Privacy Policy

Last updated: 2026-05-03

This Privacy Policy describes our current data handling practices. Final legal review is in progress; this document may be updated before public launch.

1. Who we are

CardBase operates an online peer-to-peer marketplace for sports and collectible cards. For the purposes of the EU GDPR, CardBase is the controller of personal data collected on its platform, except where explicitly stated otherwise, such as payment data processed directly by Stripe.

2. What data we collect

  • Account data: email address, display name, country, hashed password, authentication cookies.
  • Profile and seller data: shipping address, shipping fees, Stripe Connect onboarding status, and connected account identifier.
  • Listing and collection data: card details, photos, prices, condition.
  • Orders and messages: order history, shipping and delivery status, and messages exchanged with other users or support.
  • Technical data: IP address, user-agent, device and browser information, and basic log data for security and abuse prevention.

3. How we use data

  • To operate the marketplace and your account.
  • To process orders, payments, and payouts.
  • To send transactional emails, such as welcome, order placed, order shipped, and password reset emails.
  • To provide support and resolve disputes.
  • To prevent fraud, abuse, and security incidents, and to comply with legal obligations.

4. Processors and third parties

We share the minimum necessary amount of data with the following processors:

  • Stripe — payments, payouts, and Connect onboarding. Stripe is an independent controller for payment data.
  • Mailtrap — sending transactional emails.
  • FoxPost — parcel point selection and tracking when the buyer selects FoxPost shipping.
  • Cloud infrastructure / object storage — hosting the application and storing uploaded images.
  • Public statistics providers — CardBase fetches NBA and API-Football data; these providers do not receive user data.

5. Cookies

We use a small number of cookies, all of which are necessary for the service to function:

  • An HttpOnly authentication cookie that keeps you signed in.
  • In the test environment (cardbase.hende.org), an additional cookie issued by the staging gate to restrict public access during development.
  • Stripe may set its own cookies as part of the payment flow.

We do not use advertising or cross-site tracking cookies.

6. Retention

We retain account, listing, and order data while your account is active and for as long as needed to meet tax, accounting, and legal obligations. Support messages are retained for a reasonable period to resolve and reference previous cases.

7. Your rights

If you are in the EU/EEA, you have the right to access, correct, delete, restrict, and port your personal data, and to object to certain processing. You can exercise these rights through support. We verify your identity before fulfilling a request.

8. Security

Passwords are stored hashed. Authentication tokens are issued as HttpOnly cookies, not stored in browser storage. Communication with the platform is encrypted in transit (HTTPS).

9. Changes

We may update this Policy. Material changes will be posted here with a new "Last updated" date.

10. Contact

For privacy questions or to exercise your rights, open a ticket with Support.