Privacy Policy
1. What we collect
When you create an account we store:
- Name — displayed in your account
- Email address — used to sign in and send release emails (if opted in)
- Hashed password — never stored in plaintext (bcrypt)
- OAuth identifiers and tokens — if you sign in with Google; tokens are used to maintain your session
- Saved decklists — names, card lists, and tags you choose to save
- Session metadata — IP address and browser user agent, retained for security and fraud prevention
If you submit a message via our contact form we store your name (optional), email (optional), and message text.
If you join our mailing list we store your email address and the IP address and timestamp of your opt-in for legal compliance purposes.
We do not collect payment information or location data.
2. How we use it
Your data is used solely to:
- Authenticate you and maintain your session
- Store and retrieve your saved decklists
- Send transactional emails (account-related, mailing list confirmations)
- Send occasional product update emails to mailing list subscribers (you can unsubscribe at any time)
- Respond to contact form messages
- Understand aggregate site usage (analytics — only with your consent)
We never sell, rent, or share your personal data with third parties for marketing purposes.
3. Authentication
Sessions are managed by Better Auth. A session cookie (better-auth.session_token) is set on sign-in and cleared on sign-out. Session records include your IP address and browser user agent for security auditing and are retained for the duration of the session.
4. Analytics and cookies
We use Google Tag Manager and Google Analytics to understand how the site is used (page views, navigation patterns). These tools set cookies and send data to Google's servers. Analytics are only loaded after you give consent via the cookie banner.
You can withdraw consent at any time by clearing your browser's local storage for this site, or by declining in the cookie banner if it is shown again after clearing.
The only strictly necessary cookie we set without consent is the session token (better-auth.session_token), which is required for account functionality.
5. Card images
Card images are fetched directly from Scryfall's API by your browser. We do not proxy or store card images. Scryfall's own privacy policy applies to those requests.
6. Third-party services
We use the following third-party services to operate the site:
- Resend — transactional email delivery (account emails, mailing list)
- Google OAuth — optional sign-in via Google account
- Scryfall — card data and images
- Sentry — error monitoring (we do not send personally identifiable information to Sentry)
- Google Tag Manager / Google Analytics — usage analytics (consent required)
- Amazon Associates — some blog post links are affiliate links that earn a small commission at no cost to you
These services may process data outside your country. Google and Amazon operate under Standard Contractual Clauses for data transfers from the EU.
7. Data retention
- Account data — retained while your account is active
- Session records — retained until the session expires or you sign out
- Contact form messages — retained for 90 days, then deleted
- Mailing list — retained until you unsubscribe; unsubscribed records are kept for 30 days, then purged
You can permanently delete your account and all associated data yourself at any time from Account → Settings. You may also request deletion by contacting us, and we will action such requests within 30 days.
8. Your rights
If you are in the EU or UK you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request erasure of your data ("right to be forgotten")
- Restrict or object to processing
- Request a portable copy of your data
- Withdraw consent for analytics at any time
You can exercise two of these rights instantly and without contacting us, from Account → Settings:
- Data portability / access — download a machine-readable JSON copy of your account data (profile, saved decks, and consent records)
- Erasure — permanently delete your account and all saved decks (we email a confirmation link to complete the deletion)
To exercise any other right, contact us and we will respond within 30 days.
9. California & US state privacy rights
If you are a California resident, the CCPA/CPRA gives you the right to know what personal information we collect, to request a copy of it, to request its deletion, and to not be discriminated against for exercising these rights. Residents of other US states with comparable privacy laws have similar rights.
We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising. You can access and delete your data yourself from Account → Settings, or contact us to make a request. We will not discriminate against you for exercising any of these rights.
10. Security
Passwords are hashed using bcrypt. Connections are encrypted via HTTPS. We take reasonable measures to protect your data but cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you within 72 hours of becoming aware of it.
11. Changes
We may update this policy as the service evolves. Material changes will be communicated via email or a notice on the site. The date at the top of this page reflects the most recent revision.
12. Contact
Questions or deletion requests? Use our contact page.