# Scouter — Privacy Policy

**Effective date:** 2026-04-30
**Last updated:** 2026-04-30

> ⚖️ **Disclaimer.** This document is a working draft based on the data practices Scouter actually implements as of the effective date above. It is not legal advice. Before publishing this policy publicly or submitting it to the Google Play Store, have it reviewed by a qualified attorney in your jurisdiction. The author of this draft is the Scouter project owner and is not a lawyer.

---

## 1. Who we are

"Scouter" (the "App") is a personal trading-card-game collection tracker for the Dragon Ball Super Card Game. It is operated as a personal project by **Asaf Pras** ("we", "us"), based in Israel.

Contact for privacy questions: **aspras01@gmail.com**

## 2. What this Policy covers

This Policy describes:

- What information we collect when you use Scouter (web PWA at `https://dbscouter.com/` and the Android app);
- How we use that information;
- Who we share it with;
- The security measures we take;
- Your rights and how to exercise them.

It does **not** cover third-party services you reach by clicking a link in Scouter (for example, eBay listings). Their privacy practices are governed by their own policies.

## 3. Information we collect

### 3.1 Account information you provide

When you sign in to Scouter we receive, from your authentication provider (Google or email magic-link):

- Your email address;
- Your display name (if your provider supplies one);
- Your avatar URL (if your provider supplies one).

If you choose to set a `username`, share-link toggle, or display preferences in Settings, we store those values too.

### 3.2 Collection and usage data

When you use the App, we store:

- The cards you mark as owned (card code, condition, foil/graded status, quantity, date added);
- Cards you add to your wishlist (target price, alert preferences);
- Scan-attempt metadata (which card was matched and the confidence level, but **not** the camera image itself);
- A push-notification token if you opt in to wishlist alerts (used only to deliver those alerts).

### 3.3 Information collected automatically

- Standard server logs (IP address, user-agent, timestamps) handled by our hosting providers (Supabase, Vercel) for the duration their respective policies allow;
- Anonymous service-worker telemetry (which screens loaded, errors encountered) used to fix bugs.

### 3.4 What we do NOT collect

- We do **not** upload your camera frames to any server. Card scanning is performed entirely on your device; only the resulting matched card code is sent (in order to look up its catalogue entry).
- We do **not** collect your contact list, location, microphone audio, SMS, or any data outside the App.
- We do **not** collect biometric data.
- We do **not** access photos, files, or media outside the camera view shown to you while the scanner is open.

## 4. How we use information

We use the information described above to:

- Provide the core App functionality (sync your collection across devices, render the price banner, send wishlist alerts you opted into);
- Authenticate your account;
- Show you a personalised dashboard;
- Diagnose and fix bugs;
- Comply with applicable law.

We do **not** sell your data to third parties.
We do **not** use your data to train AI/ML models.
We do **not** show third-party advertising inside the App.

## 5. Who we share information with

We use the following sub-processors strictly for the operation of Scouter:

| Sub-processor | Purpose | Region | Privacy policy |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) | https://supabase.com/privacy |
| Vercel | PWA hosting + edge cache | Global | https://vercel.com/legal/privacy-policy |
| Lemon Squeezy | Subscription billing + Merchant of Record (only if you upgrade to Pro) | Global | https://www.lemonsqueezy.com/privacy |
| Firebase Cloud Messaging | Push-notification delivery (only if you opt in) | Global | https://firebase.google.com/support/privacy |
| TCGplayer / TCGCSV | Public card-price data ingest (data flows IN; no PII flows out) | US | https://help.tcgplayer.com/hc/en-us/articles/216463757 |
| eBay Browse API | Active card-listing prices ingest, used to compute the price ranges shown in the App. Data flows IN only — Scouter sends no user data to eBay. | Global | https://www.ebay.com/help/policies/member-behaviour-policies/user-privacy-notice-privacy-policy?id=4260 |
| Frankfurter (ECB) | Daily currency exchange rates so the price banner can display in your local currency | EU | https://www.frankfurter.app/ |

We share information with these providers only to the extent needed to deliver the service.

We will disclose your information to law enforcement only when required by valid legal process, and only to the extent strictly required.

## 6. International transfers

Some sub-processors above operate servers outside Israel/the EU. Where applicable, we rely on each provider's own Standard Contractual Clauses (or equivalent) for cross-border transfers.

## 7. Data retention

- Collection items, wishlist items, and account profile: retained as long as your account is active. Deleted within 30 days of account deletion.
- Scan logs: retained 90 days, then anonymised.
- Push tokens: retained until you uninstall the App or revoke notification permission.

You can request immediate deletion at any time (see §8).

## 8. Your rights

Depending on your jurisdiction (GDPR, CCPA, Israel Privacy Protection Law, etc.), you have the following rights:

- **Access** — see what personal data we hold about you;
- **Correction** — fix inaccurate data;
- **Deletion** — request that we delete your account and associated personal data;
- **Portability** — export your collection data in a machine-readable format (CSV / JSON);
- **Withdraw consent** — opt out of push notifications, share links, or marketing communications at any time.

### How to exercise these rights

- **Account deletion** — Settings → "Delete my account". This removes your collection, profile, wishlist, and push tokens within 30 days.
- **Export** — Settings → "Export collection". Returns CSV.
- **Revoke push notifications** — Settings → toggle "Wishlist alerts" off, or revoke notification permission at the OS level.
- **Email request** — for any other request, write to **aspras01@gmail.com**. We respond within 30 days.

## 9. Children's privacy

Scouter is not intended for use by children under 13. We do not knowingly collect personal data from children under 13. If a parent or guardian becomes aware that a child has provided personal data without consent, please email **aspras01@gmail.com** and we will delete the data promptly.

## 10. Security

We protect your data with industry-standard measures:

- HTTPS/TLS for all network traffic;
- Row-level security (RLS) on every database table — no user can read or modify another user's data;
- Column-level grants for sensitive columns (subscription state, beta flag, share token);
- Lemon Squeezy webhook signatures verified on every payment event;
- No production secrets bundled into the client.

No system is perfectly secure. Report a security issue to **aspras01@gmail.com** and we will respond within 72 hours.

## 11. Cookies and similar technology

The PWA uses `localStorage` and `IndexedDB` to remember:

- Your sign-in session (Supabase Auth);
- Your theme + currency preferences;
- A local cache of your collection so the App works offline.

We do not use cookies for advertising or cross-site tracking.

## 12. Changes to this Policy

We may update this Policy when our data practices change. The "Last updated" date at the top of this document reflects the most recent change. Material changes will be announced inside the App at least 14 days before they take effect.

## 13. Contact

Privacy questions, data requests, complaints:

> **Asaf Pras**
> Hatanaim 10, Tel Aviv 6920910, Israel
> **aspras01@gmail.com**
