Privacy Policy

Last Updated: May 27, 2026

This Privacy Policy describes how CardChain, Inc. ("Company," "we," "us," or "our") collects, uses, stores, and shares your information when you use the CardChain mobile application, website, and related services (collectively, the "Service"). By using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

• Account information (username, email address, password, or social login via Apple/Google)
• Date of birth for age verification
• Phone number (optional, for account recovery and notifications)
• Seller account information (full legal name, shipping address, bank account via Stripe)
• Portfolio and collection data (card details, images, purchase prices, notes, tags)
• Marketplace activity (listings, offers, transactions, shipping addresses, messages)
• Support messages, dispute information, and feedback

1.2 Information Collected Automatically

• Device type, model, operating system version, and app version
• IP address
• Device identifiers for push notifications (Expo push tokens)
• Advertising identifiers (IDFA on iOS, AAID on Android) used by Google AdMob to serve ads
• App performance data, error logs, and crash reports
• Usage data (features used, screens viewed, search queries)
• Photos of sports cards captured using the in-app scanner
• Barcode scans for graded cards (PSA, BGS, SGC, etc.)

1.3 Information from Third Parties

• Authentication — when you sign in with Apple or Google, we receive your name, email, and authentication tokens. We do not receive your password.
• Stripe — transaction status and payment confirmation. Stripe stores your bank account and card details; we do not have direct access to full account numbers.
• Card pricing services — we query market prices by card identifier. We do not send your portfolio data or personal information to these services.
• AI services — card images are sent for recognition and condition assessment. Results include card details and estimated grade.
• Shipping services — address validation, shipping rate quotes, and tracking information.

1.4 Location Information

We collect shipping addresses you manually enter for order fulfillment and shipping rate calculations. We do not collect precise GPS location, geolocation data, or track your physical location.

2. How We Use Your Information

We use your information to:

• Create, maintain, and authenticate your account
• Track your sports card portfolio and calculate real-time market values
• Analyze card images using AI for identification, condition assessment, and automated portfolio population
• Operate the marketplace (listings, offers, payments via Stripe, shipping via integrated services, order tracking)
• Send transactional notifications (order confirmations, shipping updates, price alerts, messages, offers)
• Respond to support inquiries and resolve disputes between buyers and sellers
• Display advertisements to free-tier users via Google AdMob
• Improve the app, fix bugs, and train AI models for better card recognition accuracy
• Monitor for fraud, prevent policy violations, and protect marketplace integrity
• Comply with legal obligations and enforce our Terms of Service

We do not send marketing or promotional communications at this time.

3. How We Share Your Information

We do not sell your personal information.

We may share your information with:

• Service providers — cloud hosting, Stripe (payments), shipping services, AI services (card analysis), push notification delivery, and subscription management. These providers only access your data as needed to perform services on our behalf.
• Google AdMob (advertising) — for free-tier users, we share limited device and usage information with Google AdMob to serve and measure advertisements. Our app is configured to request non-personalized ads only (requestNonPersonalizedAdsOnly: true), meaning Google does not use your data to build an ad personalization profile. AdMob may still collect device identifiers and IP address for ad delivery and measurement. Pro subscribers do not see ads, but the AdMob SDK may still initialize and share limited device data with Google until a future update fully disables it.
• Other users — if you enable Public Profile or Public Portfolio, your username, profile picture, seller rating, and card collection are visible to other users. Active marketplace listings are publicly visible. Offer details are only visible to the buyer and seller involved.
• Legal and safety — we may disclose information if required by law, legal process, or government request, or to protect rights and safety.
• Business transfers — in connection with a merger, acquisition, or sale of assets, your information may transfer to the acquiring entity.

Advertising Data Sharing

The sharing of device identifiers with Google AdMob may constitute "sharing" of personal information for cross-context behavioral advertising under certain state privacy laws (e.g., California's CPRA). You may opt out of this at any time (see Section 6).

4. Third-Party AI Platform Integrations

CardChain is available as an integration within third-party AI platforms, including ChatGPT (operated by OpenAI) and Claude (operated by Anthropic). When you use CardChain through these platforms:

• Your messages and queries are processed by the respective AI platform according to their own privacy policies. We do not control how these platforms handle your conversations.
• CardChain receives only the specific requests routed to our tools (e.g., card price lookups, portfolio queries, grading analysis) and returns sports card data in response. We do not receive or store your full conversation history on those platforms.
• We do not share your CardChain account data, portfolio information, or marketplace activity with these AI platforms.
• Usage through these platforms is subject to both this Privacy Policy and the privacy policy of the respective platform (OpenAI, Anthropic).

5. Data Storage, Retention, and Security

5.1 Storage and Encryption

Your data is stored on secure servers in the United States. We use industry-standard security measures including encryption of data in transit (HTTPS/TLS) and at rest, hashed and salted passwords, tokenized payment data via Stripe (PCI DSS compliant), and role-based access controls. We do not store credit card numbers or bank account numbers directly.

No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5.2 Data Retention

• Account data — retained while your account is active. Delete your account at any time through app settings.
• Deleted accounts — all personal information, portfolio data, and messages are permanently deleted. Transaction records may be retained for up to 7 years for legal, tax, or fraud prevention purposes.
• Portfolio history — value snapshots and price history retained for up to 1 year for historical charts.
• Card images — images saved to your portfolio remain until deleted. Unsaved scan images are deleted after processing.
• Messages — in-app and support messages stored until you delete them or close your account.

6. Your Privacy Rights and Choices

6.1 Account Controls

• Access and update — view and edit profile information, shipping addresses, and preferences in Account Settings
• Delete — permanently delete your account via Settings > Privacy & Security > Delete Account
• Export — export your portfolio data through the app or request a copy of your data by contacting privacy@cardchain.ai
• Privacy settings — toggle Public Profile and Public Portfolio on/off
• Notifications — control push notification preferences in Settings > Notifications

6.2 Advertising Opt-Out

• Note: CardChain is configured to request non-personalized ads only from Google AdMob. Google does not build an ad personalization profile based on your CardChain usage.
• iOS: Go to Settings > Privacy & Security > Tracking, and disable "Allow Apps to Request to Track."
• Android: Go to Settings > Privacy > Ads, and select "Delete advertising ID" or "Opt out of Ads Personalization."
• Google Ad Settings: Visit adssettings.google.com to manage your preferences.

6.3 Do Not Track / Global Privacy Control

We honor Global Privacy Control (GPC) signals as a valid opt-out of the sharing of personal information for advertising purposes where required by applicable law.

6.4 California Privacy Rights (CCPA/CPRA)

If you are a California resident:

• You may request to know what personal information we collect, correct inaccuracies, and request deletion
• We do not sell personal information
• We do share limited device identifiers with Google AdMob for ad delivery, which may constitute "sharing" under CPRA. You may opt out by adjusting device settings or contacting us.
• We do not use sensitive personal information beyond what is necessary to provide the Service
• We will not discriminate against you for exercising your privacy rights

To exercise your rights, email privacy@cardchain.ai. We will respond within 45 days. You may designate an authorized agent with written authorization.

6.5 Other State Privacy Laws

We comply with applicable privacy laws in all U.S. states, including the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others. Contact privacy@cardchain.ai to exercise any additional rights.

7. Children's Privacy

• CardChain is intended for users 13 years of age and older
• We do not knowingly collect personal information from children under 13. If discovered, we will promptly delete it.
• Users ages 13-17 may browse, purchase, and manage portfolios. Seller accounts require parental consent and parent/guardian management.
• Users 18+ may independently create seller accounts and link bank accounts.

Parents or guardians may contact privacy@cardchain.ai to request access to, deletion of, or restrictions on their child's information.

8. International Users

CardChain is operated from and servers are located in the United States. The Service is currently only available to users in the United States. If we expand internationally, we will update this policy to address cross-border data transfers and comply with applicable laws (e.g., GDPR).

9. Third-Party Services

Our Service integrates with third-party services that have their own privacy policies:

• Stripe (Payments): stripe.com/privacy
• Google AdMob (Advertising): policies.google.com/privacy
• Google Ad Settings: adssettings.google.com
• Apple (Sign in with Apple): apple.com/legal/privacy
• Google (Sign in with Google): policies.google.com/privacy
• OpenAI (ChatGPT integration): openai.com/privacy
• Anthropic (Claude integration): anthropic.com/privacy

We are not responsible for the privacy practices of third-party service providers.

10. Cookies and Tracking Technologies

• CardChain is primarily a native mobile application. We use Google AdMob to serve non-personalized ads to free-tier users. AdMob may use device advertising identifiers, IP address, and device information for ad delivery and measurement.
• Our website (cardchain.ai) may use essential cookies for site functionality and basic analytics. We do not serve ads on the website.
• We use push notification services to deliver messages, order updates, and price alerts. You can disable push notifications in device settings.

11. AI and Automated Processing

• Card images are sent to AI services for identification, condition assessment, and grading estimates. Results are returned within seconds.
• Card images and scan data may be stored to improve AI accuracy. Future versions may allow opt-out of AI training contributions.
• AI analysis is for informational purposes only — not a substitute for professional grading. Verify details independently.
• Our AI chat provides automated assistance for common questions. Complex issues are escalated to human support.
• Market pricing uses algorithms to aggregate data from public sources. Prices are for reference only.
• You can request human review of any AI result by contacting support@cardchain.ai.

12. Data Breach Notification

In the event of a data breach, we will promptly investigate, contain the incident, and notify affected users within 72 hours (or sooner if required by law). Notification will include a description of what happened, types of information affected, steps we are taking, and actions you can take. We will report breaches to relevant authorities as required by law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the "Last Updated" date, email, or in-app notification. Continued use after changes constitutes acceptance. You may request previous versions by contacting privacy@cardchain.ai.

14. Contact Us

For privacy questions, data requests, or to exercise your rights:

CardChain, Inc.
Privacy: privacy@cardchain.ai
Support: support@cardchain.ai
Legal: legal@cardchain.ai