TCGRadar

Privacy Policy

Last updated: March 2026

1. Data Controller

TCGRadar is operated by MAPROLL d.o.o., Strmecka cesta 4, 10020 Novi Zagreb, Croatia (OIB: 29363700668). Contact: hello@tcgradar.eu.

2. Data We Collect

We collect only the data necessary to provide our service:

  • Account data: Email address and name when you create an account. If you sign in via Google or Discord, we receive your name, email, and provider ID from the OAuth provider.
  • Session data: We store session tokens (in a secure HTTP-only cookie) to keep you signed in for up to 30 days. Session records include your IP address and user agent (browser type and version) for security purposes.
  • Notification preferences: If you set up restock alerts, we store your alert rules, notification channel preferences (email, Telegram, web push), and related identifiers: your Telegram chat ID (if you connect Telegram) and your web push subscription endpoint and encryption keys (if you enable push notifications).
  • Favorites: Products you mark as favorites are stored in your account.
  • Payment data: If you subscribe to Premium, payment processing is handled entirely by Stripe. We never receive or store your full credit card number. We store only your Stripe customer ID and subscription status.

We do not collect data from visitors who browse without an account, beyond standard server access logs (IP address, timestamp, requested URL) which are retained for a maximum of 30 days for security purposes.

3. How We Use Your Data

  • To create and manage your account
  • To deliver the stock tracking service and personalized features (favorites, filters)
  • To send restock notifications you have opted into (email, Telegram, web push)
  • To process payments and manage your subscription via Stripe
  • To send transactional emails (password reset, email verification)
  • To monitor and prevent abuse of the service

We do not sell, rent, or share your personal data with advertisers or data brokers.

4. Legal Basis for Processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): Account creation, service delivery, payment processing — necessary to perform our contract with you.
  • Consent (Art. 6(1)(a)): Restock notifications and push subscriptions — you can withdraw consent at any time from your account settings.
  • Legitimate interest (Art. 6(1)(f)): Security logging (IP address and user agent in session records), fraud prevention, and service improvement.
  • Legal obligation (Art. 6(1)(c)): Retention of payment-related data as required by tax and accounting regulations.

5. Data Storage and Location

All personal data is stored in the European Union. Our primary database runs on Neon PostgreSQL in the Frankfurt, Germany datacenter (AWS eu-central-1).

6. Third-Party Processors

We use the following third-party services to operate TCGRadar. Each acts as a data processor under GDPR, and we have entered into Data Processing Agreements (DPAs) with each processor in accordance with GDPR Art. 28:

  • Neon (database hosting) — Frankfurt, Germany (EU). Stores all application data.
  • Vercel (application hosting) — Edge network with EU presence. Processes HTTP requests. Vercel does not store personal data beyond transient request processing. Vercel Inc. is certified under the EU-US Data Privacy Framework.
  • Stripe (payments) — Processes subscription payments. Stripe Payments Europe Ltd. (Dublin, Ireland) handles EU data. See Stripe's Privacy Policy.
  • Resend (transactional email) — Sends verification emails, password resets, and restock alert emails on our behalf. Resend Inc. is based in the United States and processes only the recipient email address and message content. Transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c).
  • Google / Discord (OAuth) — If you choose to sign in via Google or Discord, your basic profile information (name, email) is transferred to us from these US-based providers. This transfer occurs at your explicit request and is necessary to perform the authentication you initiated (GDPR Art. 49(1)(b)). Google LLC and Discord Inc. are also certified under the EU-US Data Privacy Framework. We do not share your TCGRadar data back to these providers.
  • Telegram (notifications) — If you connect Telegram for restock alerts, your Telegram chat ID and notification messages are transmitted to Telegram's servers. This occurs at your explicit request and consent.

7. International Data Transfers

Our primary data storage is within the EU (Frankfurt, Germany). However, some of our third-party processors are based in the United States. When personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework: Vercel, Google, and Discord are certified under the EU-US Data Privacy Framework (adequacy decision by the European Commission).
  • Standard Contractual Clauses (SCCs): For processors not covered by an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (GDPR Art. 46(2)(c)) as the transfer mechanism.

8. Cookies and Local Storage

TCGRadar uses only strictly necessary cookies:

  • Session cookie: A secure, HTTP-only cookie that keeps you signed in. Expires after 30 days of inactivity.
  • Locale preference: Stored in a cookie to remember your language choice (English or German).

If you enable web push notifications, your browser stores cryptographic keys (push subscription endpoint, p256dh key, auth secret) locally on your device. This storage is initiated only when you explicitly grant push notification permission through your browser's built-in permission prompt.

In addition to strictly necessary cookies (session, consent preference), we use optional advertising and analytics cookies from Google Ads and Reddit. These cookies are only set after you give explicit consent via our cookie banner. You can decline or withdraw consent at any time by clearing your browser cookies, which resets the consent banner.

9. Analytics & Advertising

We use Vercel Analytics for anonymous, cookie-free page view measurement. No personal data is collected by Vercel Analytics.

With your consent, we also use the following third-party services to measure advertising effectiveness:

  • Google Ads (Google Ireland Limited): We use Google Ads conversion tracking with Google Consent Mode v2. Without your consent, Google receives only anonymized, cookieless pings for conversion modeling. With consent, Google may set cookies to measure ad interactions and attribute conversions. Google's privacy policy: policies.google.com/privacy.
  • Reddit Pixel (Reddit, Inc.): With your consent, Reddit's pixel tracks page visits and conversions from Reddit Ads campaigns. No data is sent to Reddit without your consent. Reddit's privacy policy: reddit.com/policies/privacy-policy.

You can withdraw consent at any time by clearing your browser cookies for this site. The cookie consent banner will reappear, allowing you to make a new choice.

10. Data Retention

  • Account data: Retained until you delete your account.
  • Notification logs: Automatically deleted after 90 days.
  • Session tokens: Expire after 30 days of inactivity.
  • Server access logs: Deleted after 30 days.
  • Stripe data: We retain your Stripe customer ID and subscription status until account deletion. Stripe independently retains payment transaction records as required by tax, accounting, and financial regulations (typically 7–10 years). We cannot delete data held by Stripe under their own legal obligations.

When you delete your account, all personal data is permanently erased from our database immediately. This includes your profile, favorites, alert rules, notification preferences, and notification logs. Deletion is cascading and irreversible.

11. Your Rights (GDPR Art. 15–22)

As an EU resident, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16) — Update your profile information at any time from your account page.
  • Right to erasure (Art. 17) — Delete your account and all associated data from your account page.
  • Right to restrict processing (Art. 18) — Contact us at hello@tcgradar.eu.
  • Right to data portability (Art. 20) — Request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — You may object to processing based on legitimate interest. Contact us at hello@tcgradar.eu.
  • Right to withdraw consent (Art. 7(3)) — Disable notifications at any time from your notification settings. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right related to automated decision-making (Art. 22) — We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Should this ever change, you would have the right to obtain human intervention, express your point of view, and contest any such decision.

To exercise any of these rights, use the self-service options in your account or email us at hello@tcgradar.eu. We will respond within 30 days. In the case of complex or numerous requests, this period may be extended by a further two months — we will inform you of any such extension within the initial 30-day period, along with the reasons for the delay (GDPR Art. 12(3)).

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34. Notification will be sent to the email address associated with your account and will describe the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it.

13. Children

TCGRadar is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@tcgradar.eu and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users by email at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Contact and Complaints

For data protection inquiries, contact us at: hello@tcgradar.eu

You have the right to lodge a complaint with a supervisory authority. The competent authority for Croatia is:

Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10000 Zagreb, Croatia
azop.hr

You may also contact the supervisory authority in your country of residence.