Privacy Policy
Effective Date: April 23, 2026
This Privacy Policy describes how PokeScreener ("PokeScreener", "we", "us", or "our") collects, uses, shares, and protects personal data when you use the PokeScreener website (pokescreener.com) and the PokeScreener Card Scanner mobile application (together, the "Service"). This policy is written to comply with the EU General Data Protection Regulation (GDPR) and the Dutch implementing act (UAVG).
1. Who We Are (Data Controller)
The data controller for personal data processed through the Service is:
- Mertcan Dundar Esmergul, operating as PokeScreener
- Amsterdam, the Netherlands
- Contact: contact@pokescreener.com
2. Data We Collect
2.1 Account data
When you sign up or sign in, we receive the following from our identity provider (Auth0) depending on which sign-in method you choose:
- Email address
- Name and profile picture (if provided by your Google, Apple, or other social login)
- A unique user identifier (Auth0 "sub" ID)
- Authentication timestamps and tokens
If you use Sign in with Apple with email relay enabled, Apple provides us with a private relay email address instead of your real email. Email forwarding is managed by Apple.
2.2 Card scans and images
When you use the card scanner, frames captured by your device camera are transmitted to our backend servers for card recognition. These images are processed to identify the card and are not retained for longer than necessary to complete the recognition and log associated events. Images are linked to your account via your authentication token.
2.3 Collection and portfolio data
Cards you add to collections, collection metadata, purchase prices and conditions you enter, and aggregated portfolio value history are stored on our servers so you can access them across devices.
2.4 Subscription and payment data
If you subscribe to PokeScreener Pro:
- Web (Stripe): Stripe processes your payment and provides us with your subscription status, plan, renewal date, customer ID, and country. We do not receive or store your full card number.
- iOS (Apple In-App Purchase): Apple processes the payment. We receive a signed transaction receipt from StoreKit containing the product ID, transaction ID, subscription status, and an anonymous app account token used to link the purchase to your account. We do not receive your Apple ID or payment details.
2.5 Usage and device data
We collect the following through our product analytics provider (PostHog) and, on the website, through Google Analytics and Amplitude:
- Pages viewed, screens opened, features used, buttons tapped
- Card searches, scan events, collection edits, paywall views
- Device model, operating system version, app version, language, country (inferred from IP)
- An anonymous device/session identifier assigned by the analytics SDK
- Approximate IP address (truncated where possible)
PostHog session replay is enabled in the iOS app with text inputs and images masked at the SDK level so sensitive content is not recorded.
2.6 Camera permission (iOS)
The app requests access to your camera to scan physical Pokémon cards. The camera is only active while the scanner screen is open. We do not access your photo library unless you explicitly import an image.
2.7 Cookies and local storage
The website uses cookies and similar technologies. See our separate Cookie Policy for details and to manage your preferences. The mobile app uses on-device local storage (UserDefaults) for session state, onboarding progress, language preference, and cache metadata.
3. Why We Process Your Data (Legal Bases)
Under GDPR Article 6, we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — to create and maintain your account, process card scans, store your collections, deliver Pro features, and handle subscription billing.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, debug issues, and improve the product using aggregated analytics. We have balanced our interests against your rights and believe this processing is proportionate.
- Consent (Art. 6(1)(a)) — for non-essential cookies, third-party analytics on the website, and any optional marketing communications. You can withdraw your consent at any time.
- Legal obligation (Art. 6(1)(c)) — to retain invoicing, tax, and transaction records for the period required by Dutch and EU law.
4. Who We Share Data With
We do not sell your personal data. We share it only with the following categories of processors and only to the extent necessary to operate the Service:
- Auth0 (Okta, Inc.): Authentication and identity management. Processes your email, name, and user identifier. Hosted in the EU region where available.
- Apple Inc.: Sign in with Apple, iOS In-App Purchase processing, and App Store distribution. Governed by Apple's own privacy policy.
- Stripe, Inc.: Payment processing for web subscriptions. Stripe acts as an independent data controller for payment data and as our processor for subscription metadata.
- PostHog: Product analytics and session replay (EU-hosted instance). Receives events, screen views, and user identifiers.
- Google LLC (Analytics & Tag Manager): Website analytics. Loaded only after you grant consent via our cookie banner. IP anonymization is enabled where supported.
- Amplitude, Inc.: Website product analytics. Loaded only with consent.
- Cybot A/S (Cookiebot): Cookie-consent management on the website.
- Hosting & infrastructure providers: Our backend and database are hosted with reputable cloud providers under data processing agreements. Contact us if you need the current list.
We may also disclose data where required by law, regulation, legal process, or governmental request, and to protect our rights, property, or safety or that of our users.
5. International Transfers
Some of our processors are located in the United States or other countries outside the European Economic Area (EEA). Where data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses, on the EU–U.S. Data Privacy Framework where applicable, and on additional technical and organizational measures to protect your data.
6. Data Retention
- Account data and collections: retained for as long as your account exists. Deleted within 30 days of account deletion, except where longer retention is required by law.
- Card scan images: retained only as long as needed for recognition and short-term debugging (typically 30 days maximum).
- Subscription and billing records: retained for up to 7 years as required by Dutch tax law.
- Analytics events: retained for up to 24 months in aggregated form.
- Server logs: up to 90 days, then deleted or fully anonymized.
7. Your Rights (GDPR)
If you are in the EU, UK, or EEA, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data. You can delete your account directly in Profile → Delete Account.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format. You can also export your collections to CSV directly from the app.
- Objection — object to processing based on legitimate interests, including for analytics.
- Withdraw consent — at any time, for any processing that relies on consent.
- Complain — lodge a complaint with your local supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens.
To exercise any of these rights, email contact@pokescreener.com. We will respond within one month.
8. Children's Privacy
The Service is not directed at children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal data from children under that age. If you believe we have inadvertently collected data from a child, contact us and we will delete it.
9. Security
We use industry-standard technical and organizational measures to protect your data, including TLS in transit, encryption at rest for sensitive fields, access controls, and regular security updates. No system is 100% secure; if we ever experience a breach that affects your data, we will notify you and the relevant supervisory authority in accordance with GDPR.
10. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top and, for material changes, notify you by email or in-app notice before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact
For any privacy-related questions or requests: contact@pokescreener.com