Privacy Policy

• Your portfolio is yours. We don't sell it, and only you can read it.
• Public profiles only show what you explicitly mark public.
• We log normal web-server stuff (IP, user agent) for security.
• We use Supabase for auth + storage and Vercel for hosting.
• You can delete your account and data at any time.

When you use Poke Vendor we collect:

• Account info: email + password hash (managed by Supabase Auth — we never see plaintext passwords).
• Portfolio data: every buy/sell entry you log (card, quantity, price, date, notes, location, grade, condition). Stored in our Supabase database, scoped to your user ID.
• Profile data: optional username, display name, bio, contact email/Discord — only if you fill them in.
• Server logs: standard web traffic (IP address, user agent, page paths) retained briefly for security and debugging.

We do not use third-party advertising trackers, fingerprinters, or session-recording tools. We do not sell or rent your personal data to anyone, ever.

By default, your portfolio is private. Nothing is public until you opt in. When you create a public profile and mark a card "public" or "for sale," the public showcase page (/u/[username]) shows ONLY:

• The card itself (name, set, image, grade, condition, variant)
• Whether it's for sale, and your asking price (if you set one)
• Your username, display name, bio, and contact info you chose to publish

Your cost basis, profit margins, free-text notes, inventory location, and audit timestamps are never exposed on a public page. We use Supabase Row Level Security plus application-level column allowlisting to enforce this.

We rely on these services to run Poke Vendor:

• Supabase (auth + database) — their privacy policy
• Vercel (hosting) — their privacy policy
• pokemontcg.io / TCGCSV — public card-data APIs we query server-side for prices and metadata. They see the cards you query but not who you are.

We use cookies for authentication (managed by Supabase) and browser local storage to cache your portfolio for offline access and faster loads. We do not use tracking, advertising, or third-party cookies.

You can, at any time:

• Export your full portfolio as CSV (Portfolio → Export CSV).
• Delete individual entries or your entire account.
• Request a copy of all data we hold about you, or its full deletion, by contacting us.
• If you're in the EU/UK or California, you have additional rights under GDPR / CCPA — contact us and we'll honor them.

Poke Vendor is not directed at children under 13. We don't knowingly collect data from anyone under 13.

If we materially change how we handle data, we'll update the "Last updated" date above and notify signed-in users via an in-app banner before the change takes effect.

Questions about this policy or your data? Open an issue or contact the project maintainer through the link in your account settings.