Privacy Policy
Last Updated: February 4, 2025
CardFlow ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our card scanning and identification service.
Key Points:
- We collect only the information necessary to provide our service
- Your card images are processed for identification purposes only
- We do not sell your personal information to third parties
- You can request deletion of your data at any time
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Password (stored securely using industry-standard hashing)
- Name (optional)
1.2 Card Images and Data
When you use our scanning service, we collect:
- Images of trading cards you upload
- Card identification data (player names, years, sets, etc.)
- Pricing information you add to cards
1.3 Payment Information
Payment processing is handled by Stripe. We do not store your full credit card numbers. Stripe's privacy policy governs their handling of your payment information.
1.4 API Keys
If you provide your own API keys (e.g., Anthropic Claude API key), these are stored securely and used solely to process your card identification requests. We do not share your API keys with any third parties.
1.5 Usage Data
We automatically collect:
- Log data (IP address, browser type, pages visited)
- Device information
- Usage patterns and feature interactions
2. How We Use Your Information
We use the collected information to:
- Provide and maintain our card scanning and identification service
- Process your transactions and manage your subscription
- Send you service-related communications
- Improve and optimize our service
- Detect and prevent fraud or abuse
- Comply with legal obligations
3. Third-Party Services
We use the following third-party services:
- Anthropic (Claude AI): For card identification. Card images are sent to Anthropic's API for processing. See Anthropic's Privacy Policy.
- Stripe: For payment processing. See Stripe's Privacy Policy.
- Cloudinary: For image storage (if configured). See Cloudinary's Privacy Policy.
- SlabTrack: If you link your SlabTrack account, we exchange authentication tokens. See SlabTrack's Privacy Policy.
4. Data Retention
We retain your data as follows:
- Account data: Until you delete your account
- Card images and data: Until you delete them or your account
- Usage logs: Up to 12 months
- Payment records: As required by law (typically 7 years)
5. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (HTTPS/TLS)
- Secure password hashing (bcrypt)
- Regular security assessments
- Access controls and authentication
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
6. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update or correct inaccurate data
- Deletion: Request deletion of your data
- Portability: Export your card data
- Opt-out: Unsubscribe from marketing communications
To exercise these rights, contact us at huddleeco@gmail.com.
7. Children's Privacy
CardFlow is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
9. California Privacy Rights (CCPA)
California residents have additional rights under the CCPA, including:
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
We do not sell personal information to third parties.
10. European Privacy Rights (GDPR)
If you are in the European Economic Area, you have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is contract performance and legitimate interests.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last Updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us: