This page explains which personal data CardSwap processes, why it is needed, which third parties may be involved, and how you can submit deletion or privacy requests.
Last updated: June 2026
Benjamin Lieberwirth
benjamin.lieberwirth@gmail.com
91 CAMP STREET, 4066 TOOWONG
CardSwap currently relies primarily on technically necessary mechanisms such as session cookies for login, security, and form protection. The web interface may also store small convenience preferences locally in the browser, for example UI states via local storage.
If the Reddit Pixel is configured, CardSwap only loads it after your explicit marketing consent. Your choice is stored locally in your browser and can be changed through the "Privacy choices" link in the footer.
You can sign in to CardSwap with email and password or through Google or Facebook. When you use a social login, CardSwap only receives the account data that the provider shares with us for that sign-in flow.
If you use the optional passport MRZ check, CardSwap processes an uploaded passport page image only for an immediate in-memory OCR and MRZ consistency test. The flow is designed not to retain that image as part of your account afterward.
CardSwap may use AWS for hosting, databases, logs, and infrastructure. Google or Meta receive data when their sign-in flows are used. Emails may be sent through Resend. Card and pricing reference data may be requested from third-party sources such as Scryfall, TCGdex, YGOPRODeck, CardTrader, JustTCG, or other game-specific data providers. If you allow marketing cookies and the Reddit Pixel is actively configured, usage and device information may be shared with Reddit to measure and improve Reddit ads.
CardSwap currently runs in an AWS region in the United States (us-east-1). Personal data of users from the EU/EEA is therefore transferred to and processed in the United States. Where such a transfer to a third country takes place, it relies on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the relevant provider's participation in the EU-US Data Privacy Framework. We provide further information about the safeguards used on request.
Accounts, messages, trade data, and moderation data may be retained as long as necessary for service operation, security, abuse prevention, or legal traceability. Archived or suspended accounts may remain stored for safety and audit purposes.
If you delete or archive your account, some trade and security data may continue to be retained for audit, anti-fraud, or legal reasons even though your profile is no longer actively usable.
You can request deletion of your CardSwap account directly inside the app on the Delete account page. If you no longer have access to your account, the Data Deletion page explains the alternative process for privacy and deletion requests.
Depending on applicable law, you may have rights of access, correction, deletion, restriction, objection, or data portability. Privacy requests can be sent to the contact address listed above.
If you are in the EU/EEA, you also have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement. In Germany this is usually the state data protection authority of the relevant federal state.
If you are in Australia or Australian privacy law applies to your request, privacy complaints should first be sent directly to CardSwap. Please explain as clearly as possible which data is affected, what happened, and what outcome you are seeking.
CardSwap should respond to such complaints within a reasonable period; Australian OAIC guidance commonly uses 30 days as a practical benchmark.
If your complaint is not resolved that way, you may complain to the Office of the Australian Information Commissioner (OAIC). Official guidance is available at oaic.gov.au.
To the extent the California Consumer Privacy Act, as amended, applies to CardSwap, California residents may have rights including the right to know, delete, correct, data portability, and non-discrimination.
If CardSwap sells personal information, shares it for cross-context behavioral advertising, or uses sensitive personal information beyond permitted purposes, additional opt-out or limitation rights may apply. The Reddit Pixel is loaded only after your marketing consent; you can change that choice through "Privacy choices" in the footer.
Requests under California privacy law can be sent to the contact email listed above or, for deletion requests, through the Data Deletion page. CardSwap may request reasonable information to verify your request before acting on it.
An official overview of California privacy rights is available from the California Department of Justice at oag.ca.gov/privacy/ccpa.
CardSwap uses technical and organizational safeguards such as password hashing, login protections, rate limits, secure cookies, and separated infrastructure. However, no internet service can be perfectly secure.
If CardSwap is intended only for adults or for users acting with parental or guardian consent, the service should be used accordingly. Parents or guardians may contact us if they believe a minor has used the service in an unauthorized way.