What we collect
To run the service we collect:
- Account details — email address, hashed password (or OAuth token if you signed in via a social provider), Stripe customer ID for billing.
- Uploaded card photos — stored in Supabase Storage, associated with your account. Used to identify the card and produce your CSV output.
- Identification results — matched card ID, condition, suggested price, and other fields shown in the review grid.
- eBay OAuth token — if you connect an eBay account, we store the OAuth refresh token so we can publish listings on your behalf. Your eBay password is never sent to us.
- Usage logs — request timestamps, scan counts, error messages. Used for quota accounting and debugging.
What we don’t collect
- Payment card numbers — those go directly to Stripe.
- Location data beyond what your browser sends in normal HTTP headers.
- Third-party tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar.
How we use it
- Identify your uploaded cards and generate CSVs.
- Bill your subscription and enforce scan quotas.
- Publish eBay listings you initiate.
- Respond to your support requests.
- Improve the identification model — anonymised images may be used to train and evaluate our matcher. Tell us at hello@bulkcard.app if you’d rather opt out.
Third parties we share data with
- Anthropic — receives card photos to run the vision model. Anthropic’s privacy policy applies.
- Google Cloud Vision — OCR fallback on stamp text.
- Pokémon TCG API / TCGdex — receives card names and stamp signatures during catalog lookups. No user identifiers are sent.
- eBay — if you connect an eBay account, we send listing content and pricing queries on your behalf.
- Stripe — handles all payment card processing.
- Supabase — hosts our database, storage, and authentication.
- Vercel — hosts the application.
Where the data lives
The Supabase project is hosted in the Sydney (ap-southeast-2) region. Vercel serves the application from its edge network globally. Anthropic processes inference in the United States. eBay and Stripe operate their own global infrastructure.
Your rights
Under Australian privacy law you can:
- Request a copy of the personal data we hold about you.
- Ask us to correct or delete that data.
- Withdraw consent for optional processing (like image-based model training).
- Close your account, which deletes your identifiable data within 30 days.
Email hello@bulkcard.app to exercise any of these rights.
Retention
- Uploaded card photos: kept while your account is active, or 90 days after subscription cancellation, whichever is later.
- Identification results and CSVs: kept while your account is active. Deleted 30 days after account closure.
- Billing records: retained 7 years to meet Australian tax record requirements.
- Usage logs: rolled off after 90 days.
Security
We use TLS in transit, encryption at rest for Supabase Storage, and Row-Level Security policies to enforce per-user data isolation. If we discover a data breach that affects your data, we’ll notify you within 72 hours as required under the Notifiable Data Breaches scheme.
Contact
Privacy questions or data requests: email hello@bulkcard.app.