CardForge

Privacy Policy

Last updated: April 18, 2026

This Privacy Policy explains what information CardForge (“we”, “us”) collects when you use the Service, why we collect it, and how you can control it. By using the Service you agree to the practices described below.

1. Information we collect

Account information

  • Name (display name)
  • Email address
  • Username
  • Hashed password (only if you sign up with email + password)
  • OAuth provider id and avatar URL (only if you sign in with Google or Discord)
  • Optional profile bio and avatar image

Service data

  • Decks you create (cards, names, descriptions, visibility flags)
  • Favourites and friend connections
  • Feedback you submit through the in-app widget
  • Stripe customer id and subscription status if you upgrade to Pro (we never store full card numbers — Stripe handles that directly)

Technical data

  • IP address and approximate region (used for rate limiting and abuse prevention)
  • Browser user-agent string (used for feedback diagnostics)
  • Cloudflare Turnstile challenge results (passed when you create an account)
  • Aggregated, cookieless page-view counts via Vercel Analytics
  • Error reports (stack traces, request paths) via Sentry when something breaks; we do not intentionally include your personal data in these reports

2. How we use your information

  • To create and operate your account
  • To provide, maintain, and improve the Service
  • To process subscription payments (via Stripe)
  • To send essential transactional email (account verification, welcome, billing receipts) via Resend
  • To detect, investigate, and prevent abuse, fraud, and security incidents
  • To respond to your support requests

We do not sell your personal information and we do not use it for third-party advertising.

3. Cookies and similar technologies

CardForge uses a single first-party session cookie (authjs.session-token or its __Secure-prefixed variant in production) to keep you signed in. This cookie is strictly necessary to operate the Service. We do not use third-party tracking cookies. Vercel Analytics is cookieless and aggregated, so no consent banner is required.

4. Sub-processors

We share limited information with the following third-party providers so that they can perform services on our behalf:

  • Neon — managed PostgreSQL database (account, deck, favourite, friendship, feedback rows)
  • Vercel — web hosting, edge functions, cookieless analytics
  • Stripe — payment processing for Pro subscriptions
  • Anthropic — Claude API for AI deck features (we send the deck list and prompt; we do not send your name or email)
  • Resend — transactional email delivery
  • Upstash — Redis used for rate limiting and caching (stores hashed identifiers, never plaintext content)
  • Cloudflare — Turnstile captcha on registration
  • Sentry — error and performance monitoring

Each provider is contractually bound to handle your information in accordance with applicable data-protection law.

5. Retention and deletion

We retain your account information for as long as your account is active. You can delete your account at any time from Settings → Danger Zone; deletion immediately removes your decks, favourites, friendships, sessions, and OAuth links. Your Stripe subscription is cancelled as part of the same flow.

Feedback you previously submitted may be retained in anonymized form (with your user reference removed) so that we can continue to improve the Service. Backup copies of database state are retained for up to 30 days for disaster recovery and then expire automatically.

6. Security

We use HTTPS everywhere, hash passwords with industry-standard algorithms, scope database access via short-lived credentials, and rate-limit sensitive endpoints. No system is perfectly secure; if you suspect your account has been compromised, contact us immediately.

7. International transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the US, your information will be transferred to, and processed in, the United States.

8. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, or export your personal information, or to object to certain processing. You can exercise most of these rights directly from the settings page; for anything else, contact us at the address below and we will respond within a reasonable timeframe.

9. Children

The Service is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided us with information, please contact us so that we can delete it.

10. Changes

We may update this policy from time to time. Material changes will be announced via in-app notice or email.

11. Contact

Questions or requests? Email danryanchan@gmail.com.