Pulled ItPulled It

Legal

Privacy Policy

What we collect, why we collect it, and how you can control it.

Last updated: April 18, 2026

This Privacy Policy describes how Derek Osmun(“Pulled It”, “we”, “us”) collects, uses, and protects personal information when you use pulledit.shop and its related services (the “Service”).

1. Information We Collect

Information You Provide

  • Account data — email address, password (hashed), display name, optional bio and avatar URL.
  • OAuth data — if you sign in with Google or GitHub, we receive your email address, profile picture, and name from the provider.
  • Collection and want list data — the cards you add, including quantities, conditions, notes, and tags.
  • Marketplace listings and offers — prices, messages, and transaction status between buyers and sellers.
  • Location data (optional) — if you enable location features for marketplace proximity search, we store your city, region, country, postal code, and approximate latitude/longitude. You can remove this at any time from your profile.
  • Communications — if you email us, we keep your messages to respond and troubleshoot.

Information Collected Automatically

  • Usage data — pages you visit, time spent, buttons clicked, referrer, device type, browser, approximate region (IP-based). Collected via Vercel Web Analytics and Vercel Speed Insights in a privacy-friendly, cookie-less way.
  • Session cookies — used by Supabase Auth to keep you logged in. These are necessary for the Service to function.
  • Log data — our hosting provider (Vercel) and database (Supabase) automatically log request metadata (IP address, timestamp, URL) for security and debugging.

Information From Third Parties

We fetch card metadata (names, images, prices, set info) from third-party card APIs (Pokémon TCG API, Scryfall, Lorcast, YGOPRODeck, OPTCG API). This is public data about trading cards, not about you.

2. How We Use Your Information

  • To create and maintain your account.
  • To provide core features: collection tracking, want lists, marketplace, offers, notifications.
  • To display your public profile and collection when you share your profile link or list cards.
  • To send transactional emails (signup confirmation, password reset, offer notifications if enabled).
  • To improve the Service by analyzing aggregated usage patterns.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal obligations.

3. Who We Share With

We do not sell your personal information. We share limited data with:

  • Supabase — our database and auth provider. Processes your account data and User Content.
  • Vercel — our hosting and analytics provider. Processes request metadata and aggregated analytics.
  • Google / GitHub — if you sign in via OAuth, we receive data from them; we do not share data back beyond the OAuth handshake.
  • Stripe (if/when you subscribe) — payment method details are collected and stored by Stripe, not by us.
  • Other users — when you make your profile public, share a profile link, or list on the marketplace, the visible portions of your data (display name, bio, location city/region, collection, listings) become visible to other users and unauthenticated visitors.
  • Law enforcement — if required by valid legal process, or to protect our rights, safety, or the safety of others.

4. Cookies and Tracking

We use a minimal set of cookies:

  • Authentication cookies — set by Supabase Auth so you stay logged in. Essential for the Service to function.
  • Vercel Analytics — cookieless by design. Collects aggregate, anonymized usage data without tracking individuals across sites.

We do not use third-party advertising cookies, behavioral re-targeting, or cross-site trackers.

5. Data Retention

We retain your account data as long as your account is active. If you delete your account, we delete your personal data from our active systems within 30 days, except:

  • Aggregated analytics data that no longer identifies you may be retained indefinitely.
  • Data we're required to retain for legal, tax, or security reasons.
  • Public marketplace transaction history with other users may be retained in pseudonymized form to preserve their records.

6. Your Rights

Depending on your location, you may have the following rights:

  • Access — request a copy of your personal data.
  • Correction — update inaccurate information (you can edit most data directly in your account settings).
  • Deletion — request deletion of your account and associated data.
  • Portability — request a machine-readable export of your collection and want list data.
  • Opt-out of marketing— we currently don't send marketing emails; transactional emails are required for the Service to function.

To exercise these rights, email support@pulledit.shop.

California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, to request deletion, and to opt out of the “sale” or “sharing” of their personal information. We do not sell or share personal information as those terms are defined under California law.

EU/UK Residents (GDPR / UK GDPR)

Our legal bases for processing your data are: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to operate, secure, and improve the Service; and (c) consent — where we ask for it (e.g. location features). You may lodge a complaint with your local data protection authority.

7. Security

We use industry-standard security measures including TLS encryption in transit, hashed passwords, row-level security (RLS) on our database, and restricted admin access. However, no system is 100% secure. You're responsible for keeping your password safe and using a strong, unique password.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

9. International Transfers

Our providers (Vercel, Supabase) may process data in the United States and other countries. By using the Service from outside the United States, you consent to transfer of your data to the US.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we'll post the updated policy on this page and update the “Last updated” date. We encourage you to review this page periodically.

11. Contact

Privacy questions, data requests, or concerns? Email support@pulledit.shop.

This Privacy Policy was generated as a starting template. Depending on your jurisdiction and business activities, additional requirements may apply. Consult a licensed attorney before launching paid features or operating at scale.