Privacy Policy
Effective May 3, 2026
This Privacy Policy explains how Mintage collects, uses, shares, and protects your information when you use the app. By using Mintage you consent to the practices described in this policy.
1. Who We Are
Mintage is a personal TCG collection-tracking app. The data controller for personal information collected through Mintage is the Mintage development team, contactable at support@mintagetcg.app.
2. Information We Collect
Account information, when you sign in with Apple:
- Your Apple-provided unique user identifier.
- Your email address (or Apple-provided private-relay address if you chose Hide My Email).
- Your name as supplied by Apple at first sign-in (used as your default display name; you can change it in onboarding or Profile).
Collection data, which you enter:
- Cards in your portfolio and wishlist.
- Variants, conditions, quantities, acquired prices, and notes you attach to those cards.
- Avatar selection (a bundled preset image — we do NOT collect or upload personal photographs of you).
- Currency preference.
Camera and photo input, when you scan cards:
- When you use the camera to scan a card, the image is processed locally on your device for card identification.
- When you select a photo from your library, the image is sent to our servers ONLY for the duration of the identification call. We do not retain scan images after identification completes.
Voice input, when you tap the microphone:
- Speech-to-text is processed on-device using Apple's SFSpeechRecognizer with on-device-only mode enabled. Audio NEVER leaves your device.
- Only the resulting text transcript is sent to Brie's chat pipeline as if you had typed it.
Usage telemetry, generated automatically as you use the app:
- Anonymized event logs (which features you use, performance metrics).
- Crash and error reports.
- Brie narration metadata: latency, AI engine used (on-device vs. server), tool-call counts. Never the text content of your chat.
3. How We Use Your Information
- To provide and maintain Mintage's features (collection tracking, price updates, AI narration).
- To synchronize your collection across your devices.
- To generate AI-assisted narrations and chat replies via Brie.
- To improve the app via aggregated, anonymized usage analytics.
- To communicate with you about account or service issues, security alerts, and important changes.
4. Third-Party Services
We share specific data with the following providers as part of operating the service:
- Supabase — database and authentication. Stores your account record and collection data. Hosted in the United States.
- Sign in with Apple — identity provider. Apple authenticates you and supplies us with your identifier and (if you don't choose Hide My Email) your email.
- Apple Intelligence (on-device) — powers Brie's chat and narration entirely on your iPhone. No data leaves the device for AI processing.
- TCGCSV / TCGplayer — public TCG market data. We FETCH pricing data from them; we do NOT send any user information to them.
- RevenueCat (when premium features launch) — subscription state management. Handles in-app-purchase receipt validation if you purchase a premium subscription.
5. AI Processing and Brie
When Brie answers a chat or narrates your home screen, all AI processing happens on your device through Apple Intelligence Foundation Models. Your chat message, the relevant collection metadata, and any tool-call results are processed locally and do not leave your iPhone.
We do not use any third-party cloud AI provider for Brie's chat or narration. If we ever introduce one, this Privacy Policy will be updated and you will be notified in-app at least 30 days before the change takes effect.
6. Data Retention
We retain personal data only as long as we have a legitimate business or legal reason to do so:
- Account record (Apple identifier, email, display name): retained while your account is active and for up to 30 days after account deletion to allow recovery in case of accidental deletion.
- Collection data (portfolio, wishlist, scans, lots, conditions, notes, target hits): retained while your account is active and removed from active systems within 30 days of account deletion.
- Encrypted database backups: retained on Supabase's standard rolling 7-day point-in-time recovery window. Deleted records are purged from backups as backups age out of that window.
- Anonymized telemetry and crash logs: retained for up to 12 months for app-improvement analysis, then aggregated or deleted.
- Brie chat metadata (latency, engine used, tool-call counts — never message text): retained for up to 90 days for performance monitoring, then deleted.
7. Account Deletion
You can permanently delete your Mintage account and all associated personal information at any time, directly from inside the app:
- Open the app and go to the Profile tab.
- Tap "Delete Account".
- Confirm the deletion in the prompt that appears.
Once you confirm, your account record, collection data, wishlist, scans, lots, target hits, and saved preferences are removed from our active systems within 30 days. Encrypted backups roll off naturally within Supabase's 7-day point-in-time recovery window. We may retain a minimal record of the fact of deletion (an internal account ID and a deletion timestamp) for up to 12 months solely to comply with legal obligations and to prevent abuse.
If you cannot access the app — for example, if you've lost your device — you may also request deletion by emailing support@mintagetcg.app from the email address associated with your account. We will verify your identity and complete the deletion within 30 days.
8. Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — fix inaccurate data via the Profile screen, or request correction by email.
- Delete — delete your account and all associated personal data via the Profile screen.
- Export — request your collection data in a machine-readable format.
- Opt out — disable optional analytics in Settings.
To exercise any of these rights, contact us at support@mintagetcg.app. We will respond within 30 days.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you additional rights regarding your personal information:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the sources we collected it from, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete — request that we delete personal information we have collected about you, subject to certain legal exceptions.
- Right to correct — request that we correct inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing — Mintage does NOT sell or share personal information for cross-context behavioral advertising. You may confirm this status at any time.
- Right to limit use of sensitive personal information — Mintage does not use sensitive personal information beyond what is necessary to provide the service you requested.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised your CCPA rights.
To exercise any of these rights, email support@mintagetcg.app with the subject line "California Privacy Request". We will verify your identity using your Apple-provided account email and respond within 45 days, with a one-time 45-day extension where reasonably necessary.
10. European Privacy Rights (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation and analogous laws give you the following rights with respect to your personal data:
- Right of access — obtain confirmation that we process your personal data and a copy of that data.
- Right to rectification — have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — have your personal data deleted, subject to lawful exceptions.
- Right to restriction — restrict the processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object — object to processing based on our legitimate interests.
- Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with the supervisory authority in your country.
Our legal bases for processing your personal data are contract performance (to provide the Mintage service you signed up for), our legitimate interests (to keep the app secure, prevent abuse, and improve performance), and compliance with legal obligations.
To exercise any of these rights, email support@mintagetcg.app with the subject line "GDPR Request". We will respond within one (1) month.
11. Children's Privacy (COPPA)
Mintage is intended for users aged 13 and older and is NOT directed at children under the age of 13. Use of the app — including Sign in with Apple — requires that the user be at least 13 years old.
Consistent with the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506), we do not knowingly collect, use, or disclose personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete that information promptly.
If you are a parent or legal guardian and believe your child under 13 has used Mintage or provided personal information to us, please contact us at support@mintagetcg.app and we will delete the account and associated data within 30 days.
12. International Data Transfers
Mintage's primary servers are located in the United States. By using Mintage from outside the United States, you consent to the transfer and processing of your information in the United States, where data-protection laws may differ from those of your country.
13. Security
We use industry-standard security practices including HTTPS for all API traffic, password-less authentication via Apple, encrypted storage at rest on Supabase, and row-level security policies that prevent users from accessing each other's data. No system is perfectly secure; in the unlikely event of a breach affecting your account we will notify you within 72 hours of detection as required by applicable law.
14. Cookies and Tracking
The Mintage mobile app does not use browser cookies. We use Apple's Keychain (via Expo SecureStore) for local session caching. We do not use cross-app tracking identifiers (IDFA), advertising SDKs, or third-party behavioral-targeting services.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notice with at least 30 days' lead time. The "Last updated" date at the top reflects the most recent version.
16. Contact
For privacy-related questions or requests, contact us at support@mintagetcg.app.