Privacy Policy
Last updated: March 2026
MetaScout TCG ("we", "our", or "us") is committed to protecting your privacy. This policy explains what information we collect, how we use it, the legal basis for processing, and your rights.
1. Information We Collect
We collect the following information when you use MetaScout:
- Camera images: Photos you take within the app are sent to our AI scanning service to identify the card. Images are not stored after processing.
- Collection data: Cards you add to your collection are stored locally on your device and, if you create an account, synced to our secure servers.
- Email address: If you sign up for launch notifications or create an account, we store your email address.
- Usage analytics: If you consent, anonymous data about which screens and features you use, to help us improve the app. No personally identifiable information is collected.
- Crash reports: If you consent, anonymous error reports (stack trace, device model, OS version) are sent to Sentry for debugging. No personal data is included.
- Audit logs: We record authentication events and API usage for security monitoring and abuse prevention. These logs are automatically deleted after 90 days.
- Login activity: We record a hashed (non-reversible) version of your IP address, approximate country, and device type when you log in. This data is used solely to detect unauthorized account sharing and protect your account. Login records are automatically deleted after 90 days.
- Device identifiers: The app generates a random device identifier stored locally on your device. This is used for rate limiting and security purposes only — it is not linked to advertising or tracking profiles.
- Usage pattern monitoring: We monitor for unusual usage patterns (such as high scan velocity or device rotation) to detect fraud and prevent account abuse. If anomalies are detected, your account may be reviewed. This processing is based on our legitimate interest in preventing fraud.
2. Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and authentication | Performance of contract (Art. 6(1)(b)) |
| Collection and deck sync | Performance of contract (Art. 6(1)(b)) |
| Card scanning and AI identification | Performance of contract (Art. 6(1)(b)) |
| Usage analytics (PostHog) | Consent (Art. 6(1)(a)) — opt-in on first launch |
| Crash reporting (Sentry) | Consent (Art. 6(1)(a)) — opt-in on first launch |
| Login activity and IP hash logging | Legitimate interest (Art. 6(1)(f)) — account security and fraud prevention |
| Usage anomaly detection | Legitimate interest (Art. 6(1)(f)) — fraud prevention |
| Audit logs | Legitimate interest (Art. 6(1)(f)) — security monitoring |
| Marketing emails | Consent (Art. 6(1)(a)) — opt-in only |
For processing based on legitimate interest, we have conducted an assessment to ensure our interests do not override your rights and freedoms. You may object to legitimate interest processing by contacting us.
3. How We Use Your Information
- To identify trading cards using AI vision services
- To fetch and display live market price data from third-party APIs
- To sync your collection across devices (if you create an account)
- To send launch notifications and product updates (only if you opted in)
- To improve app performance and fix bugs (only with your consent)
- To provide AI-powered battle strategy analysis and deck recommendations
- To detect and prevent unauthorized account sharing and abuse
- To monitor for fraudulent usage patterns and protect the platform
4. Third-Party Services
MetaScout uses the following third-party services:
- AI Vision API (Google Gemini) — processes card images for identification. Subject to Google's privacy policy.
- Scryfall — provides MTG card price data. Scryfall API.
- YGOProDeck — provides Yu-Gi-Oh! card data. YGOProDeck API.
- TCGTracking — provides card price data for multiple games.
- Supabase — provides backend database and authentication services. Supabase privacy policy.
- Sentry — collects crash reports (with your consent). Sentry privacy policy.
- PostHog — collects usage analytics (with your consent). PostHog privacy policy.
- eBay — external marketplace links. Some links may be affiliate links; MetaScout may earn a commission at no extra cost to you. eBay privacy policy.
5. Data Storage and Security
Your collection data is stored securely using Supabase (hosted on AWS). We use industry-standard encryption for data in transit (TLS 1.2+) and at rest. Card images are processed in real-time and are not permanently stored on our servers. IP addresses are hashed using SHA-256 before storage and cannot be reversed to identify you.
6. Data Sharing
We do not sell your personal data. We only share data with third parties as necessary to provide the service (as described in Section 4). All third-party processors are bound by data processing agreements.
7. Your Rights
Under GDPR and applicable privacy laws, you have the right to:
- Access — request a copy of all personal data we hold about you. You can export your data directly from the app.
- Rectification — request correction of inaccurate personal data.
- Erasure — request deletion of your account and all associated data. You can delete your account from the app settings, or contact us.
- Data portability — receive your data in a structured, machine-readable format (JSON). Use the "Export My Data" feature in the app.
- Restriction — request that we limit processing of your data.
- Object — object to processing based on legitimate interest (e.g., fraud detection logging).
- Withdraw consent — withdraw consent for analytics and crash reporting at any time via app settings. This does not affect the lawfulness of processing before withdrawal.
- Opt out of marketing emails at any time.
We will respond to all data subject requests within 30 days. Contact us at privacy@metascouttcg.com.
8. Children's Privacy
MetaScout is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
9. Data Retention
We retain your data as follows:
| Data Type | Retention Period |
|---|---|
| Account data (email, collection, decks) | Until you delete your account |
| Card images | Processed in real-time, never stored |
| Audit and login logs | Automatically deleted after 90 days |
| Crash reports (Sentry) | 90 days |
| Usage analytics (PostHog) | Per PostHog's retention policy |
| Usage anomalies | Deleted after resolution or 90 days, whichever is sooner |
10. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States (where our infrastructure providers operate). For transfers from the EU/EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission with our data processors (Supabase, Sentry, PostHog). We implement supplementary measures including encryption in transit and at rest to ensure your data remains protected.
11. Automated Decision-Making
We use automated systems to detect unusual usage patterns (e.g., account sharing, fraud). These systems may flag your account for review but do not make fully automated decisions that significantly affect you. Any account restrictions are reviewed by a human before being applied permanently.
12. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information we collect, request its deletion, and opt out of its sale. We do not sell personal information. To exercise your rights, contact us at privacy@metascouttcg.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via the app or email. Continued use of the app after changes constitutes acceptance of the updated policy.
14. Contact
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at privacy@metascouttcg.com.
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.