Legal
Privacy Policy
Last updated June 23, 2026The short version
We collect the data we need to run VendOS TCG for you: your account, your inventory, your sales. We do not sell it, share it with marketers, or use it to train ad models. You can download it or delete it anytime from Settings → Security.
What we collect
Most of what is below is your data: your inventory, your sales, your shop. We hold it so the app works for you across your devices and survives a lost or stolen phone, the same way a cloud notebook keeps your notes. It is not a pool we mine. We do not read, analyze, or sell your individual business data, and nobody on our side browses your books. The only times a person on our team would open your data: when you ask us to while helping you with a support issue, or when we are strictly required to keep the service running, secure, or compliant with the law.
- Account: email, password (hashed, never stored in plain text), business name, optional phone, optional profile photo.
- Your vendor data: every inventory row, transaction, show, expense, and survey response you create. This is yours. We store it on your behalf so you can reach it from any device, and you can export or delete all of it anytime.
- Photos and camera: photos you take or upload for inventory items, plus card images you capture with the scanner. We ask for camera and photo-library access only when you use these features.
- Imports: if you import a spreadsheet (CSV), the rows you upload are processed to match cards to your inventory.
- Payment data: when you subscribe, our payment processors handle your card or store-account details. We never see or store full card numbers. We keep a record of your subscription status only.
- Technical data: IP address and user agent are logged by our hosting providers (Vercel, Supabase) for security and abuse prevention.
- Two-factor authentication: if enabled, the TOTP secret is stored encrypted at our auth provider (Supabase).
How we use it
- To run the product features you signed up for.
- To authenticate you on every visit.
- Card recognition: when you use the scanner or import a spreadsheet, the card image or rows are sent to Google's Gemini API to identify the card and fill in details. Per Google's API terms, this content is not used to train their models.
- Pricing: card identifiers (name, number, set) are sent to TCGplayer and PriceCharting to look up market prices. No personal data is included.
- To improve the product based on aggregate usage. We use Vercel Analytics for page-level performance and PostHog for product analytics, which includes occasional, sampled session replays of how the app's interface is used. Every piece of on-screen text is masked: prices, profit totals, card values, names, and anything you type are blanked out and never recorded. We only see anonymized interface activity (taps, scrolling, navigation), and we honor your browser's “Do Not Track” setting to switch this off entirely. We do not run advertising trackers and we do not sell your data.
- To communicate with you about your account (password resets, security alerts).
Your rights
- Access / export: download a full JSON copy of your data from Settings → Security.
- Deletion: delete your account and every row tied to it from Settings → Security. Cannot be undone.
- Correction: edit your profile and inventory directly. For anything you can't edit yourself, email us.
- Portability: the export is plain JSON. Open it in anything.
Security
VendOS TCG uses HTTPS for everything, encrypted-at-rest databases, row-level security so vendors can never read each other's data, and optional two-factor authentication. Our threat model is a small SaaS, not a bank, but we take real precautions and review them as we grow.
Children
VendOS TCG is not directed at anyone under 13. If you believe a child has created an account, contact us and we'll delete it.
Changes to this policy
When the policy changes, we update the date at the top and surface a notice in-app. Material changes that reduce your rights will include a 30-day notice before taking effect.
Contact
Questions, deletion requests we couldn't process automatically, or anything privacy-adjacent: vendoroshelp@gmail.com.