Privacy Policy

Last Updated: May 24, 2026 Effective Date: May 24, 2026

This Privacy Policy describes how TradeTrack TCG, a sole proprietorship registered in Hong Kong SAR ("Company", "we", "us", "our") collects, uses, discloses, and processes information in connection with the TradeTrack TCG service operated at tradetracktcg.com (the "Service").

BY USING THE SERVICE, YOU CONSENT TO THE PRACTICES DESCRIBED IN THIS POLICY. IF YOU DO NOT AGREE, DO NOT USE THE SERVICE.

This Policy is incorporated by reference into our Terms and Conditions.

1. No Payment Data Handling

The Company does not collect, store, process, transmit, or have access to any payment card information, bank account details, or financial credentials. All payment processing is performed exclusively by Paddle.com Market Limited ("Paddle"), acting as Merchant of Record. Payment data is governed solely by Paddle's Privacy Policy available at https://www.paddle.com/legal/privacy. You acknowledge that any payment-related dispute is between you and Paddle.

2. Information We Collect

We may collect the following categories of information:

2.1. Information You Provide

Account information: name, email address, password hash, organization name, language preference;
Profile information: avatar, display name, role within workspace;
Workspace and inventory data: trading card inventory records, transaction records, photographs of inventory items, pricing data, customer notes, and any other Content you upload;
Communications: messages, support requests, feedback, survey responses;
Authentication tokens from third-party providers (Google OAuth).

2.2. Information Collected Automatically

Device information: IP address, browser type, operating system, device identifiers, screen resolution;
Usage data: pages viewed, features used, click streams, session duration, referring URLs, timestamps, error logs;
Cookies, web beacons, pixels, and similar tracking technologies;
Approximate geolocation derived from IP address;
Performance and diagnostic data.

2.3. Information from Third Parties

Authentication data from Google when you sign in via Google OAuth;
Subscription status from Paddle;
Analytics data from PostHog;
Email delivery status from Resend;
Any information shared by your workspace administrator or co-members.

3. How We Use Information

We may use any information collected for any lawful purpose, including but not limited to:

(a) providing, operating, maintaining, and improving the Service; (b) authenticating users and managing accounts; (c) processing transactions through Paddle; (d) communicating with you about the Service, updates, security, and administrative matters; (e) marketing, promotional communications, and advertising; (f) personalizing your experience; (g) analyzing usage patterns and developing new features; (h) training, developing, and improving machine learning and artificial intelligence models for any purpose, including commercial purposes; (i) generating, deriving, and commercializing aggregated and anonymized statistics, benchmarks, market data, and industry insights from User Content; (j) detecting, preventing, and addressing fraud, abuse, security incidents, and illegal activity; (k) enforcing our Terms and protecting our legal rights; (l) complying with applicable laws and responding to lawful requests from authorities; (m) any other purpose disclosed to you at the time of collection or otherwise permitted by law; (n) any internal business purpose deemed appropriate by the Company.

4. Ownership of Content

4.1. As set forth in our Terms and Conditions, you grant the Company a perpetual, irrevocable, worldwide, royalty-free license over all Content you submit.

4.2. Anonymized, aggregated, derived, and de-identified data extracted from your Content is the sole and exclusive property of the Company and may be used, sold, licensed, or commercialized in perpetuity for any purpose, without obligation or compensation to you.

4.3. You acknowledge that anonymized data is no longer personal data and is not subject to deletion or access requests.

We may disclose information to:

5.1. Service Providers and Processors

Third-party vendors that perform services on our behalf, including but not limited to:

Paddle (payment processing, Merchant of Record);
Convex (database, file storage, backend infrastructure);
Vercel (hosting and content delivery);
Google (authentication via OAuth);
PostHog (product analytics, feature flags, session recording);
Resend (transactional and marketing email delivery);
any other service providers we engage from time to time.

These providers may be located outside Hong Kong, including in the United States, the European Union, and other jurisdictions.

5.2. Workspace Members

If you join or are invited to a workspace, your information may be visible to other members of that workspace, including the workspace owner and administrators.

5.3. Business Transfers

In connection with any merger, acquisition, financing, sale of assets, bankruptcy, or similar corporate transaction, we may transfer or assign any information we hold to the acquirer or successor entity, without notice to you.

5.4. Legal Compliance and Protection

We may disclose information to: comply with applicable laws, regulations, legal process, or governmental requests; enforce our Terms; protect the rights, property, or safety of the Company, our Users, or others; detect, prevent, or address fraud, security, or technical issues; or as otherwise required or permitted by law.

5.5. Affiliates and Successors

With our affiliates, subsidiaries, successors, and assigns for any purpose described in this Policy.

With third parties when you direct us or consent to such sharing.

5.7. Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data with any party for any purpose, without restriction.

6. International Data Transfers

6.1. The Company is based in Hong Kong. Information we collect may be transferred to, stored in, and processed in jurisdictions outside Hong Kong, including the United States, the European Union, and elsewhere.

6.2. These jurisdictions may have data protection laws that differ from, and may offer less protection than, those of your jurisdiction.

6.3. By using the Service, you expressly consent to such international transfers.

7. Data Retention

7.1. We retain personal data for as long as necessary to provide the Service, fulfill the purposes outlined in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

7.2. We may retain information indefinitely in anonymized or aggregated form.

7.3. Backup, archival, or log copies may persist for additional periods consistent with our standard retention schedules and legal obligations.

7.4. Upon account termination, we may retain information as we deem necessary or appropriate, including for the period in which a User could bring a claim against us under the applicable limitation period.

8. Security

8.1. We implement commercially reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or destruction.

8.2. No system is completely secure. We do not warrant or guarantee the absolute security of any information, and we disclaim all liability for any breach, loss, or unauthorized access, to the maximum extent permitted by law.

8.3. You are responsible for maintaining the security of your account credentials and devices.

9. Your Rights

9.1. Hong Kong Personal Data (Privacy) Ordinance (PDPO)

If you are a Hong Kong data subject, you have the right under the PDPO to:

request access to personal data we hold about you;
request correction of inaccurate personal data;
ascertain our policies and practices in relation to personal data.

We may charge a reasonable fee for processing access requests, as permitted under the PDPO.

9.2. Limited Rights for Other Jurisdictions

To the extent applicable mandatory law grants you additional rights (such as under the GDPR or CCPA for residents of the EU/UK or California), we will comply with such laws only to the minimum extent legally required. Where the law permits exceptions, exemptions, or limitations, we reserve the right to invoke them.

9.3. Exercising Rights

To exercise any applicable right, contact us at support@tradetracktcg.com. We may require identity verification before responding.

9.4. Limitations

(a) Requests for deletion or erasure do not extend to anonymized or aggregated data, which is the Company's property; (b) We may refuse or limit requests where permitted by law, including where they are manifestly unfounded, excessive, or repetitive; (c) Deletion does not apply to data we are required to retain by law, for legitimate business purposes, or for the establishment, exercise, or defense of legal claims; (d) We may charge reasonable fees for processing requests where permitted by law.

10. Cookies and Tracking Technologies

10.1. We and our service providers use cookies, web beacons, pixels, local storage, session storage, and similar technologies to operate the Service, analyze usage, personalize content, deliver advertising, and for security purposes.

10.2. We may use third-party analytics tools (including PostHog) that may record sessions, capture mouse movements, clicks, scrolling, and page interactions.

10.3. You may disable cookies through your browser settings, but doing so may impair functionality of the Service.

10.4. We do not respond to "Do Not Track" browser signals.

11. Marketing Communications

11.1. By providing your email or contact information, you consent to receive marketing communications from us regarding the Service, new features, and related products.

11.2. You may opt out of marketing emails by following the unsubscribe link in any such email. Transactional, administrative, and security communications cannot be opted out of so long as you maintain an account.

12. Children's Privacy

12.1. The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18.

12.2. If we become aware that we have collected personal data from a child under 18 without verified parental consent, we will delete that information.

12.3. If you believe a child has provided us with personal data, contact us at support@tradetracktcg.com.

13. Third-Party Links and Services

13.1. The Service may contain links to, or integrations with, third-party websites and services not operated by us.

13.2. We are not responsible for the privacy practices, content, or policies of any third party. You should review the privacy policy of any third-party service before providing information.

14. Changes to this Policy

14.1. We reserve the absolute right to modify this Policy at any time, in our sole discretion, with or without notice.

14.2. Material changes will be indicated by updating the "Last Updated" date. We may, but are not obligated to, provide additional notice.

14.3. Your continued use of the Service after any change constitutes acceptance of the modified Policy. It is your responsibility to review this Policy periodically.

15. Governing Law

15.1. This Privacy Policy is governed by the laws of the Hong Kong Special Administrative Region, without regard to conflict of laws principles.

15.2. Any dispute relating to this Policy shall be resolved in accordance with the dispute resolution provisions of our Terms and Conditions, including mandatory HKIAC arbitration in Hong Kong.

16. Contact

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact:

TradeTrack TCG Sole Proprietorship Hong Kong SAR Email: support@tradetracktcg.com

BY USING THE SERVICE, YOU CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.