Privacy Policy
Last updated: March 2026
1. Data Controller
TCGRadar is operated by MAPROLL d.o.o., Strmecka cesta 4, 10020 Novi Zagreb, Croatia (OIB: 29363700668). Contact: hello@tcgradar.eu.
2. Data We Collect
We collect only the data necessary to provide our service:
- Account data: Email address and name when you create an account. If you sign in via Google or Discord, we receive your name, email, and provider ID from the OAuth provider.
- Session data: We store session tokens (in a secure HTTP-only cookie) to keep you signed in for up to 30 days.
- Notification preferences: If you set up restock alerts, we store your alert rules, notification channel preferences (email, Telegram, web push), and push subscription endpoints.
- Favorites: Products you mark as favorites are stored in your account.
- Payment data: If you subscribe to Premium, payment processing is handled entirely by Stripe. We never receive or store your full credit card number. We store only your Stripe customer ID and subscription status.
We do not collect data from visitors who browse without an account, beyond standard server access logs (IP address, timestamp, requested URL), which are retained for a maximum of 30 days for security purposes.
3. How We Use Your Data
- To create and manage your account
- To deliver the stock tracking service and personalized features (favorites, filters)
- To send restock notifications you have opted into (email, Telegram, web push)
- To process payments and manage your subscription via Stripe
- To send transactional emails (password reset, email verification)
- To monitor and prevent abuse of the service
We do not sell, rent, or share your personal data with advertisers or data brokers.
4. Legal Basis for Processing (GDPR Art. 6)
- Contract (Art. 6(1)(b)): Account creation, service delivery, payment processing — necessary to perform our contract with you.
- Consent (Art. 6(1)(a)): Restock notifications and push subscriptions — you can withdraw consent at any time from your account settings.
- Legitimate interest (Art. 6(1)(f)): Security logging, fraud prevention, and service improvement.
5. Data Storage and Location
All personal data is stored in the European Union. Our primary database runs on Neon PostgreSQL in the Frankfurt, Germany datacenter (AWS eu-central-1).
6. Third-Party Processors
We use the following third-party services to operate TCGRadar. Each acts as a data processor under GDPR:
- Neon (database hosting) — Frankfurt, Germany (EU). Stores all application data.
- Vercel (application hosting) — Edge network with EU presence. Processes HTTP requests. Vercel does not store personal data beyond transient request processing. Vercel Inc. is certified under the EU-US Data Privacy Framework.
- Stripe (payments) — Processes subscription payments. Stripe Payments Europe Ltd. (Dublin, Ireland) handles EU data. See Stripe's Privacy Policy.
- Resend (transactional email) — Sends verification emails, password resets, and restock alert emails on our behalf. Receives only the recipient email address and message content.
- Google / Discord (OAuth) — If you choose to sign in via Google or Discord, these providers share your basic profile information (name, email) with us. We do not share your TCGRadar data back to these providers.
7. Cookies and Local Storage
TCGRadar uses only strictly necessary cookies:
- Session cookie: A secure, HTTP-only cookie that keeps you signed in. Expires after 30 days of inactivity.
- Locale preference: Stored in a cookie to remember your language choice (English or German).
We do not use advertising cookies, tracking cookies, or third-party cookies. No cookie consent banner is required because we only use cookies that are strictly necessary for the functioning of the service (ePrivacy Directive Art. 5(3) exemption).
8. Analytics
We use Umami, a cookie-free, privacy-preserving analytics tool hosted in the EU. Umami does not collect personally identifiable information, does not use cookies, and does not track users across websites. All data is aggregated and anonymous.
9. Data Retention
- Account data: Retained until you delete your account.
- Notification logs: Automatically deleted after 90 days.
- Session tokens: Expire after 30 days of inactivity.
- Server access logs: Deleted after 30 days.
- Stripe data: Retained by Stripe per their retention policy and applicable tax/accounting regulations.
When you delete your account, all personal data is permanently erased from our database immediately. This includes your profile, favorites, alert rules, notification preferences, and notification logs. Deletion is cascading and irreversible.
10. Your Rights (GDPR Art. 15–22)
As an EU resident, you have the following rights regarding your personal data:
- Right of access (Art. 15) — You can export all your data as JSON from your account page.
- Right to rectification (Art. 16) — Update your profile information at any time from your account page.
- Right to erasure (Art. 17) — Delete your account and all associated data from your account page.
- Right to restrict processing (Art. 18) — Contact us at hello@tcgradar.eu.
- Right to data portability (Art. 20) — Use the JSON export function on your account page.
- Right to object (Art. 21) — Contact us at hello@tcgradar.eu.
- Right to withdraw consent (Art. 7(3)) — Disable notifications at any time from your notification settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, use the self-service options in your account or email us at hello@tcgradar.eu. We will respond within 30 days.
11. Children
TCGRadar is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@tcgradar.eu and we will delete it promptly.
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Art. 22).
13. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email. The “Last updated” date at the top of this page indicates when the policy was last revised.
14. Contact and Complaints
For data protection inquiries, contact us at: hello@tcgradar.eu
You have the right to lodge a complaint with a supervisory authority. The competent authority for Croatia is:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
azop.hr
You may also contact the supervisory authority in your country of residence.