Privacy Policy

Last updated: May 22, 2026

This Privacy Policy explains how MatchedCards ("we", "us", "our") collects, uses, and protects your personal data when you use matched.cards (the "Service"). It applies to all visitors and registered users.

1. Data controller

The data controller responsible for your personal data is the operator of theMatchedCards service. You can contact us at [email protected] for any privacy-related question or to exercise your rights described below.

2. What data we collect

  • Account data: your email address and a hashed password (or, if you sign in with Google, the basic profile fields Google returns).
  • User content: images you upload as symbols, project and card data you create.
  • Payment data: order identifier, product purchased and amount paid. Card details are processed by Polar.sh and never reach our servers.
  • Usage analytics: aggregated funnel events (e.g. "project_create", "export_pdf") tied to your user identifier when you are signed in, or unlinked otherwise. We do not use third-party trackers, advertising cookies, or fingerprinting.
  • Technical logs: standard server logs (IP, user agent, timestamps) generated by our infrastructure providers for security and abuse prevention.

3. Legal basis

  • Contract performance (Art. 6(1)(b) GDPR) — to provide the account, process payments and deliver the Service.
  • Legitimate interest (Art. 6(1)(f) GDPR) — to maintain product analytics, prevent abuse and keep the Service secure. We do not use this data for cross-site tracking or advertising.
  • Consent (Art. 6(1)(a) GDPR) — for any optional processing you explicitly agree to (for example, marketing emails, if introduced in the future).

4. Sub-processors

We rely on the following third-party providers, all bound by data-processing agreements:

  • Supabase — authentication, database, file storage, edge functions and transactional email.
  • Cloudflare R2 — storage for symbol images.
  • Polar.sh — payment processing.
  • DigitalOcean — application hosting.
  • Google — OAuth sign-in and Google Fonts CDN.

5. Data location and international transfers

Your account data, projects and analytics events are stored in the European Union (Supabase, region: Central Europe / Zurich). Symbol images are stored in Cloudflare R2 with global edge replication. Payment processing is performed by Polar.sh in the United States. Application hosting is provided by DigitalOcean.

Any transfer of personal data outside the EEA is covered by the European Commission's Standard Contractual Clauses (SCCs) and the recipient's additional safeguards.

6. Cookies and local storage

The Service uses only strictly necessary cookies and browser storage:

  • Authentication state stored by Supabase in localStorage— required to keep you signed in.
  • Draft persistence in localStorage and IndexedDB — required to save your unsaved work between sessions.
  • UI preferences (e.g. sidebar:state cookie) — required for interface state.

We do not use analytics cookies, advertising trackers, or any third-party cookie that would require prior consent under the ePrivacy Directive.

7. Data retention

Personal data is kept while your account is active. When you delete your account, we erase your projects, symbols, card designs and uploaded images, and we delete or anonymise associated records:

  • Account row, projects, symbols, cards, purchases — permanently deleted.
  • Stored images on Cloudflare R2 — permanently deleted.
  • Funnel analytics events — the link to your user identifier is removed; the remaining event records are anonymised and retained for aggregate product analytics.

Provider logs (Supabase, DigitalOcean, Cloudflare) follow each provider's retention policies, typically 7-90 days.

8. Your rights

Depending on where you reside, you may rely on the GDPR (EU/EEA), the UK GDPR, or other applicable laws. You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request erasure (you can delete your account from the Dashboard at any time).
  • Request a portable export of your data.
  • Object to or restrict processing based on legitimate interest.
  • Withdraw any consent you previously gave.
  • Lodge a complaint with your local Data Protection Authority — for example, your national DPA in the EU/EEA (see the European Data Protection Board) or the Information Commissioner's Office (ICO) in the UK.

To exercise any of these rights, email [email protected]. We respond within one month, and we will not charge a fee for routine requests.

9. Account deletion

You can permanently delete your account at any time from the Dashboard → user menu → Delete Account. The action is irreversible and erases all data as described in section 7.

10. Children

The Service is intended for adults creating card games (often for use with children at home). We do not knowingly collect personal data from children under 16. If you believe a child has created an account, contact us and we will delete it.

11. Security

We protect your data with industry-standard measures: HTTPS for all traffic, password hashing managed by Supabase, row-level security in our database, and least-privilege access for our infrastructure. No system is perfectly secure — please report vulnerabilities to [email protected].

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or via a notice in the app before they take effect. The "Last updated" date above always reflects the current version.

13. Contact

Questions or complaints about this policy: [email protected].

Not affiliated with Asmodee Group. DOBBLE and SPOT IT! are trademarks of Asmodee Group.

Terms of Service