been evaluated for privacy and security posture, and each is bound by a data processing agreement. See our standalone Subprocessor List for the current authoritative list; the table below is kept in sync and may lag briefly.
- Stripe, Inc. — payment processing, Stripe Connect payouts, 1099-K reporting. Data: name, email, payment card, tax ID, bank info (for Streamers). Privacy policy.
- Google LLC (Gemini API) — AI card identification. Data: camera frame images (ephemeral). Privacy policy.
- Resend, Inc. — transactional email delivery (verification, password reset, order confirmations). Data: email address, message content. Privacy policy.
- Fly.io (Fly Software, Inc.) — cloud hosting for our proxy API. Data: all data processed by our application, at rest in our database region. Privacy policy.
- Vercel, Inc. — website and API-route hosting; Web Analytics (cookieless page-view counts) and Speed Insights (Core Web Vitals). Data: request logs, session cookies, anonymized hashed visitor identifier (no client cookie set), aggregated performance metrics. Privacy policy.
- PostHog Inc. — product analytics for funnel measurement (signup, checkout, onboarding) and aggregated feature usage. Data: first-party distinct_id cookie + localStorage, page URL, referrer, UTM parameters, event names with non-PII properties. Privacy policy.
- Cloudflare, Inc. — DDoS protection, DNS, and edge caching. Data: IP address, request metadata, WAF events. Privacy policy.
- Functional Software, Inc. d/b/a Sentry — error monitoring. Data: PII-scrubbed stack traces, release identifiers, request IDs. Privacy policy.
- Backblaze, Inc. — encrypted off-site database backups via Litestream. Data: encrypted snapshots of our database. Privacy policy.
- Neon, Inc. — managed PostgreSQL database (when enabled). Data: all data processed by our application. Privacy policy.
- tcgcsv.com — public TCG pricing data source. No personal data is shared with this service.
6. Data Retention
| Data category | Retention |
|---|---|
| Account record | For the life of your account; deleted within 30 days of verified deletion request (see § 8). |
| Password hash and salt | Same as account; overwritten on password change. |
| Refresh tokens | Until revocation or expiry (7 days free tier, 30 days Pro); deleted on logout. |
| Camera frames (Scanner Tool) | Not retained. Ephemeral processing only. |
| Scan log metadata | 90 days rolling window; then purged. |
| Order records | 7 years (IRS recordkeeping requirements for business records); shipping addresses anonymized after 90 days post-delivery. |
| Order PII (email, name, address) after user deletion | Replaced with "[deleted]" placeholder; order total and timestamps retained for financial recordkeeping. |
| Queue entries | Lifecycle of the session; completed entries purged after 90 days. |
| Audit events | 90 days rolling window; then purged. |
| Analytics events | 90 days rolling window; then purged or aggregated. |
| Marketing consent record | Until consent withdrawn + 2 years (to demonstrate lawful consent for withdrawn records). |
| Support communications | 12 months. |
| Financial transaction records | 7 years (tax and audit retention). |
| Backups (encrypted) | Rolling 30-day retention; deleted records persist in backups up to 30 days after primary deletion. |
We may retain data longer than the above when required to comply with a legal obligation, to enforce our Terms, or to resolve an active dispute.
7. Security
We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These include:
- TLS 1.2+ encryption for all data in transit.
- PBKDF2-SHA256 password hashing with 600,000 iterations and a unique 32-byte salt per account.
- JWT access tokens with 15-minute expiry and single-use refresh tokens with family-based rotation and theft detection.
- Rate limiting, account lockout, and bot detection on authentication endpoints.
- Parameterized SQL queries throughout; no dynamic query construction with user input.
- Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Cross-Origin-Resource-Policy headers.
- DDoS protection and Web Application Firewall through Cloudflare.
- Encrypted off-site database backups with a 10-second Recovery Point Objective.
- Multi-factor authentication on all administrative access to cloud infrastructure.
- Tenant isolation: every Marketplace query is scoped by authenticated account ID; admin endpoints require explicit role claims.
No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact security@hitscantcg.com immediately. In the event of a data breach that materially affects your personal data, we will notify you as required by applicable law.
8. Your Privacy Rights
You have the following rights, subject to legal exceptions and verification of your identity:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion / Right to be forgotten: request deletion of your personal data. We may retain limited data where required by law (tax records, prior financial transactions) or to resolve a dispute.
- Portability: receive a copy of your data in a structured, machine-readable format (JSON).
- Objection / Restriction: object to or request restriction of certain processing activities.
- Opt-out of marketing: unsubscribe from marketing emails at any time via the link in any message or in your account settings.
- Withdraw consent: withdraw any consent you have given, without affecting the lawfulness of prior processing.
- Complaint to supervisory authority: lodge a complaint with your local data protection authority (EEA/UK residents) or state Attorney General (U.S. residents).
To exercise any right, email privacy@hitscantcg.com or use the privacy controls in your account settings. We respond within 30 days (or such shorter period as required by applicable law). For access and deletion requests, we will verify your identity by requiring you to authenticate to your account and confirm via email on the address of record.
Authorized agents: You may designate an authorized agent to make requests on your behalf. Agents must submit written authorization signed by you; we may still require you to verify your identity directly.
Non-discrimination: We will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right.
9. Children’s Privacy
The Scanner Tool free tier is available to users aged 13 and older with parental consent where required. Paid subscriptions, Marketplace purchases, and Streamer accounts require the user to be at least 18 years old, and we verify date of birth at checkout or onboarding. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, contact privacy@hitscantcg.com and we will delete it promptly.
10. Jurisdiction-Specific Disclosures
10.1 California residents (CCPA / CPRA)
California residents have the rights described in § 8 plus:
- Right to know the categories and specific pieces of personal data collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share data.
- Right to opt out of "sale" or "sharing" of personal data. We do not sell or share personal data as those terms are defined under the CCPA/CPRA.
- Right to limit use of sensitive personal information. We do not use sensitive personal information (as defined by CPRA) for any purpose other than providing the Service you requested.
- Right to non-discrimination for exercising privacy rights.
Categories of personal information collected in the preceding 12 months: identifiers (email, account ID), commercial information (purchase history), internet or electronic network activity (IP, user-agent, request logs), geolocation (approximate, from IP), and inferences (none beyond what is described in this Policy).
10.2 Other U.S. state privacy laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA, which applies regardless of threshold), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maine, Maryland (MODPA), Minnesota (MCDPA), Rhode Island, and Kentucky (KCDPA) have rights substantially similar to those in § 8, including the rights of access, correction, deletion, portability, and to opt out of targeted advertising, sale, and certain profiling.
We do not engage in targeted advertising or sale of personal data. We do not engage in profiling that produces legal or similarly significant effects. Exercise rights by emailing privacy@hitscantcg.com.
10.3 European Economic Area and United Kingdom (GDPR / UK GDPR)
If you are located in the EEA or UK, our legal bases for processing are described alongside each purpose in § 3. You have all of the rights in § 8, plus the right to lodge a complaint with your local data protection authority.
International transfers: Our infrastructure is located in the United States. Where we transfer EEA or UK personal data to the U.S., we rely on Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914) and the UK Addendum, together with supplementary measures including encryption in transit and at rest and access controls.
Data Protection Officer: We have not appointed a formal DPO because we do not meet the mandatory thresholds under GDPR Article 37. Privacy requests are handled by the HitScanTCG privacy team at privacy@hitscantcg.com.
10.4 Washington State — My Health My Data Act
The Washington My Health My Data Act (RCW 19.373) regulates consumer health data. HitScanTCG does not collect consumer health data as defined by the statute. This Policy describes the limited, non-health data we do collect.
11. Contact Us
- Privacy requests and questions: privacy@hitscantcg.com
- Security and account compromise: security@hitscantcg.com
- Legal and arbitration notices: legal@hitscantcg.com
- Mailing address: HitScanTCG LLC, Sammamish, Washington, United States (full address available on request for legal service).
12. Changes to This Policy
We may update this Policy. Material changes will be announced by email to registered users and by a notice on the Website at least 30 days before the effective date. Non-material changes take effect on posting, and we will update the "Last updated" date above. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.