Privacy Policy

Effective date: January 1, 2025

1. What We Collect

We collect only what we need to run the Service:

  • Email address — used for account authentication (magic link login) and sending pop alerts
  • PSA cert numbers — the card certificate numbers you choose to monitor
  • Telegram chat ID — only if you choose to connect your Telegram account for notifications
  • Billing information — processed entirely by Stripe; we never see or store your payment card details
  • Usage data — basic server logs (IP address, pages visited) for security and debugging

2. How We Use It

  • Authenticate you and manage your account
  • Monitor PSA population data for your watchlisted cards
  • Send pop change alerts via email and/or Telegram
  • Process subscription payments through Stripe
  • Respond to support requests
  • Improve the Service and fix bugs

We do not sell your data. We do not use your data to train AI models. We do not serve advertising.

3. Third-Party Services

We use a small number of third-party services to operate Cardboard Cove:

  • Stripe — payment processing. Stripe's privacy policy applies to payment data.
  • Resend — transactional email delivery (magic links, pop alerts)
  • Telegram — optional push notifications if you connect your account
  • Vercel — hosting and infrastructure. Server logs may be retained by Vercel per their policy.
  • PSA — we query PSA's public population data on your behalf to check your watchlisted cards

4. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance (e.g., billing records for up to 7 years).

Pop count history for your watchlisted cards is retained for the life of your account to power historical comparisons.

5. Cookies

We use a single session cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner needed.

6. Security

We use HTTPS for all data in transit. Your password is never stored — we use magic link authentication (no passwords). Database access is restricted to the application. Stripe handles all payment data in their PCI-compliant environment.

7. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account and associated data
  • Export your watchlist data
  • Opt out of non-essential communications

To exercise any of these rights, email us at hello@cardboardcove.com.

8. Children's Privacy

Cardboard Cove is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The "effective date" at the top of this page indicates when the policy was last updated.

10. Contact

Privacy questions or data requests: hello@cardboardcove.com