Privacy
Version 1.2 — last updated 3 May 2026
This page describes what personal data tcg-bay.com collects, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR). We tried to keep it short and to write in plain English. If anything is unclear, get in touch — the email address is at the bottom.
Who is responsible
tcg-bay.com is operated by Lefief CommV, a Belgian commanditaire vennootschap. For the purposes of the GDPR, Lefief CommV is the controller of your personal data. Company details and press kit are available at lefief-powered.com. For privacy questions, write to timberlefief@gmail.com. The site is offered in English to a worldwide audience; we do not target a specific country other than meeting Belgian and EU law where they apply to us as the operator.
What we collect, why, and for how long
Each row below is one separate processing activity, with the legal basis we rely on and the retention period.
Letting you sign in and use your account
- Data: Email address, display name, and profile photo received from Google when you sign in. OAuth tokens issued by Google.
- Legal basis: Performance of the contract you enter into when you create an account (GDPR Art. 6(1)(b)).
- Retention: For as long as the account exists. OAuth tokens are refreshed as needed and deleted on sign-out or account deletion.
Identifying cards from photos you upload (the scanner)
- Data: The card image you upload. We send a cropped JPEG to Ximilar (recognition) and, if condition estimation is enabled, to Anthropic (vision model).
- Legal basis: Performance of the contract (you asked us to identify the card) — GDPR Art. 6(1)(b).
- Retention: The original image is processed in memory and discarded as soon as the response is returned. We keep a perceptual hash (a numeric fingerprint of the image, not the image itself) and the recognition result so that future identical scans are free; this hash is linked to the first user who scanned it for abuse-prevention purposes.
Storing the cards in your collection and the sets you follow
- Data: Cards you add to your collection (set, number, printing, condition, your notes, acquisition price/date if you fill them in) and the sets you follow.
- Legal basis: Performance of the contract — GDPR Art. 6(1)(b).
- Retention: Until you delete the entry or close your account.
Billing, credits, and subscriptions
- Data: Stripe customer ID, subscription tier and status, credit balance, and a per-action credit ledger (which scans / purchases used or added credits, and when).
- Legal basis: Performance of the contract for the billing itself (GDPR Art. 6(1)(b)) and our legal obligation to keep accounting records (Art. 6(1)(c), Belgian Code of Economic Law).
- Retention: Subscription state for as long as you have an account. Invoice and ledger records are kept for 7 years to comply with Belgian accounting law, even after account closure.
Showing live eBay listings on card pages
- Data: Card identifier (set + number) is sent to the eBay Browse API. No information about you is sent. Listing links are tagged with our eBay Partner Network campaign identifier so that, if you click through and buy, eBay pays us a commission. The commission is paid by eBay out of the seller’s fees — you do not pay extra.
- Legal basis: Performance of the contract — GDPR Art. 6(1)(b).
- Retention: Listing results are cached briefly (minutes) and refreshed on demand.
Understanding how the site is used (analytics)
- Data: Standard Google Analytics 4 events (page views, button clicks, scan / checkout funnels). The GA4 cookies described below are set only after you accept them.
- Legal basis: Your consent — GDPR Art. 6(1)(a). You can withdraw it at any time using the button further down.
- Retention: GA4 retains event-level data for 14 months and then automatically deletes it.
Cookies and similar storage
We use the small set of cookies and one piece of local storage listed below. Essential cookies are needed for the site to work and are not subject to consent. Analytics cookies are set only after you accept them in the banner. Until you accept, Google Analytics is loaded in a denied state (Google Consent Mode v2): no cookies are written and no measurement hits are sent.
Essential
| Name | Purpose | Lifetime | Set by |
|---|---|---|---|
| __Secure-authjs.session-token | Keeps you signed in. Set after a successful Google sign-in. | 30 days | tcg-bay.com (first-party) |
| __Host-authjs.csrf-token | Anti-CSRF token used during sign-in. | Session | tcg-bay.com (first-party) |
| __Secure-authjs.callback-url | Remembers where to send you after sign-in. | Session | tcg-bay.com (first-party) |
Analytics (consent-gated)
| Name | Purpose | Lifetime | Set by |
|---|---|---|---|
| _ga | Distinguishes unique visitors. | 13 months | Google LLC (Google Analytics 4) |
| _ga_<container-id> | Persists session state for Google Analytics 4. | 13 months | Google LLC (Google Analytics 4) |
Local storage
| Key | Purpose | Lifetime |
|---|---|---|
| tcgbay-consent | Remembers whether you accepted or declined the analytics cookie, so the banner does not reappear. | Until cleared |
Change your mind? Resetting your choice will clear the stored answer and bring back the banner the next time you visit a page.
Who else processes your data
We use the following processors. Each one is bound by a written data-processing agreement. We do not sell your data to anyone, and we do not share it with anyone for advertising purposes.
| Recipient | Role | Location | Transfer basis |
|---|---|---|---|
| Google LLC | Google sign-in (OAuth) and Google Analytics 4 | United States | EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795). Google LLC is self-certified. |
| Stripe Payments Europe Ltd. / Stripe, Inc. | Payment processing, subscription management, invoicing | Ireland and United States | EU-U.S. Data Privacy Framework. Stripe is self-certified for the DPF, with Standard Contractual Clauses as a fallback. |
| Anthropic, PBC | Vision model used for optional card-condition estimates | United States | Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) plus supplementary measures, as published in Anthropic’s privacy documentation. |
| Ximilar s.r.o. | Card recognition from your uploaded photo | Czech Republic (EU) | Intra-EU processing under a data-processing agreement; no third-country transfer mechanism required. |
| eBay Inc. | Live listings on card pages (no information about you is sent — only the card identifier). | United States | Not applicable — no personal data is transmitted to eBay by tcg-bay.com. |
| Amazon Web Services EMEA SARL | Hosting of the application server and PostgreSQL database (region eu-west-1, Ireland) | Ireland (EU) | Intra-EU processing. |
eBay Partner Network
tcg-bay.com is a member of the eBay Partner Network (EPN), eBay's official affiliate program. We display live eBay listings on card pages so you can see what your cards are worth on the open market. Each listing link is tagged with our EPN campaign identifier so that, if you click through and buy, eBay pays us a small commission. The commission is paid by eBay out of the seller's fees — you do not pay extra, and the price you see is the price you pay.
- We send eBay only the card identifier (set + card number, plus the printing's edition / finish / language so we return listings for the right version). No information about you, your account, or your collection is sent.
- Click-out links open in a new tab and are marked rel="sponsored" — the FTC- and search-engine-canonical signal that they are paid affiliate links.
- Listing results are cached on our server for ~15 minutes and refreshed on demand. We never display stale data: the cache is invalidated automatically before the TTL expires.
- Every listing surface in the app shows an inline disclosure (“We're an eBay Partner Network affiliate and may earn a commission…”) immediately above the links — required by EPN's Code of Conduct so you know in advance you're being directed to eBay.
- We are not eBay sellers and we do not post affiliate links on eBay properties. We do not modify the eBay logo or trademarks. We do not bid on “eBay” as a paid search term.
If you would like to opt out of click-out tracking on your interactions, your browser's tracking-protection or private-browsing modes will prevent the EPN tracking parameters from carrying through after you leave tcg-bay.com.
Your rights
Under the GDPR you can ask us, at any time, to:
- Confirm what personal data we hold about you and give you a copy (right of access).
- Correct anything that is inaccurate or out of date (right to rectification).
- Delete your account and the personal data linked to it (right to erasure).
- Receive your data in a portable, machine-readable format (right to data portability).
- Restrict or object to a specific processing activity.
- Withdraw your analytics consent — using the button in the cookies section above.
To exercise any of these rights you can also act directly: download a JSON copy of your data or permanently delete your account from account settings. For anything else, email timberlefief@gmail.com; we will reply within 30 days.
You also have the right to lodge a complaint with your supervisory authority. In Belgium, that is the Data Protection Authority, Rue de la Presse 35, 1000 Brussels — contact@apd-gba.be.
Security
The site runs on European infrastructure. Connections use HTTPS. Sign-in uses Google OAuth (we never see your Google password). Payment card data is collected directly by Stripe; it does not touch our servers. The application database is not accessible from the public internet.
Children
tcg-bay.com is not directed at children under 16 and we do not knowingly create accounts for them. If you believe a child has signed up, email us and we will delete the account.
Changes to this notice
When we change this page in a way that materially affects you, we bump the version above and note the change. Older versions are kept on request.
Questions? Email timberlefief@gmail.com. See also our terms of service.
