Privacy Policy
Last updated: 2026-05-13
JUST TCG PLATFORMS (“we”, “us”) operates a multi-tenant e-commerce platform for trading-card-game shops, along with public tools — the AI Explorer, the Assistant, the Appraisal tool, the Watchlist, and the Movers feed — at justtcgplatforms.com. This policy explains what we collect and how we use it.
Who controls your data
For data collected by the public site (Explorer, Assistant, Appraisal, Watchlist, Movers, and marketing pages), we are the data controller.
For data collected through a specific merchant’s storefront, POS, or admin running on our platform, the merchant is the controller and we act as the processor. Each merchant’s data is isolated from every other merchant’s at the database layer.
Information we collect
On the public site
- Watchlist signup: your email address, the cards you’ve asked to track, and your alert thresholds. We use your email solely to send the alerts you signed up for plus a one-time confirmation. The link in the email is the only credential — no password, no profile.
- Assistant chat: the messages you send to the public assistant, forwarded server-to-server to Anthropic for inference. Chats are not tied to an identity (there’s no login) and are not retained after the request completes.
- Appraisal lists: the deck or collection lists you paste in. Processed transiently in memory; never written to storage.
- IP-based rate limiting: we throttle each IP to keep heavy operations (chat, appraisal, explorer fetches) within healthy bounds. Counter entries live in our cache for short windows and are not persisted.
- Cookies: standard session cookies for signed-in operators (NextAuth). The public tools work without cookies. We don’t set tracking, advertising, or third-party analytics cookies.
On a merchant’s storefront, POS, or admin
- Customer accounts (storefront): name, email, phone, shipping addresses, order history, store-credit ledger.
- Operator accounts (admin / POS): name, email, role (owner / admin / manager / staff).
- Order data: items, totals, payment method, refund history, plus an audit log of operator actions (status changes, refunds issued, credit adjustments).
- Payment data: handled via Stripe Connect. Full card numbers never touch our servers; we store Stripe identifiers (PaymentIntent, Charge, Refund ids) so we can look up the original transaction.
- Trade-in submissions: the customer-submitted card lists, photos, and condition notes shared with the merchant for evaluation.
- Email communications log: subject, type, recipient, sent / failed status of every transactional email we send on the merchant’s behalf (order confirmations, shipping notifications, refunds, low-stock alerts).
- Inventory + product catalog: SKU, title, price, stock counts, and any operator-supplied notes or shelf-location tags.
How we use it
- To run the merchant’s store: process orders, fulfill shipments, send transactional email, maintain inventory, power the POS.
- To send Watchlist alerts you opted into.
- To answer Assistant queries (LLM inference via Anthropic, with live JustTCG catalog access via MCP).
- To detect fraud and abuse on the platform.
- To improve the platform via aggregate, non-identifying metrics.
We do not sell your information.
Subprocessors
We use the following service providers; data flows to them only as required to deliver functionality.
- Stripe — payment processing, Connect onboarding, payouts, refunds.
- Resend — transactional email delivery.
- Anthropic — LLM inference for the Assistant. Messages you send are forwarded for processing.
- JustTCG — TCG card catalog and market price data; no PII shared.
- Shippo — shipping label generation when a merchant uses the integration.
- Cloudinary — product image hosting when a merchant uses the integration.
- TCGplayer — order and inventory sync when a merchant uses the integration.
- Sentry — server error monitoring.
- Railway — application hosting and managed PostgreSQL.
Cookies
- Session cookie (NextAuth) — keeps merchants and staff signed in. Required for the admin and POS.
- No tracking cookies, no advertising cookies, no third-party analytics that profile visitors.
Data retention
- Customer + order data: retained for the lifetime of the merchant account or until the customer requests deletion (whichever comes first).
- Operator audit log: retained indefinitely for compliance and dispute resolution.
- Watchlist: retained until you remove the entry via the manage link in any alert email, or until 24 months of inactivity have passed.
- Email log: retained for 12 months for delivery troubleshooting.
- Assistant chat: not retained server-side beyond the request lifecycle.
- Appraisal lists: not retained (processed in-memory only).
Your rights
- Access the personal data we hold about you — email privacy@justtcgplatforms.com.
- Request correction or deletion. We’ll honor requests within 30 days, except where retention is required by law or for an active dispute.
- Withdraw consent for a Watchlist alert via the one-click unsubscribe link in every alert email.
- Export your store data — merchants can contact support for a full export.
EU/UK residents have additional rights under GDPR; California residents have rights under CCPA. Reach us at the address above.
Security
- All traffic is HTTPS-only (HSTS preload).
- Card numbers never touch our servers; Stripe handles them directly via tokenized elements.
- Operator passwords are bcrypt-hashed.
- Per-tenant isolation enforced server-side on every request.
- Rate limits and bearer-token gates on every cron and webhook endpoint.
Children's privacy
The platform is not directed at children under 13. We do not knowingly collect personal data from children.
International transfers
Our infrastructure is hosted in the United States. By using the platform, you consent to processing of your data in the US.
Changes to this policy
We’ll post material changes here and bump the “Last updated” date. For significant changes affecting how we use data, we’ll email signed-in operators directly.
Contact
Questions? Email privacy@justtcgplatforms.com.
