Legal
Privacy Policy
Last updated: April 27, 2026
Catchinary collects as little personal data as possible. You can browse the entire site without an account, without tracking pixels, and without a cookie banner. This page documents exactly what is and isn't stored.
What Catchinary does not do
- No third-party analytics. No Google Analytics, Plausible, PostHog, Fathom, or similar.
- No advertising or retargeting pixels (no Meta Pixel, no Google Ads tag).
- No mailing list. There is no email signup, no newsletter, no marketing email.
- No selling, renting, or sharing personal data with data brokers. Ever.
What Catchinary does collect
If you don't sign in
You can browse every card page, set page, market dashboard, and search result without identifying yourself. Catchinary uses two minor browser-storage items in this mode:
- Currency preference stored in
localStorageso the site remembers whether you want USD or EUR. This stays on your device and is never sent back to the server. - Standard server logs generated by the Cloudflare edge (IP address, user-agent string, request path, timestamp). These are short-lived and used for debugging, abuse mitigation, and rate limiting. They are not joined with any identity.
If you sign in
Catchinary uses Google OAuth as the only sign-in method. When you sign in, Google returns your email address and name to Catchinary. Those values are stored in the database with a session record so the site can show your saved collection on subsequent visits.
Catchinary sets the following cookies:
session— an encrypted session identifier that authenticates you on subsequent requests. Expires when you sign out or after the session lifetime.oauth_return_to— a short-lived cookie (a few minutes) that remembers where you were trying to go before being redirected to sign in. Cleared automatically after the redirect completes.
If you save cards to your collection, Catchinary stores the card identifiers, the date added, and your account ID. Card-level notes and acquisition prices, if you enter them, are stored alongside.
Outbound clicks (eBay)
eBay listing links on Catchinary are affiliate links through the eBay Partner Network. When you click one, eBay receives standard click-tracking parameters from the link itself, including a campaign ID and a Catchinary-internal identifier of the form card:<slug> that lets Catchinary see which card the click came from in aggregate reporting. eBay's own privacy policy governs what eBay does after the click.
Third parties Catchinary uses
- Cloudflare — hosting, CDN, edge cache, and DDoS protection. Cloudflare sees every request as part of routing it. Cloudflare privacy policy
- Google — OAuth sign-in only. Catchinary does not use Google Analytics, Google Ads, or Google Tag Manager. Google privacy policy
- eBay — affiliate link routing for outbound listing clicks (only on click, never on page view). eBay privacy policy
- pokemontcg.io — public card-data API. The browser does not contact pokemontcg.io directly; Catchinary fetches data server-to-server.
Cookies, in one place
| Name | Purpose | When it's set | Lifetime |
|---|---|---|---|
session | Keeps you signed in | After Google OAuth completes | Until sign-out / expiry |
oauth_return_to | Sends you back to the page you were on before sign-in | Click "Sign in" | A few minutes |
Browsers also create their own purely-local localStorage entries for things like currency and the no-account binder. Those never travel back to Catchinary servers.
Data retention
Account records and saved collections are kept until you ask for deletion. Server logs are typically rotated within 30 days at the edge layer. Aggregate counts (how many people viewed a page, how many clicks a link got) may be kept indefinitely in non-identifying form.
Your rights
You can:
- Sign out anytime via /logout to invalidate your session cookie.
- Request a copy of the data Catchinary holds for your account.
- Request deletion of your account and saved collection. Catchinary will remove account records and collection rows within 30 days of a verified request.
- If you are in the EU, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA respectively, including the right to object to processing and to lodge a complaint with your local data protection authority.
For any of the above, email hello@catchinary.com from the email address on file.
Children
Catchinary is not directed at children under 13 (or under 16 in the EU). Catchinary does not knowingly collect data from children. If you are a parent or guardian and believe a child has signed in, email the address below and the account will be deleted.
Security
Sessions are encrypted, OAuth tokens are not stored client-side, and traffic is served over HTTPS only. No system is perfectly secure; if a breach occurs that affects your data, Catchinary will notify affected accounts by email and post a notice on the site.
Changes
Material updates to this policy will be flagged at the top of this page with a new "Last updated" date. Continued use of Catchinary after a change constitutes acceptance.
Contact
Privacy questions, data requests, or concerns: hello@catchinary.com.