A Pokemon TCG tracker that brings Cardmarket, TCGPlayer and eBay into one app. Compare EU & US prices side by side.

© CollectHolo, 2026

CollectHolo is not affiliated with, sponsored or endorsed by, or in any way associated with Pokémon or The Pokémon Company International Inc.

Privacy Policy

We respect your privacy. This policy explains how we collect, use, and protect your personal data.

1. Data Controller

CollectHolo ("we", "us") operates the CollectHolo platform. For questions about this Privacy Policy or your personal data, please contact us.

2. Data We Collect

Account data: When you sign up, we collect your email address and password (stored in hashed form). We may also store your display name if you provide one.

Collection and portfolio data: You voluntarily add cards, sealed products, purchase details, notes, and related information. This data is stored to provide the portfolio and wishlist features.

Usage data: We may collect technical information such as IP address, browser type, device type, and pages visited to improve the Service and prevent abuse. We use Cloudflare Turnstile for bot protection on authentication forms.

Cookies and local storage: We use cookies and local storage for authentication, preferences (e.g. theme, currency), and session management.

3. How We Use Your Data

We use your data to: provide and improve the Service; authenticate you; store and display your collection and wishlist; process contact form submissions; send notifications (e.g. feature request updates) if you have opted in; comply with legal obligations; and prevent fraud or abuse.

4. Legal Basis (GDPR)

If you are in the European Economic Area: we process your data based on your consent (where applicable), the performance of our contract with you, our legitimate interests (e.g. security, improving the Service), and legal obligations.

5. Third-Party Services and Data Processors

We rely on the following third-party providers to operate the Service. Each maintains its own privacy policy, and we engage them under written Data Processing Agreements where the GDPR requires one.

Hosted in the European Union

  • Supabase: Authentication and primary database. Stores account credentials (passwords are hashed), profile, collection, wishlist, and transactional metadata. Hosted in eu-central-1 (Frankfurt, Germany).
  • Amazon Web Services (SES): Transactional email delivery (account, billing, alerts, contact replies). Receives recipient email addresses and message content. Region: eu-central-1 (Frankfurt, Germany).
  • Cloudflare R2: Object storage for card images, set covers, sealed-product imagery, and user avatars. EU jurisdiction (endpoint host *.eu.r2.cloudflarestorage.com).

Global infrastructure and United States

  • Vercel: Application hosting and global CDN. Processes IP addresses and request logs for delivery and abuse prevention.
  • Cloudflare: Edge CDN, DDoS protection, and Turnstile CAPTCHA on authentication, contact, and feature-request forms. Processes IP address, user agent, and CAPTCHA challenge data.
  • Stripe: Payment processing for web subscriptions. Stores customer ID, payment-method details, and subscription events. Card data is collected by Stripe directly and never touches our servers.
  • Google Analytics 4 and Google Tag Manager: Web analytics and tag delivery. Collects page views, interaction events, and anonymized client identifiers. Activated only after you grant analytics consent in the cookie banner.
  • Meta (Facebook) Pixel: Conversion tracking for marketing campaigns. Sends sign-up and similar conversion events. Activated only after you grant advertising consent.
  • Reddit Pixel: Conversion tracking for marketing campaigns. Sends sign-up and similar conversion events. Activated only after you grant advertising consent.
  • Google Gemini API: AI vision used by the optional card-scan feature. Receives the card photo you upload (as a Base64-encoded image) solely to identify the card.
  • RevenueCat: Subscription management for in-app purchases on iOS. Stores Apple in-app-purchase identifiers and entitlement state.

Optional integrations (only active if you enable them)

  • Discord: Optional account linking that grants the CollectHolo PRO role to subscribers. Stores your Discord user ID and an OAuth token. Active only after you connect your Discord account.
  • Apple Push Notification service (APNs): Push notifications to the iOS app. Uses the Apple-issued device token and the notification payload.
  • Web Push (VAPID): Browser push notifications. Uses the push endpoint provided by your browser vendor and the notification payload.

6. Data Retention

We retain your data only as long as necessary for the purposes described above:

  • Account and collection data: for as long as your account is active. After you delete your account, your data is removed from active systems immediately and from encrypted backups within 30 days.
  • Server and security logs: up to 14 days, then automatically purged.
  • Email delivery logs (Amazon SES): delivery metadata retained for up to 14 days.
  • Payment records (Stripe / RevenueCat): retained for the statutory bookkeeping period (up to 10 years under German tax law, §147 AO / §257 HGB).
  • Analytics data (GA4): retained at the GA4 default of 14 months in anonymized form.

7. Your Rights

Depending on your jurisdiction, you may have the right to: access your personal data; rectify inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; request data portability; withdraw consent; and lodge a complaint with a supervisory authority. To exercise these rights, please contact us.

8. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (HTTPS), secure authentication, and access controls. No system is completely secure; please use a strong password and do not share your credentials.

9. Children

The Service is not intended for users under 13 (or 16 in the EU without parental consent). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us so we can delete it.

10. International Transfers

Several processors listed in Section 5 are based in the United States (Stripe, Google Analytics 4, Google Tag Manager, Meta Pixel, Reddit Pixel, Google Gemini, RevenueCat, Discord) or operate globally (Vercel, Cloudflare). When we transfer personal data to those processors, we rely on the following safeguards under Articles 44–49 GDPR:

  • The EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023), where the processor is certified.
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for processors not certified under the Data Privacy Framework.
  • Supplementary technical and organizational measures, including encryption in transit and access controls.

Data that does not need to leave the EU (Supabase database, Amazon SES email delivery, Cloudflare R2 image storage) is hosted in EU regions and does not rely on these transfer mechanisms.

11. Changes

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we may notify you via email or a notice on the Service.

12. Contact

For privacy-related requests or questions, please contact us.

Last updated: 21 May 2026