PRIVACY POLICY
What data PokeDen stores, why, and what you can do about it.
Last updated: May 10, 2026
PokeDen (“we”, “our”, “the Service”) is operated as an independent fan project. This policy explains what personal information we collect, how we use it, and the third parties that help run the site. Plain English first, legalese only where it matters.
1. Who we are
PokeDen is operated by an independent developer based in the United States. The site is hosted at pokeden.io. For all privacy-related requests, see the contact page.
2. What we collect
When you sign up
If you choose to create a PokeDen account, we collect:
- Email address — used to log you in, send a confirmation link on signup, and recover your account.
- Display name — what shows on your trainer card and (if you make your portfolio public) on your public page.
- Avatar image URL — only if you sign in with Google, in which case Google provides a profile photo URL we store.
We do not collect or store your password directly. Passwords are handled by Supabase Auth (our authentication provider) using industry-standard bcrypt hashing.
When you use the site
- Cards you add to your collection, the condition, grading info, purchase price, and notes you enter — used to compute your portfolio value and history.
- Public portfolio settings if you choose to publish a public portfolio: the slug you pick, your bio, social handles, theme/accent choices, and which cards you feature.
- Pack-simulator pulls that qualify for the public leaderboard — only your display name, the card pulled, and the market price are stored. Bulk-pack pulls are excluded entirely.
- Anonymous portfolio view counts for public portfolio pages, used to display the “visits” indicator. We don't associate views with specific visitors.
Automatic technical data
- Cookies for authentication — required to keep you logged in across page loads. These are first-party session cookies set by Supabase Auth.
- Analytics — we use Google Analytics 4 to understand which tools and pages get used. Google Analytics stores anonymous usage data (pages visited, approximate location, device type) and may set its own cookies.
- Advertising — pages may display ads from Google AdSense once enabled. AdSense and its partners may use cookies and similar technologies to personalize the ads shown. See “Ads and third-party services” below for opt-out information.
- Server logs — our hosting provider (Vercel) keeps standard request logs (IP address, request path, response code, user agent) for a short retention window for security and debugging.
3. How we use your data
We use the data above to:
- Provide the core service — show your collection, compute values, run the simulator.
- Keep you signed in across sessions.
- Send transactional emails (signup confirmation, password reset).
- Display your public portfolio if and only if you opt into making it public.
- Operate the public pack-sim leaderboard with your chosen display name.
- Understand which tools are working and which aren't (analytics).
- Show ads to keep the service free (when ads are active).
- Detect abuse, fix bugs, and respond to your support requests.
We do not sell your personal information to anyone. We do not use your collection data, pull history, or watchlist for any purpose other than running the site for you.
4. Ads and third-party services
PokeDen relies on the following third parties to operate. Each has its own privacy policy that governs the data they handle:
- Supabase (hosting our database and authentication) — see supabase.com/privacy.
- Vercel (web hosting) — vercel.com/legal/privacy-policy.
- Google Analytics (anonymous traffic analytics) — policies.google.com/privacy.
- Google AdSense (advertising, when enabled). Google and its partners use cookies to serve ads based on your visits to this site and other sites. You can opt out of personalized advertising at adssettings.google.com or visit aboutads.info for industry-wide opt-outs.
- Pokémon TCG API (pokemontcg.io), PokemonPriceTracker, and PokéAPI — we make outbound API calls to these services to fetch card data and prices. We do not transmit any personal information about you to them.
5. Cookies
PokeDen uses cookies for the following purposes only:
- Essential cookies — keeping you logged in, persisting CSRF tokens, remembering your preferences (e.g. preferred pack quantity, auto-reveal toggle).
- Analytics cookies — set by Google Analytics to measure traffic. Anonymous, no PII.
- Advertising cookies — set by Google AdSense and its partners when ads are active. Used to show relevant ads and measure ad performance. Subject to your opt-out preferences at the links in the section above.
6. Your rights
You can, at any time:
- Access any data we have about you by signing in and visiting your dashboard, collection, or settings page.
- Update your profile, email, password, and collection through the same pages.
- Make your portfolio private at any time via the customize portfolio page; this immediately removes your public portfolio from indexing and from public view.
- Request deletion of your account and all associated data by contacting us via the contact page. We'll process the request within 30 days.
If you're in California (CCPA), the EU (GDPR), or another jurisdiction with specific data-protection laws, the rights above satisfy the standard access, rectification, and erasure requirements. Contact us if you want to invoke a specific right by name.
7. Children
PokeDen is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe a child under 13 has provided us with personal information, please contact us via the contact page and we will remove the information immediately.
8. Data retention
Your account data is retained while your account is active. Public-portfolio view counts are retained indefinitely as aggregate counters with no per-visitor data. Server access logs retained by Vercel are kept according to their policy. When you delete your account, all directly identifying data (email, display name, collection cards, portfolio settings, pull history) is removed within 30 days.
9. Security
Account passwords are hashed by Supabase Auth using bcrypt. Data in transit is encrypted via HTTPS. Database connections use SSL. No system is ever 100% secure, but we follow current best-practice defaults from our hosting and database providers.
10. Changes to this policy
We may update this policy from time to time. When we do, we'll update the “Last updated” date at the top of the page. Material changes will be announced on the homepage or via email if they affect existing users meaningfully.
11. Contact
For privacy questions, data deletion requests, or anything else, please use the contact page. We aim to respond within a few business days.