Privacy
Last updated: May 29, 2026
PokeBible is a small Pokémon TCG collection tracker. This page describes, in plain language, what we collect about you, why, who it's shared with, and how you can delete it.
What we collect
We collect what's needed to run the product plus some product-analytics events that help us understand how it's used and where to improve. No marketing profiles, no advertising trackers, no cross-app tracking. Specifically:
- Email address — used to sign you in via magic-link. Stored alongside your account in our database.
- Your collection data — every card you add, wishlist, favorite set, price alert, target price, condition, quantity, optional cost-basis, optional acquisition date, and optional notes. All of it private to your account.
- Activity log — a per-account history of the mutations you've performed (cards added or removed, alerts set, etc.). Powers the activity feed on your dashboard.
- Snapshots of your portfolio value over time — one row per day, derived from your collection and the day's prices. Powers the dashboard chart.
- Session cookie — a signed token that proves you're signed in. Expires after 30 days of inactivity.
- IP address — used only at the moment of sign-in requests to rate-limit magic-link emails (so an attacker can't drain our email quota or spam you). Not stored beyond that check.
We do not collect: your real name (we never ask for it), payment information (the product is free), browsing history outside PokeBible, or any device identifiers beyond what your browser sends with each request.
Who has access
Your account data lives in our infrastructure. The third parties below each see a narrow slice of it because we use them to operate the product:
- Neon (database, EU region) — stores everything described above.
- Vercel (application hosting) — receives your requests in transit; doesn't persist your data.
- Cloudflare (DNS + image CDN) — serves card images. Doesn't see your account data.
- Resend (email delivery) — receives your email address and the magic-link URL when we send you a sign-in email.
- PostHog (product analytics, EU Cloud — Frankfurt) — receives the product-analytics events described in Analytics below. Receives a SHA-256 hash of your email so it can recognise you across sessions on your devices; never your raw email.
When you click an outbound link to a marketplace (TCGPlayer, Cardmarket, eBay, gradedcardcenter.com), that marketplace's own privacy policy applies from the moment you land on their page. We never share your account data with them.
Pricing data
Card prices shown on PokeBible are aggregated daily from public marketplace APIs and sitemaps. That data is about cards, not about you — it's not personal data and isn't tied to your account.
Analytics
We use PostHog to understand how PokeBible is used and to improve it over time. PostHog is a privacy-first product-analytics service. The data we send to PostHog is stored in the European Union (Frankfurt, Germany).
What we send. Events triggered by your interactions with the app — for example: opening the app, viewing a card, adding to your collection, setting a price alert. Each event includes its name, a few descriptive properties (e.g. which tab you tapped, the currency you've set, the language of the price you viewed), the version of the app, your device model, and the country your device was set to when you first installed the app.
What we never send to PostHog. We never send your raw email address — only a one-way SHA-256 hash, so PostHog can recognise you across sessions on your devices without knowing who you are. We never send: passwords, payment details, location beyond country, contact lists, or photos from the card-scan feature (those are processed entirely on your device and are not uploaded).
Tracking. PokeBible does not track you across other apps or websites. We do not use the iOS Advertising Identifier (IDFA) and do not share your data with advertising networks. iOS does not show you an App Tracking Transparency prompt for PokeBible because we have nothing to track you across.
Opt-out. You can turn off all analytics data sharing at any time from the Me tab → Preferences → Share usage data. When off, no analytics events leave your device.
Retention. Analytics events are kept for up to 7 years by default in PostHog. You can request deletion of your data by emailing pierre@pokebible.app, or by deleting your account from the Me tab — which permanently removes your account data, including the analytics events tied to it.
Data processor agreement. Our use of PostHog is governed by their published Data Processing Agreement, available at posthog.com/dpa.
Cookies and browser storage
The cookies below are strictly necessary for the service you've requested and are set without consent — under both the EU ePrivacy Directive and the GDPR, strictly-necessary cookies are exempt from the consent requirement.
- authjs.session-token — your session cookie when signed in. HTTP-only, Secure, SameSite=Lax. Removed on sign-out or after ~30 days of inactivity.
- ui-lang — remembers whether you clicked EN or FR on the language toggle. SameSite=Lax, ~1 year.
- pokebible_welcome_seen — set when you dismiss the first-visit welcome modal so it doesn't show again. SameSite=Lax, ~1 year.
- pokebible_consent — records your cookie choice (accept or decline) so we don't ask again. SameSite=Lax, ~1 year.
We also use a few localStorage entries for view preferences (grid vs list, theme, sort order). These never leave your browser and are never sent to our servers.
Analytics cookies — only with your consent. If you accept analytics in the cookie banner, we load PostHog's browser library (posthog-js) to understand how the site is used — pages viewed, sessions, traffic sources and approximate location — which sets PostHog cookies on pokebible.app. If you decline, none of that loads and no analytics cookie is set; the site stays fully functional either way. PostHog data is stored in the EU. You can change or withdraw your choice at any time:
Separately, we run server-side product analytics (PostHog, via our own server) that is cookieless: anonymous visitors are attributed by a short SHA-256 hash of IP + user-agent that is computed per request and never written to your device; signed-in visitors are attributed by account id. We also load Sentry in the browser for error monitoring (and a short session replay only when an error occurs) so we can fix crashes — it is not used for analytics or advertising.
Visiting Stripe's hosted Checkout page during a Pro subscription will cause Stripe's own cookies to be set on stripe.com (not on pokebible.app) — these are required for fraud prevention and 3-D Secure authentication and are exempt from consent under the same "strictly necessary" rule. They're governed by Stripe's privacy policy.
Your rights
Under the GDPR you can:
- Access — request a copy of everything we hold about you.
- Correct — fix anything that's wrong.
- Delete — wipe your account and every related row (collection, wishlist, alerts, activity log, snapshots). Cascade deletion is configured in our database so deleting your user record removes everything tied to it.
- Port — receive your data in a machine-readable format.
- Object — to any specific processing.
Email pierre@pokebible.app and we'll action any of the above within 30 days.
Retention
We keep your account data for as long as your account exists. When you delete your account, your data is removed immediately (cascading hard delete — no soft-delete recycle bin). Operational backups containing the deleted data roll off within 30 days.
Changes to this policy
When we make meaningful changes, we update the "Last updated" date at the top and email anyone with an active account. Minor wording fixes don't trigger a notification.
Contact
Questions about anything on this page: pierre@pokebible.app.