Privacy Policy

Last updated: April 3, 2026

This Privacy Policy describes how CardPulse (cardpulse.club) collects, uses, stores, and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

• [Company Name]
• [Company Address]
• Email: privacy@cardpulse.club

For all data protection inquiries, you may contact us at the email address above.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Account Data

• Email address — required for account creation, authentication, and communication.
• Username — chosen by you, used as your public identifier on the platform.
• Password — stored in hashed form only; we never store or have access to your plaintext password.
• Country — optionally provided during onboarding, used to tailor marketplace recommendations.

2.2 Collection Data

• Card collection data — information about trading cards you add to the platform, including player names, set names, brands, seasons, card types, prices, grading details, and print runs.
• Uploaded images — photographs of trading cards you upload for identification and cataloging purposes.
• Transaction records — purchase costs, sale prices, and sale dates you enter for portfolio tracking.

2.3 Usage Data

• Log data — IP address, browser type, device information, pages visited, and timestamps.
• Feature usage — interactions with platform features such as Pulse Check, price scans, and sell signals.

2.4 Payment Data

Payment information (credit card numbers, billing addresses) is collected and processed directly by Stripe. We do not store your full payment details on our servers. We may receive from Stripe a truncated card number, card type, and billing country for record-keeping purposes.

3. How We Use Your Data

We process your personal data for the following purposes and legal bases:

Purpose	Legal Basis (GDPR)
Providing and operating the service	Performance of contract (Art. 6(1)(b))
Account creation and authentication	Performance of contract (Art. 6(1)(b))
Processing payments	Performance of contract (Art. 6(1)(b))
Sending transactional emails (password resets, account notifications)	Performance of contract (Art. 6(1)(b))
Sending marketing emails and newsletters	Consent (Art. 6(1)(a))
Analytics and service improvement	Legitimate interest (Art. 6(1)(f))
Fraud prevention and security	Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations	Legal obligation (Art. 6(1)(c))

4. Third-Party Data Processors

We share your data with the following third-party service providers who process data on our behalf:

4.1 Stripe

Purpose: Payment processing for subscription plans. Data shared: email, billing information. Stripe's privacy policy: stripe.com/privacy.

4.2 SendGrid

Purpose: Transactional email delivery (password resets, account notifications, system alerts). Data shared: email address, username. SendGrid's privacy policy: twilio.com/legal/privacy.

4.3 Google Analytics

Purpose: Website analytics to understand how users interact with the platform. Data shared: anonymized usage data, IP address (anonymized), browser and device information. Google Analytics' privacy policy: policies.google.com/privacy.

4.4 Heap

Purpose: Product analytics to understand feature usage and improve the user experience. Data shared: anonymized interaction data, session information, feature usage patterns. Heap's privacy policy: heap.io/privacy.

4.5 MailChimp

Purpose: Email marketing campaigns and newsletters. Data shared: email address, username (only if you opt in to marketing communications). MailChimp's privacy policy: intuit.com/privacy/statement.

5. Data Retention

We retain your personal data for as long as necessary to provide the service and fulfill the purposes described in this policy:

Data Category	Retention Period
Account data (email, username, country)	Duration of your account + 30 days after deletion
Card collection data and images	Duration of your account + 30 days after deletion
Payment records	7 years (legal/tax obligation)
Usage logs and analytics	26 months
Marketing consent records	Duration of consent + 3 years
Support communications	3 years after last interaction

When you delete your account, we will erase or anonymize your personal data within 30 days, except where longer retention is required by law.

6. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15) — You may request a copy of all personal data we hold about you.
• Right to rectification (Art. 16) — You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17) — You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
• Right to restriction (Art. 18) — You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability (Art. 20) — You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV).
• Right to object (Art. 21) — You may object to the processing of your data based on legitimate interests, including profiling and direct marketing.
• Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at privacy@cardpulse.club. We will respond to your request within 30 days.

You also have the right to lodge a complaint with a supervisory authority. If you are located in Spain, the relevant authority is the Agencia Espanola de Proteccion de Datos (AEPD) at aepd.es.

7. International Data Transfers

Some of our third-party service providers (Stripe, SendGrid, Google Analytics, Heap, MailChimp) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through one or more of the following mechanisms:

• EU-U.S. Data Privacy Framework (where the recipient is certified).
• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission for the recipient country.

You may request a copy of the safeguards in place by contacting us at privacy@cardpulse.club.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (HTTPS/TLS).
• Passwords stored using bcrypt hashing.
• HTTP-only, SameSite session cookies.
• Regular security reviews and access controls.
• Principle of least privilege for internal data access.

No system is completely secure. While we take reasonable precautions, we cannot guarantee the absolute security of your data.

9. Children's Privacy

CardPulse is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will promptly delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For any questions or requests related to your personal data or this Privacy Policy, please contact us at:

• Email: privacy@cardpulse.club
• [Company Name]
• [Company Address]