Privacy Policy — CardMadeEasy.com

Version: 1.2 (Beta — Phase 8+ security + auctions + analytics)
Effective from: May 29, 2026
Last updated: June 22, 2026

Changes since v1.0 (June 22, 2026): added sections on 2FA & login activity (§2.9), Web Push notifications (§2.10), Auctions data (§2.11), AI card recognition (§2.12); added Cloudflare Web Analytics to processors list (cookieless, no consent banner needed) and Sentry error monitoring. See Slovak version for full text; major substantive points are summarised here.

🇸🇰 The Slovak version of this Privacy Policy is the binding legal text. This English version is provided for international users and payment provider compliance review. In case of any discrepancy, the Slovak version prevails.


1. Controller

The personal data controller is:

Marketing support s.r.o.
Registered seat: Studenohorská 67, 841 03 Bratislava, Slovak Republic
Company ID (IČO): 36 823 937
VAT ID: SK2022437153
Email: [email protected]

(hereinafter the "Controller").

2. What data we process

2.1. Data you provide directly

When creating an account and using the Platform:

  • Identification data: name, email, password (stored as bcrypt hash)
  • Profile data: display name, city (optional, public-toggleable), short bio
  • Locale preference: UI language (sk / en)
  • Consumer acknowledgment timestamp: confirmation that you are a private individual (non-business)
  • Communication content: in-platform chat messages, dispute submissions
  • Listing data: photos, card descriptions, prices

2.2. Data collected automatically

  • Technical data: IP address (anonymized for analytics), browser type, device type, language preference, time of access
  • Activity logs: login events, listing creation/modification, transactions (security & audit log retained per Slovak tax law)
  • Cookies: see Section 8 below

2.3. Data from third parties

  • Stripe Connect KYC data: for Sellers — identity verification documents, bank account details (Stripe is the controller of this data, we only receive a verification status flag)
  • TCG API metadata: card images and descriptions from Pokémon TCG API, Scryfall (MTG), YGOPRODeck (Yu-Gi-Oh!)

3. Purposes and legal bases of processing

| Purpose | Legal basis (GDPR Art. 6) | Retention period |
|---|---|---|
| Account creation and operation | Contract performance (6(1)(b)) | Lifetime of account + 30 days after deletion |
| Transaction processing | Contract performance (6(1)(b)) | 10 years (Slovak tax law) |
| Anti-fraud and security monitoring | Legitimate interest (6(1)(f)) | 2 years |
| Email notifications (transactional) | Contract performance (6(1)(b)) | Lifetime of account |
| Marketing emails | Consent (6(1)(a)) — opt-in | Until consent withdrawn |
| Analytics (anonymized) | Consent (6(1)(a)) — cookies | Until consent withdrawn |
| Accounting records | Legal obligation (6(1)(c)) | 10 years |

4. Recipients of personal data

We share your data only with the following processors, all bound by data processing agreements:

  • Stripe Payments Europe Ltd. (Ireland) — payment processing, KYC, escrow (data location: EU)
  • Zásilkovna s.r.o. ("Packeta", Czech Republic) — parcel delivery via Z-BOX / pickup branches, label generation, tracking notifications (DPA: https://www.zasilkovna.cz/gdpr)
  • Packeta Slovakia s.r.o. (Slovakia) — regional delivery subsidiary
  • Cloudflare, Inc. (USA, with EU SCCs) — CDN, edge runtime, DDoS protection
  • Websupport s.r.o. (Slovakia) — server hosting, database
  • Resend / Postmark — transactional email delivery
  • Sentry, Inc. (USA, with EU SCCs) — error tracking (PII-stripped by default)

Data shared with Packeta (per shipment): Buyer's first + last name, email, phone number, ID of the selected pickup point (Z-BOX/branch). Purpose: deliver the parcel and send SMS/email tracking notifications. Data is not shared with Packeta before a successful payment.

We do not sell your data to third parties, nor do we share it for marketing purposes.

5. International data transfers

  • Stripe processes some data outside the EU (e.g., card networks). This transfer is covered by Standard Contractual Clauses approved by the European Commission.
  • Cloudflare may route requests through its global network. EU edge locations are preferred; data at rest stays in EU.
  • Sentry: error reports are filtered to remove PII before transmission.

6. Your rights (GDPR Articles 15–22)

You have the following rights:

  • Right of access (Art. 15): request a copy of your personal data → Profile → "Download data (ZIP)"
  • Right to rectification (Art. 16): update your data in Profile settings
  • Right to erasure (Art. 17 — "right to be forgotten"): Profile → "Delete account" (3-step confirmation)
  • Right to restriction (Art. 18): request restriction of processing → contact [email protected]
  • Right to data portability (Art. 20): ZIP export contains data in machine-readable JSON format
  • Right to object (Art. 21): opt-out of marketing emails / analytics cookies anytime
  • Right not to be subject to automated decision-making (Art. 22): we do not use automated decision-making with legal effects

You also have the right to lodge a complaint with the supervisory authority — Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR), https://dataprotection.gov.sk.

7. Data security

  • All data in transit is encrypted using TLS 1.3
  • Passwords are stored as bcrypt hashes (work factor 12)
  • Stripe handles card data — we never see or store full card numbers
  • Database backups are encrypted at rest and retained for 30 days
  • Access to production data is restricted to named administrators with 2FA

8. Cookies

We use the following cookie categories:

  • Essential cookies (no consent required): session, authentication, CSRF tokens, cookie consent state, locale preference
  • Analytics cookies (consent required): prepared for Plausible (privacy-friendly, no cross-site tracking) — not currently active
  • Marketing cookies (consent required): not currently used

You can manage your consent any time via "Cookie settings" in the footer.

9. Children's data

The Platform is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided data, please contact [email protected] for immediate deletion.

10. Changes to this Privacy Policy

Material changes will be announced by email at least 30 days in advance. The most current version is always available at /en/legal/privacy.

11. Contact

For all privacy-related questions, requests, or complaints:

Marketing support s.r.o.
Email: [email protected]
Mail: Studenohorská 67, 841 03 Bratislava, Slovak Republic

We respond to GDPR requests within 30 days as required by Article 12(3).


The Operator does not have a designated Data Protection Officer (DPO) as we do not meet the criteria of Article 37 GDPR. The contact above serves as the primary privacy contact.