Privacy Policy
This policy describes what data Foilr collects, why we collect it, who we share it with, and the rights you have over it. Foilr is built so you don't have to give us much: no tracking cookies, no third-party analytics, no data resale. Everything below explains the rest.
01 Who we are
Foilr (the "Service") is a market radar for the One Piece Trading Card Game, with planned expansion to Pokémon and Magic: The Gathering. The Service is available at foilr.gg and through the Foilr application surfaces.
The Service is currently operated by Anastase Hélaine, registered as an entreprise individuelle (sole proprietorship) under French law. We are in the process of transferring operations to a Delaware limited liability company; this policy will be updated when that transfer takes effect, and the change will be material enough to trigger notice (see Section 13).
When this policy says "Foilr", "we", "us", or "our", we mean the entity above. When it says "you", we mean the individual using the Service.
Foilr is an independent, fan-run product and is not affiliated with, endorsed, or sponsored by Bandai, the ONE PIECE Card Game, The Pokémon Company, or Wizards of the Coast. All trademarks belong to their respective owners.
02 What data we collect
We collect only what we need to run the Service. Categories below.
Information you give us directly
- Account data. If you create an account: email address, hashed password (we never store it in plain text), display name if you provide one.
- Collection data. Cards you mark as owned, wanted, or chased; decks; expense entries; calendar items. This is yours; you can export or delete it at any time.
- Preferences. Notification settings, theme, currency, language, what TCGs you care about.
- Communications. If you email us or use a contact form, the contents of that message.
Information we collect automatically
- Cookieless anonymous identifier. A random ID generated client-side, stored in your browser's local storage. Used to count distinct visitors and stitch analytics events together within a session. It does not identify you personally and cannot be used to track you across other websites.
- Analytics events. Page views, button clicks, search queries, feature usage. Stored in our own database, not sent to Google Analytics, PostHog, or any third-party analytics vendor.
- Server logs. IP address, browser user-agent, request paths, response codes, timestamps. Retained for up to 30 days for abuse prevention, debugging, and security.
- Device information. Screen size and browser capabilities, used to render the Service correctly. Not stored beyond the request.
Information we receive from third parties
- Affiliate click confirmations. When you click a TCGplayer, eBay, or Amazon link from Foilr and make a purchase, the affiliate network (e.g. impact.com) tells us a click resulted in a sale. We receive a commission ID and an aggregate amount. Not the items you bought, not your shipping address, not your name.
- Authentication providers. If you sign in with Google, Apple, or another OAuth provider, that provider sends us your email address and a stable user ID. We do not receive your password.
We do not collect: precise geolocation, contacts, microphone or camera input, health data, biometrics, or any "sensitive personal information" as defined under CPRA.
03 How we use your data
We use your data for the following purposes only:
- To operate the Service. Authenticate you, render the pages you ask for, save your collection.
- To prevent abuse and secure the Service. Detect scraping, brute-force login attempts, fraud against the affiliate program.
- To improve the Service. Understand which features get used, which surfaces are broken, where users get stuck. We use our own analytics for this.
- To communicate with you. Account-related notices (security, password reset), transactional confirmations, and (only if you opt in) product updates or radar alerts.
- To meet legal obligations. Tax records for any commissions received, responses to lawful requests from competent authorities.
We do not use your data to train machine learning models. We do not sell your data, share it for cross-context behavioural advertising, or build profiles for targeted ads (we run no display ads).
04 Legal bases (GDPR / UK GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)). Account management, providing the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)). Security, abuse prevention, basic analytics for service improvement. You may object at any time; see Section 7.
- Consent (Art. 6(1)(a)). Optional email notifications, marketing communications. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)). Tax records, response to lawful requests.
06 International transfers
The Service is operated from France and the United States. Some processors listed in Section 5 are based in the United States. For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or any country that has not received an adequacy decision, we rely on:
- The EU-US Data Privacy Framework (and UK / Swiss extensions) where the vendor is certified.
- The European Commission's Standard Contractual Clauses (Module 2) where the vendor is not certified.
- Supplementary measures (encryption in transit and at rest, access controls) where appropriate.
You may request a copy of the safeguards in place by writing to hi@foilr.gg.
07 Your rights and how to exercise them
Depending on where you live, you have some or all of the following rights:
- Access. Get a copy of the personal data we hold about you.
- Rectification. Correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"). Delete your account and all personal data we hold, unless we're required by law to keep it.
- Restriction. Ask us to limit how we process your data while a dispute is resolved.
- Portability. Receive your data in a structured, machine-readable format (we provide JSON and CSV exports).
- Objection. Object to processing based on legitimate interest; we'll stop unless we have overriding grounds.
- Withdraw consent. Where processing relies on consent, you can withdraw it at any time without affecting prior processing.
- Automated decisions. We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
To exercise any of these rights, email hi@foilr.gg. We respond within 30 days. For account-data exports and deletion, you can also use the in-app controls under Profile → Data.
California residents (CCPA / CPRA). You have the right to know, delete, correct, opt-out of sale or sharing (we do neither), and limit use of sensitive personal information (we collect none). You may designate an authorised agent to exercise these rights on your behalf.
California "Shine the Light" (Civil Code § 1798.83). California residents may request a list of the categories of personal information we have disclosed to third parties for their direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for their direct marketing purposes.
Do Not Track. Some browsers transmit a "Do Not Track" signal. There is no industry-standard interpretation of the signal at this time. Because we do not track users across third-party sites, our practices do not change based on the signal.
Quebec residents (Law 25). You have the right to data portability, the right to know if a decision was made about you using automated processing (none are), and the right to lodge a complaint with the Commission d'accès à l'information.
Right to complain. EU/UK residents may lodge a complaint with their local supervisory authority. The French data protection authority is the CNIL.
08 How long we keep data
| Category | Retention |
|---|---|
| Account data (email, hashed password, profile) | Until you delete the account, then permanently within 30 days. |
| Collection, decks, expenses, calendar | Until you delete them or your account. |
| Analytics events | 13 months from event date, then aggregated and individual records purged. |
| Server logs (IP, user-agent) | Up to 30 days. |
| Affiliate / tax records | As long as required by law in the operator's jurisdiction (currently up to 10 years under French commercial code). |
| Backups | Encrypted, rolled forward; previous snapshots overwritten within 35 days. |
09 Security
We protect data with administrative, technical, and physical safeguards proportionate to the risk:
- All traffic between your device and the Service is encrypted in transit using TLS 1.2 or higher.
- Passwords are hashed with a strong, salted algorithm (bcrypt). We never store or have access to your plain-text password.
- Database backups are encrypted at rest.
- Production access is limited to the operator and is two-factor-authenticated.
- Affiliate redirects are signed; abuse triggers automatic blocking.
No system is perfectly secure. If you believe your account has been compromised, email hi@foilr.gg immediately. We disclose qualifying incidents in accordance with applicable law (typically within 72 hours under GDPR Article 33).
10 Mobile applications (iOS and Android)
The mobile applications of the Service ("Foilr for iOS", "Foilr for Android") follow the same data practices as the web Service, with the additions below.
Push notifications
If you grant permission, we collect a device push token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). The token is used solely to deliver alerts you have subscribed to (radar signals, price moves, release reminders). You can revoke permission at any time in your device's system settings, and the token is invalidated and deleted within 30 days.
Advertising identifiers
We do not collect, use, or share Apple's Identifier for Advertisers (IDFA), Google's Advertising ID (GAID), or any equivalent cross-app identifier. The Service does not display advertising, and we do not engage in cross-app tracking. For this reason, the Foilr iOS app does not present the App Tracking Transparency (ATT) prompt under iOS 14.5+.
Sign in with Apple, Google, and similar
If you sign in using a third-party identity provider (Apple, Google, Meta), that provider sends us your email address (or, in the case of Apple's private email relay, a forwarding alias) and a stable user identifier. We do not receive your password. Where Apple offers a private email relay, we honour the relay address and you may revoke our access at any time from your Apple ID settings.
Device and diagnostic data
To keep the mobile apps stable, we collect anonymous diagnostic data: anonymised crash reports, app version, OS version, device model, locale. This data is not linked to your account identity unless it is necessary to debug an issue specific to your account, in which case it is correlated with your express request to hi@foilr.gg.
Apple App Analytics and Google Play Console may provide us with aggregate, non-identifying usage statistics about the app. We do not receive individual user-level data from these sources.
Account deletion in the app
The Foilr mobile apps provide an in-app path to delete your account: Profile → Data → Delete account. You may also delete your account from the web at any time, or by emailing hi@foilr.gg. Deletion is processed within 30 days per Section 8.
App store disclosures
The Apple App Store App Privacy section and the Google Play Data Safety section summarise the same disclosures made in this Policy in the format each store requires. Where you see a discrepancy between this Policy and a store form, this Policy controls and we will correct the store form as soon as possible.
11 Children
The Service is not directed at, and we do not knowingly collect personal information from, children under 13 (United States, under COPPA) or under 16 (European Economic Area). If you are a parent or guardian and believe your child has provided us with personal data, please email hi@foilr.gg. We will delete the data within a reasonable period.
The TCG market includes products and content suitable for all ages. The Service itself is rated for users aged 13 and over because account creation, analytics, and affiliate links involve data processing that requires informed consent.
13 Third-party links and content
The Service contains links to retailers (TCGplayer, eBay, Amazon, Premium Bandai, others), social platforms (YouTube, TikTok, Instagram, Threads, X), and informational sources. We have no control over these sites and assume no responsibility for their privacy practices or content. Please review the privacy policy of each site you visit.
14 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or operational practices. When we make material changes, we will:
- Update the Effective date at the top of this page.
- Post a notice on the Service for at least 30 days before the change takes effect.
- If you have a registered account, email you a summary of the change.
Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree, you may delete your account before the change takes effect.
15 Contact
For any privacy question, request, or complaint:
- Email: hi@foilr.gg (preferred)
- Operator: Anastase Hélaine, France (postal address provided on request to the email above)
- EU representative: not required, since the operator is established in the EU.