PRIVACY POLICY

1. INTRODUCTION

This Privacy Policy describes how Leumas Card Craze LLC ("we", "us", "our") collects, uses, stores, and shares personal data when you use the service available at inventory.leumascc.com (the "Service") or visit our website. It applies to all visitors, waitlist subscribers, and registered users.

We are the data controller for the personal data described in this Policy. For privacy questions or to exercise your rights, contact support@leumascc.com.

2. INFORMATION WE COLLECT

Category	Examples	Source
Account identity	Email address, display name, password hash	You, at registration
Profile	Return shipping address, ship-from address, eBay seller username	You, in Account Settings
eBay account data	OAuth refresh token (encrypted), seller ID, internal eBay user ID, listing data, order data, fees	eBay APIs after you Connect
TCGplayer data	Order data (manually uploaded), pricing CSV exports	You, via Import / Sync
Business data	Inventory, combine lists, lot tracking, expenses, picklist, audit logs	You, via the Service
Operational telemetry	Session timestamps, last login, last token refresh, error logs (no PII content)	Automatically
Usage analytics	Anonymized page views and in-app actions (no names, emails, card titles, or dollar amounts)	Google Analytics (GA4) — only after you accept analytics cookies
Waitlist	Email address only	You, at landing-page signup

2.1 What we don't collect

• We use only privacy-first, consent-gated analytics (see Section 10) — no analytics run at all unless you accept cookies, and we never send personal data to our analytics provider.
• We do not use advertising trackers or cross-site/behavioral advertising cookies.
• We do not collect device fingerprinting data beyond what your browser sends in normal HTTP requests.
• We do not access your eBay messages, buyer personal data beyond what's required for order fulfillment, or other sellers' data.

3. HOW WE USE YOUR DATA

• Provide the Service — sync your listings, process orders, render dashboards, generate shipping labels.
• Account communication — notify you about Service changes, security events, scheduled maintenance, and (for waitlist subscribers) when public registration opens.
• Security & abuse prevention — detect unusual login patterns, enforce rate limits, investigate breaches.
• Service improvement — aggregated, anonymized usage patterns may inform feature priorities. Individual data is never combined across tenants.
• Legal compliance — respond to lawful requests, enforce our Terms, and protect our rights.

We do not sell your personal data. We do not share Your Data with other tenants. We do not use Your Data to train AI models.

4. LEGAL BASIS (GDPR)

For users in the EU/UK, we process personal data under the following legal bases:

• Contract performance — providing the Service you signed up for.
• Legitimate interest — security, fraud prevention, Service improvement.
• Consent — waitlist email subscription, optional features.
• Legal obligation — tax records, regulatory compliance.

5. DATA SHARING

We share personal data only with the following categories of recipients:

• Infrastructure providers processing data on our behalf:
  • Supabase (database hosting, authentication, edge functions) — based in the United States; SOC 2 Type 2 certified.
  • Netlify (static hosting + CDN) — based in the United States.
  • Cloudflare, Inc. (Turnstile bot protection on sign-up forms) — based in the United States.
  • Google LLC (Google Analytics / GA4, anonymized usage measurement, consent-gated — no personal data sent) — based in the United States.
  • Stripe, Inc. (payment processing — applies only once paid billing is enabled) — based in the United States.
• Marketplace partners at your direction — eBay (when you Connect your account) and TCGplayer (when you upload exports).
• Email provider — Microsoft Outlook (operator's business inbox).
• Legal recipients — law enforcement, regulators, or courts when required by valid legal process.
• Successors — in connection with a merger, acquisition, or sale of assets, subject to confidentiality protections.

All third-party processors operate under data-processing agreements that restrict their use of Your Data to providing services to us.

6. DATA STORAGE & SECURITY

• Encryption in transit — all connections use TLS 1.2+ (HTTPS).
• Encryption at rest — Supabase Postgres encrypts disk-level. eBay OAuth refresh tokens are additionally encrypted at the column level using pgcrypto with a master key stored in Supabase Vault (pgsodium-backed).
• Row-level security — every business table enforces a Postgres row-level security policy (user_id = auth.uid()) at the database layer. Application code cannot bypass tenant isolation; the database refuses cross-tenant access regardless of bugs.
• Access controls — service-role credentials are restricted to backend Edge Functions; never exposed to client browsers.
• Audit trail — destructive operations are logged with batch_id and revert paths.

7. DATA RETENTION

Data	Retention
Active account data	Retained while your account is active.
Account terminated	30 days after termination, then permanently deleted.
Waitlist email	Retained until public registration opens or you unsubscribe.
Operational logs	90 days, then aggregated/anonymized.
Backups	Up to 90 days following deletion, then purged.
Records required by law	As required by applicable law (typically 7 years for financial records).

8. YOUR RIGHTS

8.1 Universal rights

• Access — request a copy of personal data we hold about you.
• Correction — update inaccurate information via Account Settings or by emailing us.
• Deletion — request permanent removal of your account and data.
• Export / portability — download Your Data in CSV format at any time via the Service's export tools.
• Restriction — request we suspend processing while we investigate a dispute.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — disconnect eBay, unsubscribe from waitlist, or close your account at any time.

8.2 California (CCPA / CPRA) rights

California residents have additional rights to know what categories of personal data we collect, sources, business purposes, and recipients (all disclosed above). California residents may also opt out of "sale" or "sharing" of personal data — though we do not sell or share personal data for cross-context behavioral advertising.

8.3 How to exercise

Email support@leumascc.com with the request and the email address on your account. We will respond within 30 days. We may require identity verification before fulfilling deletion or export requests.

9. INTERNATIONAL TRANSFERS

Our infrastructure is located in the United States. If you access the Service from outside the U.S., your data will be transferred to and processed in the U.S. We rely on Standard Contractual Clauses (or equivalent transfer mechanisms) for EU/UK data transfers.

10. COOKIES & ANALYTICS

The Service uses session storage (sessionStorage) and local storage (localStorage) in your browser to store your auth token, user preferences (e.g., onboarding state, feature flags), and OAuth state. These are essential for the Service to function and are not used for tracking.

We also use Google Analytics (GA4) to understand aggregate, anonymized usage. Analytics runs with Google Consent Mode set to DENIED by default — nothing is sent to Google until you click Accept on our cookie banner. You can decline, change your choice at any time via the "Cookie settings" link, or block cookies in your browser. We do not send personal data (names, emails, card titles, or dollar amounts) to our analytics provider, and we do not use advertising or cross-site behavioral cookies.

11. CHILDREN

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a child has provided personal data, contact us at support@leumascc.com and we will delete the data promptly.

12. DATA BREACH NOTIFICATION

If we become aware of a breach of personal data that creates a high risk to your rights and freedoms, we will notify affected users without undue delay (and within 72 hours where required by law) by email and via in-Service notification. Notifications will describe the nature of the breach, likely consequences, mitigations taken, and contact information for further questions.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 14 days before taking effect. The "Last updated" date above reflects the most recent revision.

14. CONTACT

Privacy questions, requests, or complaints: support@leumascc.com.

EU/UK residents may also lodge a complaint with their national data protection authority.

Mailing address available upon request.

Leumas Card Craze LLC · Sioux Falls, South Dakota, United States

← Back to home