CardToad

Privacy Policy

Last updated: April 25, 2025

Overview

CardToad ("we", "us", "our") is a fan-built, non-commercial tool for tracking Kayou trading card collections. We take your privacy seriously and collect only what we need to make the site work.

What We Collect

If you create an account

  • Email address — used to log in and send account-related emails only. We do not share it with third parties or send marketing emails.
  • Username — optional display name shown on public binder pages if you choose to make them public.
  • Collection data — the card IDs you mark as owned and the binders you create. Stored in our database (Supabase) and linked to your account.

Without an account

  • Collection and wishlist data is stored in your browser's local storage only. It never leaves your device unless you sign in.

Automatically collected

  • Analytics — We use Google Analytics 4 to understand how the site is used (page views, session duration, country-level location). This does not identify you personally. You can opt out via your browser's ad settings or a GA opt-out extension.
  • Server logs — Our hosting provider (Vercel) collects standard web server logs (IP address, user agent, URL). These are retained per Vercel's own privacy policy and are not accessible to us in identifiable form.

How We Use Your Data

  • To authenticate your account and save your collection across devices
  • To display your public binder if you have enabled public sharing
  • To understand how the site is used so we can improve it

We do not sell, rent, or share your personal data with any third party for commercial purposes.

Cookies

We use a small number of cookies:

  • Authentication cookie — set by Supabase when you log in. Required for the site to know who you are. Expires when you sign out.
  • Analytics cookies — set by Google Analytics. Used to distinguish unique visitors. You can block these without affecting site functionality.

We do not use advertising cookies or track you across other websites.

Data Storage & Security

Your account data is stored in a Supabase-managed PostgreSQL database hosted in the EU (Ireland). Supabase uses industry-standard security practices including encryption at rest and in transit. For more details see supabase.com/privacy.

Your Rights

You can:

  • Delete your account at any time from your profile page, which removes your email address and collection data from our database
  • Export your collection data (binder export feature)
  • Request a copy of any personal data we hold by emailing us

Children

CardToad is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has created an account, please contact us and we will delete it promptly.

Changes

We may update this policy as the site evolves. Material changes will be noted at the top of this page with a new "last updated" date.

Contact

Questions about this policy? Email us at hello@cardtoad.com.