Legal

Privacy Policy

Effective date: 2026-05-15

This Privacy Policy explains how War Room (also referred to as "TCG War Room," "we," "us," or "our") collects, uses, shares, and protects information about visitors to tcgwarroom.com and users of our services (the "Services").

Plain-English summary: We collect your email if you sign up for the waitlist. We use Cloudflare for hosting and analytics, which collects IP addresses and browsing data. We don't sell your data. We don't run ads. We don't share your data with marketers. You can ask us to delete your data at any time by emailing contact@tcgwarroom.com.

1. Information We Collect

1.1 Information you give us directly

  • Email address — when you join the waitlist by submitting our signup form.
  • Card collection data — when you add cards to your personal collection page, we store the card identifiers (set ID + number) you choose to track. This is not sensitive personal data; it's a list of products you have indicated interest in.
  • Alert delivery log — when we send you a price-movement digest email, we record the recipient address, the date, the number of cards in the digest, and the delivery-provider message ID, so we don't send you the same digest twice and so we can investigate a delivery failure if you report one.

1.2 Information collected automatically

  • Log and usage data — including IP address, browser type, the pages you visit, request timestamps, and User-Agent string. This is captured by our web server (Caddy + uvicorn) and our rate-limiting system.
  • Device data — browser, operating system, and device type — captured by Cloudflare Web Analytics.
  • Coarse location data — country-level location derived from IP address — captured by Cloudflare Web Analytics. We do not collect precise GPS or device-precision geolocation.

1.3 Information we do not collect

We do not collect: names, phone numbers, mailing addresses, government IDs, payment information, biometric data, professional or employment history, demographic characteristics (gender, age, race, religion, etc.), or any other "sensitive personal information" as defined by US state privacy laws. We do not use social-media login. We do not buy personal data from third-party data brokers. We do not build inferred profiles about you.

2. How We Use Information

We use the information we collect to:

  • Provide the Services you signed up for, including delivering your personal access link, displaying your tracked cards, and (in the future) sending price-movement alert emails.
  • Respond to inquiries you send to contact@tcgwarroom.com.
  • Send administrative messages (account confirmations, security notices, updates to these terms).
  • Identify usage trends and improve the Services — this is what Cloudflare Web Analytics is for.
  • Protect the Services from abuse — including rate-limiting signups by IP address, detecting spam via a honeypot field, and retaining server logs for outage diagnostics and security investigations.

We do not use your information for: targeted advertising, third-party marketing, promotional campaign effectiveness measurement, profiling for automated decisions with legal effects, or any sale of personal information.

3. Legal Bases for Processing (EU/UK Users)

If you are in the European Economic Area, the United Kingdom, Iceland, Liechtenstein, Norway, or Switzerland, the General Data Protection Regulation (GDPR) and the UK GDPR require us to identify the legal basis for processing your personal data. We rely on:

  • Performance of a contract — when we use your email to deliver the personal collection-tracking service you signed up for.
  • Legitimate interests — for security, fraud prevention, and identifying usage trends to improve the Services. We have evaluated these interests against your rights and freedoms and concluded the processing is proportionate.
  • Legal obligation — when applicable law requires us to retain or disclose information (e.g., responding to a lawful subpoena).
  • Consent — for any processing that doesn't fit the above bases; we will ask for your consent and you may withdraw it at any time.

4. How We Share Information

We do not sell or "share" personal information for advertising purposes as those terms are defined under the California Consumer Privacy Act (CCPA), Connecticut Data Privacy Act (CTDPA), Colorado Privacy Act (CPA), or any similar state law.

We do disclose certain information to the following categories of service providers who process data on our behalf and only as needed to provide the Services:

  • Cloud Computing Services — Oracle Cloud, for hosting our application and database (US-based).
  • Website Hosting / Edge Services — Cloudflare, for content delivery, DDoS protection, and edge caching.
  • Data Analytics — Cloudflare Web Analytics (cookieless).
  • Email Service Provider — Resend, for delivering transactional and alert emails. We transmit your email address and the identifiers of the cards you have chosen to track as part of the email content.

Each of these providers operates under a Data Processing Agreement that requires them to process information only on our instructions and to apply appropriate security measures.

We may also disclose information when required by law (e.g., in response to a valid subpoena or court order) or in connection with a merger, acquisition, or sale of business assets. We will provide notice of the latter to the extent legally permitted.

5. International Data Transfers

Our servers and the servers of our service providers are located in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States.

For users in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions with cross-border transfer restrictions, we rely on the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into our service providers' Data Processing Agreements, as the legal mechanism for these transfers.

6. Cookies and Similar Technologies

The Services use Cloudflare Web Analytics, which loads a small JavaScript "web beacon" from cloudflareinsights.com to record aggregate visitor statistics. Cloudflare Web Analytics is cookieless — it does not set tracking cookies on your device.

Your browser may also store small amounts of data in localStorage when you use the Services — for example, to remember your sort preference on your collection page. This is local-to-your-browser data, not transmitted to us as cookies.

We do not use targeting cookies, social-media cookies, click redirects, retargeting pixels, advertising tags, or any third-party tracking beacons other than the cookieless Cloudflare Web Analytics beacon described above.

7. Data Retention

We retain your email address, access token, and collection data for as long as you have an account with us (i.e., your access token exists). You can delete your account yourself at any time from Settings → Delete account in the app: your account is disabled immediately and all associated data (email, access token, collection, watchlists, and profile) is permanently erased within 30 days. You may also email contact@tcgwarroom.com to request deletion.

Server logs (which contain IP addresses and browsing activity) are retained for a rolling window for security and debugging purposes, then automatically discarded.

8. Your Privacy Rights

To the extent required by applicable law, you may have specific rights regarding your personal information. The availability of each right depends on the privacy law in your jurisdiction.

Subject to applicable law, you may request to:

  • Access — Receive a copy of the personal information we hold about you.
  • Correct — Update inaccurate or incomplete information.
  • Delete — Have your personal information erased, subject to legal retention requirements.
  • Port — Receive your personal information in a structured, machine-readable format.
  • Restrict — Limit how we process your information.
  • Object — Opt out of processing based on legitimate interests.
  • Withdraw consent — Where processing is based on your consent.
  • Appeal — If we deny a request, you may appeal by replying to our response email.

Account deletion is self-serve in the app (Settings → Delete account). To exercise any other right, email contact@tcgwarroom.com from the email address associated with your account. We will respond within the time required by applicable law (typically 30–45 days). We do not charge a fee for these requests.

Where required by law, you may also lodge a complaint with your local data protection authority — for example, your state Attorney General in the United States, the Information Commissioner's Office in the United Kingdom, or your national Data Protection Authority in the European Union.

9. State-Specific Privacy Disclosures (United States)

This Privacy Policy describes our practices to support compliance with US state privacy laws to the extent they apply to us. Most US state privacy laws (including those in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, and Florida) apply only to businesses that meet specific applicability thresholds — for example, processing personal data of 100,000+ residents per year, or earning a defined share of revenue from selling personal data. We are a small, free, pre-revenue service and likely do not meet most of those thresholds at this time. Nevertheless, we follow the principles in these laws — including the consumer rights described in Section 8 — as a matter of policy, regardless of whether a particular statute legally requires us to.

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) have the lowest applicability thresholds and may apply to us if our California user base grows. We honor CCPA/CPRA rights for California users regardless.

9.1 Categories of personal information collected (CCPA terms)

  • Identifiers — email address, IP address, access token.
  • Internet activity — pages visited, referring URL, browsing data captured by web server logs and Cloudflare Web Analytics.
  • Geolocation data (coarse) — country-level location derived from IP address.
  • Commercial information — the list of Pokémon cards you have chosen to track in your collection. We treat this as commercial information because it constitutes a "record of products considered" under California Civil Code § 1798.140(o)(1)(D).

We do not collect: California Customer Records statute categories (names, signatures, government IDs, financial info, medical info), characteristics (gender/age/race), biometric data, sensory data (audio/video), professional or employment history, education history, or inferences drawn to create consumer profiles.

9.2 Sale / sharing of personal information

We do not sell personal information. We do disclose certain information to service providers as described in Section 4 above ("Disclose only," not "Sale" or "Share" under CCPA terms).

The only "disclosure" categories that fall under California's Sale/Share Tracking Technology disclosure rules are: beacons / pixels / tags, specifically the Cloudflare Web Analytics beacon, which transmits visit-level derivative data to Cloudflare as our analytics service provider. We do not use targeting cookies, marketing cookies, social-media cookies, click-redirect tracking, or social-media plugins.

9.3 Global Privacy Control (GPC)

We do not "sell" or "share" personal information for cross-context behavioral advertising, so a Global Privacy Control signal from your browser has no operational effect on our processing — there is no sale or share for us to opt you out of.

9.4 California "Shine the Light" (Cal. Civ. Code § 1798.83)

We do not share personal information with third parties for those parties' direct marketing purposes.

9.5 Non-discrimination

We will not deny, charge different prices for, or provide a different level of service to users who exercise their privacy rights.

10. EU/UK/Swiss Users

For users in the EU, UK, or Switzerland, this Privacy Policy is intended to comply with the General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP).

Data controller: War Room (TCG War Room), an operation based in the United States.

EU/UK Representative: We currently rely on the small-scale processing exception under GDPR Article 27(2) and have not appointed an EU or UK representative. Our processing of EU/UK personal data is occasional, does not involve large-scale special-category data, and is unlikely to result in a high risk to the rights and freedoms of data subjects.

EU-US Data Privacy Framework: We do not currently participate in the EU-US Data Privacy Framework. Our cross-border transfers rely on Standard Contractual Clauses (SCCs) as described in Section 5.

11. Canadian Users

For users in Canada, this Privacy Policy is intended to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information).

12. Australia and New Zealand Users

For users in Australia or New Zealand, this Privacy Policy is intended to comply with the Australian Privacy Act 1988 and the New Zealand Privacy Act 2020, respectively. Both frameworks are broadly aligned with the GDPR principles described above.

13. Children's Privacy

The Services are intended for users 13 years of age and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact contact@tcgwarroom.com and we will delete that information promptly.

14. Security

We use appropriate technical and organizational measures to protect personal information, including:

  • HTTPS / TLS encryption on all connections to the Services.
  • Cloudflare web application firewall (WAF) and DDoS protection.
  • Per-IP and per-account rate limiting on signups and account mutations.
  • Honeypot-based spam detection on the signup form.
  • Cryptographically random access tokens (43 characters, base64-url-safe).
  • Server-side logging with sensitive tokens redacted (only the first 8 characters of any token are ever logged).
  • SQLite database in WAL mode for crash safety; secrets stored in a root-only env file (0600 permissions).
  • SSH key–only authentication to our infrastructure.

No security system is perfect. If we ever experience a personal-data breach that triggers a legal notification requirement (e.g., GDPR Art. 33, state breach-notification laws), we will notify affected users and applicable regulators within the required timeframe.

15. Updates to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users who have provided an email address by sending notice to that address, and we will update the "Effective date" at the top of this Policy. Your continued use of the Services after the updated Policy takes effect constitutes acceptance of the updates.

16. Contact

Questions about this Privacy Policy, or requests to exercise your privacy rights: email us at contact@tcgwarroom.com.