Privacy Policy
Last updated: May 30, 2026 · Effective: May 30, 2026
At CollectVaultr we value your privacy. This document fulfills our disclosure obligation under Turkey's Personal Data Protection Law No. 6698 (KVKK), Article 10 and the European Union General Data Protection Regulation (GDPR).
In short: Your data belongs to you. We only keep it to operate the service, and you can delete it at any time.
Note on language: This English version is provided for accessibility. The Turkish version is the legally binding text for KVKK purposes. Both versions describe the same practices.
1. Data Controller Identity
- Service: CollectVaultr (PWA — Progressive Web App)
- Website: collectvaultr.com
- Data controller: Cansın Çetinkaya (individual developer / sole proprietor)
- Controller status: Citizen of the Republic of Türkiye, individual/personal development — below the VERBİS (Data Controllers' Registry) thresholds (fewer than 50 employees and an annual balance sheet below the Board-defined threshold), therefore exempt from VERBİS registration. This exemption covers registration only; all other KVKK obligations (disclosure, data security, data-subject rights) apply in full.
1.1. How to Exercise Your Rights (KVKK Article 13)
To exercise your rights under KVKK Article 11 / GDPR (erasure, rectification, portability, etc.), you can reach us through:
- 📧 Direct email (recommended, fastest): [email protected] — put "KVKK Request" in the subject line. Written response within 30 days (KVKK Article 13/2).
- ⚡ Self-service (instant): In-app Account → Delete My Account — your data is erased immediately and irreversibly (Article 7).
- 📂 Data export (Article 11/d — portability): Account → Download My Data — a JSON export of all your personal data, instantly.
- 💬 In-app form: the "Feedback" button at the bottom of every page (for general questions).
- 📝 GitHub Issues (public alternative): github.com/CilekliNesquik/tcg-vault/issues — for requests that do not contain personal data.
⚠️ Note: We do not maintain a KEP (Registered Electronic Mail) address (not mandatory for individual use). Your right to complain to the Turkish Data Protection Board (Article 14) is always reserved: kvkk.gov.tr.
2. Categories of Personal Data Processed
- Identity data: Username (you choose, optional)
- Contact data: Email address (for sign-in/authentication and transactional email)
- Usage data: Cards you add, your collection (TCG cards as well as Hot Wheels/diecast cars), trades, folders, notes, price history
- Visual data: Photos you upload for card scanning (only card images are accepted; NO content showing your face or ID)
- Transaction security data: IP address (stored only as a hash — never in plain form — for rate-limit + security logs), user-agent (browser family only, e.g. "Safari/iOS"; full string not stored), session token (Supabase Auth)
- Technical data (optional): Anonymous stack traces sent to Sentry when an application error occurs (no PII)
Categories NOT processed: Location, financial data (credit card / account), health data, biometric data, race / ethnicity, religious belief, political opinion, sexual orientation.
3. Purpose & Legal Basis of Processing
Your personal data is processed based on KVKK Article 5/2-c (performance of a contract), 5/2-ç (legal obligation), 5/2-e (establishment / defense of rights), and 5/2-f (legitimate interest):
- Creating your account and authenticating you (email/password, email magic-link, or Google sign-in)
- Displaying your collection and letting you edit it
- Sending photos to the AI service (Anthropic Claude Vision) for card recognition
- Querying third-party APIs (PriceCharting, Scryfall, eBay, etc.) for price data using only card/product set + name
- Keeping operational audit logs for service security
- Complying with legal obligations (KVKK, GDPR requests)
WE DO NOT SELL your data to third parties. WE DO NOT USE it for advertising. WE DO NOT PROFILE you to make decisions on your behalf.
4. Automated Processing (AI)
The app performs some operations using automated (AI) systems:
- Card recognition: The photo you upload is sent to Anthropic Claude Vision API; set code, name, and rarity are detected. This is not a decision that affects your rights — it is purely informational extraction.
- Smart Insights: A summary of your collection (card counts, values) is sent to Claude, which generates recommendation text. It has NO decision-making authority.
- Auto-tagging: Suggests keywords from card names; you approve them.
If you're unhappy with AI outputs, you can reject them, edit manually, or disable AI features.
5. Where and With Whom We Share Your Data
Your data is transferred to the following data processors only for service quality:
- Supabase Inc. (USA) — Database + Auth + Storage. Data is stored on EU and US servers. supabase.com/privacy
- Render Inc. (USA) — Backend hosting. render.com/privacy
- Google LLC (USA) — optional "Sign in with Google" (OAuth) authentication. Your email is obtained via Google only if you choose this method. policies.google.com/privacy
- Resend, Inc. (USA / EU-Ireland) — transactional email delivery (sign-in link, email verification, price alerts). Only your email address is shared. resend.com/legal/privacy-policy
- eBay Inc. (USA) — sold/active listing price queries (Browse API). Only the card/product name & set code are sent — no personal info.
- Anthropic PBC (USA) — AI card recognition + insights. Anthropic does not use API data for model training; retention periods are governed by Anthropic's current commercial agreement. anthropic.com/legal/privacy
- Cloudflare Inc. (USA) — CDN + DDoS protection. cloudflare.com/privacypolicy
- PriceCharting / Scryfall / Pokémon TCG API / Lorcast / YGOPRODeck / Digimon API / Limitless — Price & metadata queries. Only card set code & name are sent — no personal info.
- Sentry.io (optional, USA) — Anonymous error reports. sentry.io/privacy
International transfer: Due to the nature of the service (the data processors above are based in the US/EU), your data is transferred abroad. When you register with email/password, we obtain your separate, explicit consent for this transfer via a checkbox on the registration form, in line with KVKK Article 9; registration via this method cannot be completed without it. If you choose Google sign-in or the email link (magic-link), this Privacy Policy is available to you before you are redirected, and by continuing you consent to the international transfer described here. Regardless of method, you can withdraw consent and have your data erased at any time via Account → Delete My Account.
6. Data Retention
- Data is retained as long as your account is active
- Deleted cards stay in the trash for 30 days (recoverable), then permanently deleted automatically
- When you delete your account, all your data is immediately and permanently deleted (KVKK Article 7 — erasure / destruction / anonymization)
- Audit logs (security records) are retained for 1 year as required by legal obligation, then deleted
- The card-recognition cache (Vision result — set code/name/rarity extraction) is kept for at most 90 days, then deleted automatically
7. Data Subject Rights (KVKK Article 11 / GDPR)
You have the following rights:
- Right to be informed: Learn what data is processed
- Right of access: Settings → "Download JSON" to export all your data (data portability)
- Right to rectification: Edit incorrect data anytime
- Right to erasure ("right to be forgotten"): Settings → "Delete My Account" — one click, irreversible
- Right to object to processing: You can disable AI features; if you object to all processing, you must stop using the service
- Right to restriction: Request to halt specific processing
- Right to compensation: Seek damages if data is processed unlawfully
- Right to complain: File a complaint with the Personal Data Protection Authority of Turkey (KVKK)
How to submit a request: Use the in-app "Feedback" form or open a ticket on GitHub Issues. We respond free of charge within 30 days (KVKK Article 13).
8. Cookies and Local Storage
CollectVaultr does NOT use third-party advertising/tracking cookies. We only use the following:
- localStorage / IndexedDB: Stored on your device, not sent to the server. Contents: theme preference, short-term cache, offline support.
- Session token (Supabase Auth): Placed on your device after sign-in; only you can access it (HttpOnly, SameSite).
- Referral cookie: If you arrive via an invite link, kept for 30 days, then deleted. Not for ads.
You can delete this data anytime via browser settings (Settings → Privacy → Clear Site Data).
9. Data Security
For the security of your data:
- HTTPS (TLS 1.3) enforced — Strict-Transport-Security (1 year)
- Content Security Policy (CSP), X-Frame-Options DENY, COOP/CORP headers
- Database access protected by Row Level Security (RLS) policies that restrict each row to the user who owns it
- Optional 2FA (TOTP) support
- Regular security audits (advisor + dependency security scan)
- Sign-in methods: email/password, email magic-link, and Google sign-in. Passwords are stored by Supabase Auth using strong hashing (bcrypt) — never in plain text.
10. Children's Privacy
We do not knowingly collect data from users under 13 (COPPA / GDPR Article 8). If you are a parent and believe your child has uploaded data, contact us and we will delete it immediately.
11. Changes to This Policy
Material changes are announced via the in-app notification system at least 7 days before they take effect. The date at the top of this page is updated accordingly. If you do not accept a change, you can delete your account.
12. Contact & Requests
For all KVKK / GDPR requests:
- Send a message via the in-app "Feedback" button (response: 30 days)
- Open a ticket on GitHub Issues
- Delete your account: Settings → "Delete My Account" (instant)