Privacy Policy — Sleevee

1. Introduction

Sleevee (“we,” “us,” or “our”) operates the Sleevee website and mobile-accessible web application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.

By using Sleevee, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Information You Provide

Account information: email address, password (stored as a secure hash), display name, and username.
Profile information: avatar image URL and display preferences.
Collection data: cards you add, card conditions, purchase prices, notes, binder layouts, tags, and organizational preferences.
Payment information: processed securely by Stripe. We do not store credit card numbers. We retain your Stripe customer ID and subscription ID for billing management.
Communications: any information you provide when contacting support.

2.2 Information Collected Automatically

Usage data: pages visited, features used, search queries, binder creation and editing activity, and interaction events via Mixpanel analytics.
Device and browser data: browser type, operating system, screen resolution, and general location (derived from IP address).
Session data: authentication tokens stored in HTTP-only cookies with a 30-day expiration.
Security data: IP addresses for rate limiting and fraud prevention, failed login attempt counts, and reCAPTCHA verification tokens (processed by Google).

2.3 Information from Third Parties

Card pricing data: market prices sourced from third-party trading card APIs (e.g., TCGPlayer, CardMarket) used to display estimated values in your portfolio.

3. How We Use Your Information

To provide, operate, and maintain the Service.
To manage your account, including authentication and security features (e.g., two-factor authentication).
To process subscription payments through Stripe.
To display estimated market values and portfolio analytics based on third-party pricing data.
To send transactional emails (password resets, account notifications) via Resend.
To analyze usage patterns and improve the Service via Mixpanel analytics.
To detect, prevent, and address fraud, abuse, and security issues (via reCAPTCHA and rate limiting).
To comply with legal obligations.

4. Third-Party Services

We share data with the following third-party services, each governed by their own privacy policies:

Stripe: payment processing. Receives your email and payment details.
Mixpanel: product analytics. Receives anonymized usage events and your user ID.
Google reCAPTCHA v3: bot protection. May collect browser and interaction data.
Resend: transactional email delivery. Receives your email address.
Anthropic (Claude API): card scanning feature (Pro tier only). Card images you scan may be processed by the Anthropic API.
Third-party card pricing APIs: we send card identifiers to retrieve market pricing. No personal information is shared with these providers.

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

5. Cookies and Tracking

Sleevee uses HTTP-only session cookies for authentication. These are essential cookies required for the Service to function. We also use Mixpanel for analytics, which may set cookies or use local storage to track usage patterns.

You can control cookie settings through your browser preferences, though disabling essential cookies may prevent you from using the Service.

6. Data Security

We implement industry-standard security measures to protect your data, including:

Passwords hashed with bcrypt (cost factor 12).
HTTP-only, secure session cookies.
Rate limiting on authentication endpoints.
Optional two-factor authentication (TOTP).
Encrypted connections via HTTPS.

While we strive to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your account data for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, financial record-keeping).

Anonymized analytics data may be retained indefinitely for product improvement.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your account and associated data.
Export your data in a portable format.
Opt out of non-essential analytics tracking.
Withdraw consent for data processing where consent is the legal basis.

To exercise any of these rights, please contact us at the email provided below. We will respond to requests within 30 days.

9. Children's Privacy

Sleevee is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us immediately.

10. International Users

Sleevee is operated from Canada. If you access the Service from outside Canada, your information may be transferred to and processed in Canada or other jurisdictions. By using the Service, you consent to this transfer. We comply with applicable data protection laws, including PIPEDA (Canada) and, where applicable, GDPR (EU) and CCPA (California).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or an in-app notice. Continued use of the Service after changes constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

Email: privacy@sleevee.app