Privacy Policy

Last updated: May 24, 2026

CardDealer (“we”, “our”, the “Service”) helps trading-card collectors and dealers identify, price, and list their cards on online marketplaces. This Privacy Policy describes what information we collect, how we use it, and the limited circumstances under which we share it. It covers both our website at carddealer.ai and our iOS and Android mobile applications (the “Mobile Apps”).

Information we collect

  • Account information — the name, email address, and password (stored hashed) you provide when you sign up.
  • Card data you provide — photographs, scans, descriptions, prices, grades, certification numbers, and inventory location notes for the cards you import into your collection.
  • Marketplace OAuth tokens — if you connect a marketplace account (such as eBay), we store the OAuth access and refresh tokens issued by that marketplace so we can list and manage your inventory on your behalf. We never see or store your marketplace password.
  • Operational data — basic logs of actions taken in the Service (e.g. “identify request submitted”, “listing published”) used for troubleshooting and billing.

How we use your information

  • To run the Service: identify cards, look up prices, build listings, print labels, and sync inventory with the marketplaces you choose.
  • To bill you for usage of metered AI features (identify calls, grading runs).
  • To respond to your support requests.
  • To comply with legal obligations and to protect against abuse of the Service.

Mobile applications

Our iOS and Android Mobile Apps interact with the same backend as the website. In addition to the data described above, the Mobile Apps may collect or store the following:

  • Device identifiers — when you enable push notifications, we receive your operating system’s push token along with your device name (as you set it in your OS settings) and the installed app version, so we can route notifications to the right device and debug delivery issues.
  • Authentication token — when you sign in, the Mobile App stores a bearer token in the device’s secure keychain (iOS Keychain / Android Keystore). The token is only sent to our servers to authenticate your API requests; we never transmit it to third parties.
  • App-level diagnostic logs — basic crash signals and request errors, used to fix bugs. We do not embed third-party analytics SDKs in the Mobile Apps.

Camera and photo access

The Mobile Apps request camera access so you can scan card barcodes (PSA, CGC, BGS, TAG slabs) and photograph cards for AI identification. They request photo-library access so you can attach an existing image to a card. Photos you capture or select are uploaded to our servers only when you explicitly trigger an identify, save, or attach action — never in the background. If you deny either permission, the corresponding feature is disabled but the rest of the app continues to work.

Push notifications

With your permission, we send push notifications about events on your account (new orders to ship, sync issues, low credits). The Mobile App registers an Expo push token with our servers; we use it solely to send you these notifications and to coordinate with Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM). You can disable notifications at any time in your device settings; doing so does not affect any other functionality.

Account deletion

You can delete your account and all associated data at any time:

  • From the Mobile App: open Settings → Account → Delete Account, confirm the prompt, and your account plus all associated card, listing, image, and order data will be queued for deletion immediately.
  • From the website: open Settings → Account → Delete Account.
  • By email: contact [email protected] from the email address on the account.

Deletion removes your account from our active systems within 24 hours and from backups within 30 days. Anonymized aggregate usage statistics may be retained where they no longer identify you.

Who we share information with

We share the minimum necessary data with the third parties that power the Service:

  • Marketplaces you connect (eBay, and in future releases TCGPlayer, Whatnot, CollX, Shopify) — we send your listing data, images, and policy selections to publish on your behalf.
  • Card-data providers — PriceCharting and similar pricing/catalog services receive card photographs or set metadata for identification and price lookup.
  • AI providers (Anthropic, Google, OpenRouter) — receive card photographs and prompts when you run an identification or grading task.
  • Infrastructure providers — our database, object storage, and hosting providers, used only to operate the Service.

We do not sell your personal information.

Your choices

  • You may disconnect any connected marketplace from the Service at any time, which revokes the OAuth tokens we hold for it.
  • You may delete cards, images, and listings from your collection at any time. Deleted data is removed from active storage and purged from backups within 30 days.
  • To request a full export or deletion of your account, email [email protected].

Data retention

We retain account and card data for as long as your account is open. Operational logs are retained for up to 12 months for troubleshooting and abuse-prevention purposes.

Security

We use HTTPS for all traffic, store passwords as bcrypt hashes, encrypt marketplace OAuth tokens at rest, and limit internal access to authorized personnel. No system can be guaranteed perfectly secure; please use a strong, unique password for your account.

Children

The Service is not intended for use by children under 13, and we do not knowingly collect personal information from them.

Changes to this Policy

We will update this page when our practices change. Material changes will be announced by email or in-app notice.

Contact

Questions about this Policy: email [email protected].