privacy policy

how we collect, use, and protect your information.

1. Who we are

This privacy policy applies to folio, a portfolio tracking app for trading card game collectors, operated by FOLIOTCG LTD (company registration number SC885042, registered in Scotland).

We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this policy or about your personal data, you can contact us at privacy@foliotcg.com.

2. What information we collect

2.1 Account information

When you sign up to folio or join our waitlist, we collect:

• Your email address (required)
• A password (stored as a secure hash — we never store your actual password)
• A display name (optional, used for social features)

2.2 Collection data

When you use folio, we store the information you add about your collection:

• The cards you own, along with details like quantity, condition, and purchase price
• Your binders, wishlists, and trade lists
• Optional notes you add to cards or collections

2.3 Scan images

If you use the card scanner feature, we store the photos you take. These are used to:

• Identify the card via our card recognition provider, Ximilar (a service operated by Ximilar s.r.o., based in the Czech Republic)
• Improve our card identification systems over time, including the development of an in-house recognition model
• Troubleshoot issues with identification when they occur

Each scan creates a record containing the image you took, the card we believe it to be, and our confidence in that match. Images are sent to Ximilar over an encrypted connection at the moment of scanning, and stored on our infrastructure (hosted by Supabase, with data centres in the European Union) for as long as you have an account with us.

We do not publicly display scan images, share them with advertisers, or sell them to anyone. Ximilar processes the image to return an identification and does not retain the image for their own purposes beyond what's required to provide the service. When you delete your account, your scan images and scan history are deleted alongside your other data.

If you'd like a specific scan removed without deleting your account, email privacy@foliotcg.com.

2.4 Usage data

When you use folio, our hosting providers (Render and Railway) automatically log basic technical information needed to operate the service:

• Device information (type, operating system, browser)
• IP address (held by our hosting providers, not stored in our application database)
• Pages or features you interact with
• Date and time of your visits

This is used to maintain the service, prevent abuse, and understand which features are working well. We do not currently use any analytics or tracking products. If we add analytics in future, we will update this policy and use privacy-respecting tools that do not require a cookie banner under UK PECR regulations.

2.5 What we don't collect

We don't collect your payment card details (the app is free and we don't process payments at this time). We don't collect your precise location unless you explicitly enable trade discovery features. We don't access your contacts, photos (other than ones you scan), or other device data.

3. How we use your information

We use your personal data to:

• Provide the service — display your collection, track prices, match trades, identify cards from photos
• Communicate with you — send waitlist updates, launch notifications, and important service messages
• Improve folio — understand which features are useful, fix bugs, train better card identification over time
• Protect the service — prevent abuse, fraud, and unauthorized access
• Comply with legal obligations — respond to legal requests where required

4. Legal basis for processing

Under UK GDPR, we process your data based on:

• Contract — we need to process your data to provide the service you've signed up for
• Legitimate interests — improving our systems, security, and understanding our users, where these don't override your rights
• Consent — for optional features like marketing emails, which you can opt out of at any time
• Legal obligation — where we're required to process data by law

5. Pricing data and third-party sources

folio aggregates pricing information from third-party sources to value your collection. These currently include:

• Cardmarket — publicly available daily price data, used under their public data availability
• eBay — public sold listings data, accessed via eBay's Developer API with appropriate permissions
• First-party sales data — in future, prices from trades that occur within folio itself (if you use trading features)

This pricing data is not personal — it's market data about cards. We store it in our catalogue and use it to value users' collections.

6. Who we share your information with

We don't sell your personal data. We share it only with:

• Service providers — companies that help us run folio, including Supabase (database hosting), Railway (server hosting), Render (frontend hosting), and Ximilar (card image recognition). These providers are bound by contracts requiring them to protect your data.
• Legal authorities — where we're required to by law, for example in response to a valid court order or law enforcement request
• Successor entities — if folio is acquired, merged, or reorganized, your data may transfer to the successor, subject to the same protections as this policy

We don't share your personal data with advertisers, data brokers, or anyone else for commercial purposes.

7. International data transfers

Some of our service providers may process data outside the UK (for example, in the EU or US). Where this happens, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office.

8. How long we keep your data

We keep your personal data only as long as needed:

• Account data — while your account is active. When you delete your account, this data is removed immediately from our active database, and removed from encrypted backups within 7 days (see section 8.1).
• Scan images — for as long as your account is active; deleted with your account
• Usage logs — up to 12 months, then deleted or anonymized
• Waitlist emails — until you unsubscribe or request deletion

8.1 How to delete your account

You can delete your account at any time from within the app: open the profile menu and tap Delete account. You'll be asked to re-enter your password (or confirm via your sign-in provider) to prevent accidental deletion.

If you can't access your account — for example, you've lost access to your email — you can request deletion by emailing privacy@foliotcg.com from any contact details associated with the account. We'll ask for reasonable evidence of identity before processing the request.

When you delete your account, we remove:

• Your account record (email, password hash, profile)
• Your collection items, binders, custom collections, and wishlists
• Your scan history and uploaded scan images
• Any portfolio history or value snapshots tied to your account
• Card reports you've submitted

Backups. For up to 7 days after deletion, your account data may persist in encrypted database backups used for disaster recovery. These backups are not accessed or processed for any purpose other than service restoration after a catastrophic failure, and are automatically purged on the 7-day rolling cycle. After this window, no copy of your personal data remains in our systems.

Anonymized contributions. Aggregate, non-identifying contributions you may have made to our card identification training dataset (e.g. confirmed scan-to-card mappings) may be retained in anonymized form so that the model is not degraded by your deletion. These records contain no personal data and cannot be linked back to you.

Returning to folio. After deletion, you can sign up again with the same email address — you'll start fresh with no link to the old account.

9. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — ask us to delete your data ("right to be forgotten")
• Restriction — ask us to limit how we process your data
• Portability — request your data in a machine-readable format
• Objection — object to processing based on our legitimate interests
• Withdraw consent — where we process data based on your consent, you can withdraw it at any time

To exercise any of these rights, email privacy@foliotcg.com. We'll respond within 30 days.

If you're unhappy with how we've handled your data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

10. Security

We take security seriously. We use encryption in transit (HTTPS), encryption at rest for sensitive data, secure password hashing, and access controls to limit who can access user data internally.

No system is 100% secure, but we follow industry-standard practices and will notify affected users and the ICO promptly if a data breach affecting personal data occurs, as required by law.

11. Cookies

folio uses a small number of cookies and similar technologies for essential functionality:

• Authentication cookies — to keep you logged in
• Preference cookies — to remember settings like your preferred theme

We don't use advertising or tracking cookies. We don't use third-party cookies for marketing purposes. If we add analytics in future, we'll use privacy-respecting tools that don't require a cookie banner under UK PECR regulations.

12. Children

folio is not intended for users under 13. We don't knowingly collect data from children under 13. If you believe a child has provided us with personal data, please contact us and we'll delete it.

For users aged 13 to 17, we recommend using folio with the awareness and permission of a parent or guardian.

13. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we'll notify you by email or via a notice in the app before the changes take effect. The "last updated" date at the top of this policy always reflects the most recent version.

14. Contact us

For any questions about this privacy policy, to exercise your data rights, or to report a privacy concern, email us at privacy@foliotcg.com.

For general support, you can also reach us at hello@foliotcg.com.