Legal

Privacy Policy

Last updated · 2026-05-27

Short version

  • ScryBrew is offline-first. Your collection, decks, and scan history live in your browser.
  • We collect the minimum needed to run the Service and never sell your data.
  • Card images and data come from Scryfall’s public API.
  • You can export or delete your data at any time.

1. What we store locally

The following data lives in your browser’s IndexedDB and never leaves your device unless you sign in:

  • Your collection (card IDs and quantities)
  • Your decks
  • Scan history and OCR results
  • UI preferences

2. What we collect when you sign in

If you create an account, we collect:

  • Email address (for login and account recovery)
  • An anonymous user ID
  • The data you opt to sync (collection, decks)
  • Basic auth metadata (last sign-in, IP for security)

We do not collect your real name, phone number, or location beyond what your IP reveals.

3. Third parties

Scryfall:Card data and images load from Scryfall’s public API (scryfall.com). Their servers see your IP when fetching cards. We do not send them anything about you.

Supabase hosts our database and authentication. Cloudflare provides CDN and bot protection. Stripe processes payments for premium subscriptions. None of these vendors receive your collection or deck data unless required to provide the Service.

4. Cookies

We use only strictly-necessary cookies (session, auth, CSRF). We do not run analytics, advertising, or tracking cookies.

5. Your rights (GDPR / CCPA)

If you are in the EU, UK, or California, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Export your data in a portable format
  • Object to processing or restrict it

The profile page lets you export and delete your account. For other requests, email [email protected].

6. Children

ScryBrew is not directed at children under 13. We do not knowingly collect data from children under 13. The leaderboard opt-in requires an age confirmation.

7. Security

We use TLS in transit, encryption at rest, and Supabase Row-Level Security to scope your data to you. No system is 100% secure; if we learn of a breach affecting your data, we will notify you promptly.

8. Changes

We may update this Policy. Material changes will be flagged in-app and at the top of this page.