Privacy Policy
What we collect, why, and the control you have over it. Plain language, on purpose. Last updated 23 June 2026.
1. Who we are
card90 is a marketplace for sports cards operated from the Netherlands. For data-protection law we are the “controller” of the personal data described here. Questions or requests about your data: contact us at privacy@card90.com. (Final legal entity, address and DPO/representative details will be confirmed with a lawyer before public launch.)
2. What we collect
- Account & profile — your email, a username, country/region and (optionally) a password. If you sign in with Google we receive your email and basic profile, not your Google password.
- Listings & content — the cards you list, photos you upload, scans you submit, and messages and offers you exchange with other members.
- Region signal — your locale/time zone (and, by your browser, an approximate region) so we can default to “ships to my region”. You can override this any time in the top bar.
- Technical data — basic logs needed to run and secure the site (e.g. error logs, IP address handled by our hosting provider).
- Payments (Phase 2) — when payments go live, card and bank details are entered with and held by our payment provider (PayPal). card90 never sees or stores your card number.
3. Why we use it (and our legal basis)
- To run your account and the marketplace — list, search, message, make and receive offers (performance of our contract with you).
- To keep card90 safe — prevent fraud, spam and abuse, review flagged listings and scans (our legitimate interest in a trustworthy marketplace).
- To meet legal duties — tax, accounting and dispute records once payments are live (legal obligation).
- Optional emails — watchlist and offer alerts you ask for (consent, withdrawable any time).
4. Who can see it
Your username, region and listings are public so people can buy from you. The contents of your messages and offers are visible only to you and the other party. We share data only with the providers that run the service — our database/auth host (Supabase, EU region) and, in Phase 2, our payment provider (PayPal). We do not sell your data, and we show no advertising.
5. Where it lives & how long we keep it
Data is stored in the EU. We keep your account data while your account is open and for a short period after you close it; transaction records are kept as long as the law requires. You can ask us to delete your account at any time (see your rights below).
6. Cookies & local storage
We use only essential storage to run the site: a login/session cookie when you sign in, and small values saved in your browser for your theme, shipping region, cart and watchlist. We run no advertising or third-party analytics trackers, so there is nothing non-essential to refuse.
7. Your rights
Under the GDPR you can request access to your data, correction, deletion, a portable copy, and you can object to or ask us to restrict certain uses. You can also withdraw consent for optional emails at any time. Email privacy@card90.com and we'll respond within the legal time limit. You have the right to complain to your national data-protection authority (in the Netherlands, the Autoriteit Persoonsgegevens).
8. Children
card90 is not intended for people under 16. We don't knowingly collect data from children.
9. Changes
We'll update this page as the product grows (for example when payments launch) and change the date at the top. Material changes will be highlighted in the app.
This is a clear-language working draft, not legal advice. Final privacy (GDPR), payment (PSD2/escrow) and marketplace terms will be reviewed by a lawyer before live payments are enabled. See also our Terms & Buyer Protection.