Data processing notice.

The data controller is the MinosTCG team. You can reach us at hello@minostcg.com.

When MinosTCG incorporates as a company (expected by the end of 2026), the corporate details will be updated here.

When you sign up:

• Email address (for login and service communications)
• A password (stored as a bcrypt hash, never in clear text)
• Subscribed plan, if any

When you sync a wishlist:

• Wishlist contents (card names, quantities, minimum condition)
• The anonymous wishlist ID on Cardmarket (no data about your account)
• Sync and optimization timestamps

When you pay:

• Stripe handles payment data; we only see the transaction outcome and the chosen plan
• Billing name and details if required (for the tax receipt)

What we do NOT collect:

• Cardmarket credentials (the extension reads the DOM, not your login)
• Cardmarket purchase history
• Third-party ad-tracking cookies (no ad tracking)

• Service: without a wishlist we can't optimize anything, without an email we can't give you an account
• Payments: needed to handle subscriptions and invoicing (legal obligation)
• Service communications: confirm payments, announce service changes, answer support requests
• Aggregated analytics: understand how many wishlists land on which plan, in anonymous aggregated form

• Performance of a contract (art. 6.1.b GDPR) for email, wishlist, payments
• Legal obligation (art. 6.1.c GDPR) for retention of billing data (10 years under Italian law)
• Legitimate interest (art. 6.1.f GDPR) for aggregated analytics and technical error logs

Only with the technical providers strictly necessary to the service:

• Supabase (database and auth, EU)
• Vercel (frontend hosting, EU)
• Render / Fly.io (backend hosting, EU)
• Upstash (Redis cache, EU)
• ScrapingBee (Cardmarket data fetching, EU): only sees public Cardmarket URLs, never your data
• Stripe (payments, EU/USA with GDPR safeguards)

No sale to third parties, no data brokers, no affiliate networks. DPA contracts are in place with all providers above.

• Active account: as long as the account exists
• After deletion: 30 days for possible recovery, then complete deletion
• Synced wishlists: 12 months from the last optimization, then anonymized
• Billing data: 10 years (Italian tax obligation)

Under GDPR you have the right to:

• Access your data (export available from the dashboard)
• Rectify incorrect data
• Delete your account and associated data
• Restrict processing
• Object to processing based on legitimate interest
• Portability (JSON or CSV export)

To exercise them write to hello@minostcg.com. Reply within 30 days.

You also have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it).

• Technical: session and authentication cookies, essential to the service (no consent required)
• Preferences: language, optional light/dark theme (no consent required)
• Analytics: Plausible or self-hosted, anonymous, no fingerprinting (no consent required per EDPB/Italian Authority)
• Third-party advertising: none

Stripe may process payment data in the US under GDPR safeguards (Standard Contractual Clauses). All other providers are hosted in the EU. We don't transfer data to other non-EU countries.

If we change something substantial we notify you by email at least 30 days in advance. Minor edits (rewording, corrections) are published here by updating the date at the top.