Privacy Policy

Last updated: January 25, 2026

Effective Date: January 25, 2026

Data Controller: Aurasoft UK

Contact: contact@aurasoft.co.uk (Subject: Ref: CardScope - [your query])

1. Introduction

CardScope ("we", "our", or "us") is committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), EU GDPR, and Data Protection Act 2018. This Privacy Policy explains how we collect, use, store, and protect your personal data.

Your rights: You have the right to access, correct, delete, or restrict processing of your personal data. You also have the right to data portability and to lodge a complaint with the UK Information Commissioner's Office (ICO).

2. Data We Collect

2.1 Account Information (If You Create an Account)

• Email address: For account creation, login, and communication (encrypted at rest)
• Password: Hashed using bcrypt (we never store plaintext passwords)
• Authentication provider: If you use Google, Apple, or Facebook OAuth (we only store provider ID, not credentials)
• Account creation date: Timestamp of registration
• Last login date: For security and inactive account management

2.2 Collection Data (Your Pokémon Cards)

• Card details: Card name, set, number, condition, quantity, purchase price, notes
• Binder organization: How you've organized cards in binders (layout, page numbers, positions)
• Deck lists: Decks you've created from your collection
• Scan history: Date/time of card scans (for analytics, not linked to images)
• Local storage: All data stored locally on your device via AsyncStorage (offline-first architecture)
• Cloud sync: If enabled, synchronized to our MySQL database at cardscope.aurasoft.co.uk (encrypted in transit via HTTPS)

2.3 Usage Data (Analytics)

• App events: Feature usage, screens viewed, actions taken (anonymized where possible)
• Device information: Device model, OS version, app version (for debugging and compatibility)
• Crash reports: Error logs if the app crashes (helps us fix bugs, no personal data)
• Performance metrics: Load times, API response times (for optimization)

2.4 Technical Data

• IP address: Temporarily logged for security and rate limiting (not stored long-term)
• Session tokens: 64-character secure tokens for authentication (30-day expiry, stored hashed)
• API requests: Logged for rate limiting (100 requests/minute per user)

2.5 Payment Information

• Subscription status: Free, Premium, or Pro tier (stored in our database)
• Payment processing: Handled by Apple App Store or Google Play (we never see your card details)
• Transaction ID: Receipt validation token from App Store/Play Store
• Subscription dates: Start date, renewal date, cancellation date

3. How We Use Your Data

3.1 Service Provision (Legal Basis: Contract)

• Provide the CardScope app and its features
• Sync your collection across devices (if enabled)
• Process your subscription payments
• Provide customer support

3.2 Service Improvement (Legal Basis: Legitimate Interest)

• Analyze usage patterns to improve features
• Debug errors and fix bugs
• Optimize app performance
• Develop new features based on usage data

3.3 Communication (Legal Basis: Consent)

• Send account-related emails (password resets, security alerts)
• Send marketing emails (only if you opt-in, unsubscribe anytime)
• Notify you of app updates or new features

3.4 Legal Compliance (Legal Basis: Legal Obligation)

• Comply with UK/EU data protection laws
• Respond to legal requests (court orders, law enforcement)
• Prevent fraud and abuse

4. Data Storage & Retention

4.1 Where We Store Data

• Local device: All collection data stored on your device (iOS/Android secure storage)
• Cloud database: MySQL server at cardscope.aurasoft.co.uk (UK-based, HTTPS encrypted)
• No third-party storage: We do NOT use Firebase, AWS, or other third-party cloud providers for user data

4.2 How Long We Keep Data

• Active accounts: Data retained while your account is active
• Inactive accounts (30+ days): Data soft-deleted after 30 days of inactivity (flagged as deleted, not purged)
• Soft delete period: Soft-deleted data retained for 30 days (recoverable if you log back in)
• Hard delete: After 30 days of soft deletion, data is permanently purged from all systems
• Account deletion request: Immediate soft delete, hard delete after 30 days
• Payment records: Kept for 7 years (UK tax law requirement)
• Crash logs: Retained for 90 days, then deleted

4.3 Soft Delete Process

When you delete your account or request data deletion:

1. Day 0: Account marked as "deleted" in database (deleted_at timestamp set)
2. Day 0-30: Data no longer accessible via app, but retained in soft-deleted state
3. Day 30: Automated job permanently deletes all data (hard delete)
4. Recovery: If you log in during Days 0-30, we can restore your account (email support)

5. Data Sharing & Third Parties

5.1 We DO Share Data With:

• TCGdex API: We fetch public card data (card names, sets, images) - NO user data shared
• Cardmarket API: We fetch public pricing data - NO user data shared
• Apple/Google: Payment processing only (we send subscription status, they handle payment)

5.2 We DO NOT Share Data With:

• Marketing companies
• Data brokers
• Social media platforms (unless you use OAuth login)
• Advertisers
• Analytics platforms (we self-host analytics)

5.3 Data Transfers Outside UK/EU

We do NOT transfer your data outside the UK/EU. All data is stored on UK-based servers. If we ever need to transfer data internationally, we will:

• Notify you in advance
• Ensure adequate safeguards (Standard Contractual Clauses or UK Adequacy Decisions)
• Obtain your explicit consent where required

6. Your GDPR Rights

6.1 Right to Access (Article 15)

Request a copy of all personal data we hold about you (we'll provide within 30 days, free of charge).

How to exercise: Email contact@aurasoft.co.uk with subject "Ref: CardScope - Data Access Request".

6.2 Right to Rectification (Article 16)

Correct inaccurate or incomplete data (you can do this in-app under Settings > Account).

6.3 Right to Erasure / \"Right to be Forgotten\" (Article 17)

Request deletion of your personal data (soft delete immediate, hard delete after 30 days).

How to exercise: Settings > Account > Delete Account, or email contact@aurasoft.co.uk with subject "Ref: CardScope - Delete My Account".

6.4 Right to Restrict Processing (Article 18)

Request we stop processing your data temporarily (e.g., during a dispute).

6.5 Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format (JSON or CSV export).

How to exercise: Settings > Export Data, or email contact@aurasoft.co.uk with subject "Ref: CardScope - Data Export Request".

6.6 Right to Object (Article 21)

Object to processing based on legitimate interests (e.g., marketing).

Marketing opt-out: Click \"Unsubscribe\" in any email, or Settings > Notifications > Marketing Emails OFF.

6.7 Right to Withdraw Consent (Article 7)

Withdraw consent for data processing at any time (doesn't affect past processing).

6.8 Right to Lodge a Complaint

If you're unhappy with how we handle your data, you can complain to:

• UK: Information Commissioner's Office (ICO) - https://ico.org.uk/make-a-complaint/
• EU: Your local Data Protection Authority

7. Security Measures

7.1 Technical Safeguards

• Encryption at rest: Email addresses encrypted using AES-256
• Encryption in transit: All API communication via HTTPS/TLS 1.3
• Password hashing: bcrypt with salt (industry standard)
• Session tokens: 64-character secure random tokens, hashed in database
• Rate limiting: 100 requests/minute per user (prevents abuse)
• SQL injection protection: PDO prepared statements (not vulnerable)

7.2 Organizational Safeguards

• Access control: Only authorized personnel can access database (2FA required)
• Data minimization: We only collect data necessary for service provision
• Regular audits: Quarterly security reviews and penetration testing
• Incident response plan: Data breach notification within 72 hours (GDPR requirement)

7.3 Data Breach Notification

If we suffer a data breach affecting your personal data, we will:

1. Notify the ICO within 72 hours (GDPR Article 33)
2. Notify you directly via email (GDPR Article 34)
3. Explain what data was compromised and what we're doing to fix it
4. Provide guidance on protecting yourself (e.g., password reset)

8. Children's Privacy (Under 13)

CardScope is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover we've collected data from a child under 13, we will delete it immediately.

Parents: If you believe your child has provided personal data to CardScope, contact us at contact@aurasoft.co.uk with subject "Ref: CardScope - Child Data Deletion" and we'll delete it immediately.

9. Cookies & Tracking

Website (cardscope.aurasoft.co.uk): We use localStorage to save theme preference (light/dark mode). No tracking cookies. No analytics cookies. No advertising cookies.

Mobile app: No cookies (native apps don't use cookies). Device ID is used for session management (you can reset this by logging out).

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Changes will be posted on this page with an updated \"Last updated\" date.

Material changes: If we make material changes (e.g., new data collection, third-party sharing), we will:

• Email you 30 days in advance
• Display an in-app notification
• Require you to accept the new policy before continuing to use the app

Version history: Previous versions of this policy are available upon request.

11. Contact & Data Protection Officer

Data Controller: Aurasoft UK
Email: contact@aurasoft.co.uk
Email Format: Please use subject line "Ref: CardScope - [your topic]"
Response time: We aim to respond to all requests within 30 days (GDPR requirement)

Data Protection Officer (DPO): Not currently required (we're a small business under GDPR Article 37), but you can contact us at the above email for any data protection concerns.

12. Legal Basis Summary

Data Type	Legal Basis	Retention
Account info (email, password)	Contract (service provision)	Until account deletion + 30 days
Collection data (cards, binders, decks)	Contract (service provision)	Until account deletion + 30 days
Usage analytics	Legitimate interest (service improvement)	90 days
Marketing emails	Consent (opt-in)	Until unsubscribe
Payment records	Legal obligation (UK tax law)	7 years

13. International Users

CardScope is primarily designed for UK/EU users. If you're outside the UK/EU:

• Data location: Your data is still stored on UK servers
• Privacy protections: You still benefit from GDPR-level protections
• US users: CCPA rights respected (California residents)
• Other jurisdictions: We comply with local data protection laws where applicable

---

Questions? Email contact@aurasoft.co.uk (Subject: Ref: CardScope - [your query])
Complaints? Contact the ICO at https://ico.org.uk/make-a-complaint/
Last updated: January 25, 2026