CollectorsStashMarket
Privacy Policy
Last updated: 2026-05-06
This translation is provided for informational purposes. The Dutch and English versions of this document are legally binding.
1. Introduction
CollectorsStashMarket.com ("we", "our") is a platform for trading-card-game (TCG) collectors. This privacy policy explains what personal data we process, why, and what rights you have under the EU General Data Protection Regulation (GDPR).
Data controller: CollectorsStashMarket, established in the Netherlands.
Contact: privacy@collectorstashmarket.com
2. Data we process
Account data
- Username (publicly visible)
- Email address (private; used for login and notifications)
- Password (stored only as a bcrypt hash)
- Account creation timestamp
Profile data (optional)
- Profile photo (publicly visible)
- Bio and location (publicly visible)
- For sellers: address, postal code, city, country, phone number, chosen shipping methods
User-generated content
- Collection items, wishlist, and price alerts
- Decks and deck cards
- Marketplace listings, including descriptions and photos you upload
- Bids on listings
- Direct messages between users
- Forum posts and replies
- Card-recognition photos (only when you actively use the scan feature)
Technical data
- IP address (used for rate limiting and abuse prevention; not linked to your account in logs)
- Session cookie (tcg_session) — required to stay signed in
- Language cookie (cv_lang) — remembers your selected language
- Browser user-agent and Accept-Language header
- API keys (only as hashes) and request usage counters for the developer API
3. Mobile app permissions (Android & iOS)
The CollectorsStashMarket mobile app requests the permissions below. Each permission is used only at the moment you trigger the related feature, never in the background. You can revoke any permission at any time in your device settings.
| Permission | Purpose |
|---|---|
| CAMERA | Scan a card for recognition, take photos for marketplace listings, take a profile photo. Used only on demand; never accessed in the background. |
| READ_MEDIA_IMAGES / READ_EXTERNAL_STORAGE | Pick photos from your gallery for your profile or a listing. We do not scan or upload other photos. |
| POST_NOTIFICATIONS | Push notifications for price alerts, bid updates, and direct messages. |
| INTERNET | HTTPS communication with our backend. |
| VIBRATE | Brief haptic feedback on certain in-app actions. |
4. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Operating your account, marketplace and collection features | Contract performance — Art. 6(1)(b) |
| Preventing fraud, spam, and abuse | Legitimate interest — Art. 6(1)(f) |
| Push and email notifications | Consent — Art. 6(1)(a). Withdrawable in account settings. |
| Tax and fraud-reporting obligations | Legal obligation — Art. 6(1)(c) |
| Improving card-recognition accuracy | Consent — only on scans you explicitly confirm. |
We do not sell your personal data, do not use it to build advertising profiles, and do not share it with ad networks.
5. Who we share data with
- Other users: in a marketplace transaction, the buyer and seller see each other's username and the shipping details required to complete the transaction.
- EU-based hosting provider: processes data as a processor under a Data Processing Agreement compliant with Art. 28 GDPR.
- Public authorities: only when legally required (court order, fraud investigation).
Price data is sourced from public and commercial TCG providers (TCGPlayer, Cardmarket, eBay, PriceCharting, Scryfall, JustTCG and others). Traffic to those sources is server-to-server and does not include your personal data.
6. International transfers
Our servers and database are located in the European Economic Area (EEA). We do not transfer personal data outside the EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).
7. Retention periods
- Account data: kept while your account is active. After deletion: erased within 30 days, except where retention is legally required.
- Marketplace transactions: up to 7 years for tax-record purposes.
- Server and API logs: maximum 90 days.
- Confirmed card-recognition photos: pseudonymized (no link to account, username, or email). You can request deletion at any time.
- Forum posts: anonymizable or removable on request.
8. Your GDPR rights
You have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erasure ("right to be forgotten"): delete your account and data — see /account-deletion.
- Restrict processing.
- Data portability: receive a machine-readable export.
- Object to processing based on legitimate interest.
- Withdraw consent, without affecting prior lawful processing.
Send a request to privacy@collectorstashmarket.com. We respond within 30 days. If you are unsatisfied, you have the right to lodge a complaint with the Dutch Data Protection Authority at autoriteitpersoonsgegevens.nl.
9. Security
- All traffic is encrypted via HTTPS/TLS.
- Passwords are stored only as bcrypt hashes.
- Sessions expire after 30 days of inactivity.
- API keys are stored only as hashes.
- The database is reachable only from the application server; no public ports are exposed.
In the event of a personal-data breach affecting your rights or freedoms, we notify the supervisory authority within 72 hours and inform affected users, as required by Articles 33-34 GDPR.
10. Children
The service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has registered, please contact us and we will delete the account immediately.
11. Changes to this policy
Material changes will be published on this page with an updated date at the top. For significant changes we additionally notify you by email or in-app message.
12. Contact
Questions, complaints, or requests: privacy@collectorstashmarket.com.