Privacy Policy
Last updated: March 2026
1. Data Controller
Grimoria
Via dei Panciatichi 5/R, 50141 Firenze, Italy
P.IVA: 02463310462
Email: privacy@grimoria.app
Grimoria is the data controller responsible for your personal data as described in this Privacy Policy.
2. Data We Collect
We collect and process the following categories of data:
- Account data: Email address, username, and password (stored as a bcrypt hash; we never store your plain-text password)
- Collection data: Your card collections, decks, wishlists, binder organization, and trade lists
- Usage data: Anonymous page views and interaction events collected via Umami (self-hosted, cookieless analytics; no personal data is collected)
- Device data: Truncated user agent string (max 256 characters) stored only in cookie consent records for audit purposes
- Communication data: Email address used for transactional emails (account verification, password reset, notifications)
3. How We Use Your Data
We use your data for the following purposes:
- Service provision: To create and manage your account, store your card collections, enable deck building, and provide price tracking
- Analytics: To understand how visitors use Grimoria and improve the service (anonymous, cookieless analytics via Umami)
- Communication: To send transactional emails (account verification, password reset, security notifications) via Resend
- Security: To protect against unauthorized access, abuse, and fraud
- Future: Affiliate attribution: When affiliate links are implemented, to track purchase referrals to card marketplaces (only when you consent to marketing cookies)
4. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR:
- Contract (Art. 6(1)(b)): Processing necessary for the performance of our service: creating your account, storing your collections, enabling deck building
- Legitimate interest (Art. 6(1)(f)): Processing necessary for security, fraud prevention, and service improvement
- Consent (Art. 6(1)(a)): Analytics tracking and marketing/affiliate cookies, only activated when you explicitly consent via our cookie banner
5. Data Sharing & Third Parties
We share data with the following third parties:
- Scryfall (scryfall.com): We fetch card data (names, images, prices) from Scryfall's public API. No user personal data is sent to Scryfall.
- EDHREC (edhrec.com): We fetch commander/deck statistics. No user personal data is sent to EDHREC.
- Resend (resend.com): Our email delivery provider. Resend processes your email address to deliver transactional emails. Resend is based in the US and operates under Standard Contractual Clauses.
- Hetzner (hetzner.com): Our hosting provider. All Grimoria servers are located in Germany (EU). Hetzner is a data processor under our Data Processing Agreement.
- Future: TCGPlayer, CardMarket, CardTrader, Amazon: When affiliate links are implemented, these marketplaces may receive referral data. Their cookies will only be set if you consent to marketing cookies.
7. Your Rights
Under GDPR (Articles 15-22), you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate personal data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to restriction (Art. 18): Request restriction of processing
- Right to withdraw consent (Art. 7(3)): Withdraw consent for analytics or marketing cookies at any time via the cookie banner or "Manage Cookies" in the footer
To exercise any of these rights, contact us at privacy@grimoria.app. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority for Italy is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
8. Data Retention
We retain your data as follows:
- Account data: Retained while your account is active. Upon account deletion, your data enters a 30-day soft-delete grace period (allowing recovery), after which it is permanently deleted.
- Analytics data: Anonymous analytics data is retained for 24 months on a rolling basis, then automatically deleted.
- Consent records: Retained for the duration required for compliance auditing purposes.
- Transactional emails: Email delivery logs retained by Resend per their data retention policy.
9. International Data Transfers
Your data is primarily stored and processed within the EU:
- Hetzner (Germany): All Grimoria servers, databases, and backups are hosted in Germany.
- Scryfall & EDHREC (US): We fetch card data from their public APIs. No user personal data is sent to these services.
- Resend (US): Processes email addresses for transactional email delivery. Resend operates under Standard Contractual Clauses (SCCs) to ensure adequate data protection for EU-US transfers.
10. Security
We implement appropriate technical and organizational measures to protect your personal data:
- Passwords are hashed using bcrypt (never stored in plain text)
- Authentication via JSON Web Tokens (JWT) with 7-day expiry
- All communications encrypted via HTTPS/TLS
- Server-level firewalls and rate limiting
- Regular security updates and dependency auditing
- IP addresses in consent records are SHA-256 hashed (never stored raw)
11. Children's Privacy
Grimoria is not intended for children under the age of 16 (in accordance with GDPR Article 8). We do not knowingly collect personal data from children under 16. If you are under 16, please do not create an account or provide any personal data.
If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
For material changes, we will notify you via email at least 30 days before the changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised.
Continued use of Grimoria after the notice period constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions, requests, or concerns:
Email: privacy@grimoria.app
Supervisory Authority: If you are unsatisfied with our response, you may contact the Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) at www.garanteprivacy.it.