CardSwap CardSwap
  • How it works
  • Help
  • en
    • English
    • German
  • Login
  • Sign up
Privacy Policy

CardSwap Privacy Policy

This page explains which personal data CardSwap processes, why it is needed, which third parties may be involved, and how you can submit deletion or privacy requests.

Last updated: June 2026

1. Controller / operator

Benjamin Lieberwirth

benjamin.lieberwirth@gmail.com

91 CAMP STREET, 4066 TOOWONG

2. Legal bases

  • Account use, trade organization, and messaging may rely on Art. 6(1)(b) GDPR where the processing is necessary to provide the platform.
  • Security measures, abuse prevention, technical stability, and logs may rely on Art. 6(1)(f) GDPR where there is a legitimate interest in running a secure and functioning service.
  • Optional features such as a voluntarily requested passport MRZ check may rely on your explicit request, consent, or a similar voluntary action; the precise legal classification should be reviewed before a broader launch.

3. Cookies and similar local storage

CardSwap currently relies primarily on technically necessary mechanisms such as session cookies for login, security, and form protection. The web interface may also store small convenience preferences locally in the browser, for example UI states via local storage.

If the Reddit Pixel is configured, CardSwap only loads it after your explicit marketing consent. Your choice is stored locally in your browser and can be changed through the "Privacy choices" link in the footer.

4. Google and Facebook sign-in

You can sign in to CardSwap with email and password or through Google or Facebook. When you use a social login, CardSwap only receives the account data that the provider shares with us for that sign-in flow.

  • For Google sign-in, CardSwap may receive a Google account ID, your name, your email address, and an avatar image.
  • For Facebook sign-in, CardSwap may receive an app-scoped Facebook user ID, your name, your email address if Facebook shares it, and an avatar image.
  • If Facebook does not provide an email address and you finish sign-in by entering one manually, CardSwap stores and uses that address as the normal contact email for your account.
  • This data is used to sign you in, create or link your account, prevent duplicate or abusive sign-ins, and display basic identity information inside CardSwap.
  • CardSwap does not post to your Google or Facebook account and does not access broader social data unless separately disclosed.
  • If you later remove CardSwap from Google or Facebook, future social sign-ins through that provider will stop, but your existing CardSwap account is not automatically deleted.

5. Data CardSwap processes

  • Account data such as username, email address, password hash, or linked Google or Facebook sign-in data
  • Trade data such as offers, wishlist entries, card attributes, match suggestions, trade states, ratings, and issue reports
  • Support data such as help tickets, feedback, contact email, related page URL, and technical context such as browser information
  • Messages exchanged between users inside a trade match
  • Technical data such as security and error logs, rate-limit state, and basic usage metadata

6. Why the data is used

  • To provide login, registration, and account security
  • To store and display card lists
  • To compute match suggestions and trade workflows
  • To apply game-specific price caches, shipping filters, and partly automated matching or safety logic
  • To moderate misuse and handle issue reports
  • To handle support requests, bug reports, feedback, and feature ideas
  • To keep the service stable, troubleshoot incidents, and improve security

7. Optional passport MRZ check

If you use the optional passport MRZ check, CardSwap processes an uploaded passport page image only for an immediate in-memory OCR and MRZ consistency test. The flow is designed not to retain that image as part of your account afterward.

  • Only minimal result data is retained, such as status, timestamp, issuing country, the last four document characters, an expiry signal, and a technical MRZ score.
  • The app intentionally does not keep the passport image or the full passport number as normal account profile data.
  • A successful check may appear as a small trust badge on your profile areas inside the app.

8. Third parties and processors

CardSwap may use AWS for hosting, databases, logs, and infrastructure. Google or Meta receive data when their sign-in flows are used. Emails may be sent through Resend. Card and pricing reference data may be requested from third-party sources such as Scryfall, TCGdex, YGOPRODeck, CardTrader, JustTCG, or other game-specific data providers. If you allow marketing cookies and the Reddit Pixel is actively configured, usage and device information may be shared with Reddit to measure and improve Reddit ads.

CardSwap currently runs in an AWS region in the United States (us-east-1). Personal data of users from the EU/EEA is therefore transferred to and processed in the United States. Where such a transfer to a third country takes place, it relies on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the relevant provider's participation in the EU-US Data Privacy Framework. We provide further information about the safeguards used on request.

9. Retention

Accounts, messages, trade data, and moderation data may be retained as long as necessary for service operation, security, abuse prevention, or legal traceability. Archived or suspended accounts may remain stored for safety and audit purposes.

If you delete or archive your account, some trade and security data may continue to be retained for audit, anti-fraud, or legal reasons even though your profile is no longer actively usable.

10. Deletion requests and removing connected apps

You can request deletion of your CardSwap account directly inside the app on the Delete account page. If you no longer have access to your account, the Data Deletion page explains the alternative process for privacy and deletion requests.

  • Facebook users can also remove CardSwap in Facebook under Settings & Privacy > Settings > Apps and Websites. This revokes future Facebook sign-ins but does not by itself delete your CardSwap account.
  • Google users can remove the connected access in their Google account as well; this stops future social sign-ins but does not automatically delete the CardSwap account.
  • When a deletion request is processed, CardSwap removes active listings and archives or disables the account. Limited security, moderation, anti-fraud, or legally required records may still be retained.

11. Your rights

Depending on applicable law, you may have rights of access, correction, deletion, restriction, objection, or data portability. Privacy requests can be sent to the contact address listed above.

If you are in the EU/EEA, you also have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority, in particular in the member state of your habitual residence, place of work, or the place of the alleged infringement. In Germany this is usually the state data protection authority of the relevant federal state.

12. Australia: privacy complaints

If you are in Australia or Australian privacy law applies to your request, privacy complaints should first be sent directly to CardSwap. Please explain as clearly as possible which data is affected, what happened, and what outcome you are seeking.

CardSwap should respond to such complaints within a reasonable period; Australian OAIC guidance commonly uses 30 days as a practical benchmark.

If your complaint is not resolved that way, you may complain to the Office of the Australian Information Commissioner (OAIC). Official guidance is available at oaic.gov.au.

13. California: CCPA/CPRA notice

To the extent the California Consumer Privacy Act, as amended, applies to CardSwap, California residents may have rights including the right to know, delete, correct, data portability, and non-discrimination.

If CardSwap sells personal information, shares it for cross-context behavioral advertising, or uses sensitive personal information beyond permitted purposes, additional opt-out or limitation rights may apply. The Reddit Pixel is loaded only after your marketing consent; you can change that choice through "Privacy choices" in the footer.

Requests under California privacy law can be sent to the contact email listed above or, for deletion requests, through the Data Deletion page. CardSwap may request reasonable information to verify your request before acting on it.

An official overview of California privacy rights is available from the California Department of Justice at oag.ca.gov/privacy/ccpa.

14. Security

CardSwap uses technical and organizational safeguards such as password hashing, login protections, rate limits, secure cookies, and separated infrastructure. However, no internet service can be perfectly secure.

15. Use by minors

If CardSwap is intended only for adults or for users acting with parental or guardian consent, the service should be used accordingly. Parents or guardians may contact us if they believe a minor has used the service in an unauthorized way.

Related legal pages

  • Terms of Service
  • Privacy Policy
  • Data Deletion
  • Legal Notice
CardSwap
Trade, browse and share your card lists across Magic, Pokemon and Yu-Gi-Oh!.
Trading
Dashboard Add cards Matches Tutorial Help What's new
Account
Login Register Forgot Password
Legal
Terms of Service Privacy Policy Data Deletion Legal Notice
© 2026 CardSwap
English ยท German
Allow marketing cookies?
We only load the Reddit Pixel after your consent to measure and improve Reddit ads. Learn more in our Privacy Policy.