Privacy Policy
Effective: 5 July 2026
CardLoft (“CardLoft”, “we”, “us”) is a web application for identifying, valuing, organising, and trading collectible trading cards. It is operated by Matthew Barnes in Australia. This policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using CardLoft at cardloft.app, you agree to this policy.
Information we collect
- Account information. When you sign in with Google, we receive your email address, display name, and profile photo through Firebase Authentication. You can also use some tools (such as Card Me) with an anonymous session that has no profile.
- Profiles. A display name for each profile you create, including supervised profiles that a guardian manages.
- Cards and collections. Photos you take of your cards (stored as compressed images), the card details you or the app record (such as player, set, year, and condition), and estimated valuations.
- Groups, trades, and offers. The invite-only groups you join, cards you post to them, and offers or trades you make.
- eBay connection. If you connect an eBay account, we store an eBay authentication token and records of the listings you create (see the eBay section below).
- Preferences and app state. Settings such as your display currency, theme, active profile, and news preferences.
- Usage and device data. Product-analytics events, approximate usage, and technical data (such as browser type) collected to run and improve the service and to prevent abuse.
How we use your information
- To provide the core features — identifying and valuing cards, organising your collection, and trading within your groups.
- To create eBay listings on your instruction, when you use the eBay integration.
- To operate, secure, debug, and improve the service, including preventing fraud and abuse.
- To communicate with you about the service where necessary.
eBay integration
Connecting eBay is optional. If you choose to connect your eBay account:
- We store an eBay authentication (OAuth) token so the app can create listings in your own eBay account on your instruction. This token is stored securely on our servers and is not visible to other users. CardLoft is not the seller — listings are created in your eBay account.
- When you list a card, the photos of that card are copied to our image hosting and made available at a public link so eBay can display them in your listing.
- We keep a record of the listings you create through CardLoft (such as the eBay listing ID and status) so we can show them to you and update their status.
- You can disconnect eBay at any time from within the app. This deletes the stored eBay token and our records of your CardLoft-created listings. Disconnecting does not remove listings already live in your eBay account — manage those in eBay.
- We honour eBay’s account deletion and closure notifications: when eBay tells us an account has been closed, we delete the related information we hold.
AI processing of card photos
To identify and value a card, the photo and card details you submit are processed by third-party AI services (including Google and Anthropic). We use these services only to return the identification, valuation, or generated image you requested. Photos submitted to the Card Me / Cardify image tools are sent to the model to generate your card and are not retained by us.
Who we share information with
We do not sell your personal information. We share it only with service providers that help us run CardLoft, and only as needed:
- Google Firebase — authentication, database, image storage, and hosting.
- Google and Anthropic — AI services for card identification, valuation, and image generation.
- eBay — only when you use the eBay integration, to create and manage your listings.
- PostHog — product analytics.
- Authorities or others where required by law, or to protect the rights, safety, and security of CardLoft and its users.
Cookies and local storage
CardLoft uses cookies and browser storage to keep you signed in, remember your active profile and preferences, cache data for performance, and support analytics and abuse prevention. You can clear these through your browser, though some features may stop working.
Data retention and your choices
- You can delete individual cards from your collection at any time.
- You can disconnect eBay to remove the stored eBay token and your CardLoft listing records.
- You can request deletion of your account and associated data by contacting us at contact@cardloft.app.
- We keep information for as long as needed to provide the service and for legitimate legal, security, and operational purposes.
Children and supervised profiles
CardLoft supports supervised profiles that a guardian creates and manages. Supervised profiles are intended to be set up and overseen by a responsible adult, who is responsible for the information added to them. CardLoft is not directed to children without guardian involvement.
Security
We use measures including access rules on our database, app-integrity checks, and server-side storage of sensitive tokens (such as your eBay token) to protect your information. No method of transmission or storage is completely secure, but we work to protect your data.
International data transfers
CardLoft is operated from Australia and runs on Google Cloud infrastructure. Your information may be stored and processed on servers located outside your country, including by the service providers listed above.
Changes to this policy
We may update this policy from time to time. When we do, we will change the effective date above, and significant changes may be highlighted in the app.
Contact
Questions about this policy or your data? Contact us at contact@cardloft.app.