Privacy Policy

Last updated: 2026-05-17

Plain-English summary (not legally binding): We collect the data we need to run the Service — your account info, the photos you upload, basic device/usage data, and payment data through Stripe. We share data only with the third-party providers that actually run parts of the Service (Stripe, eBay, Firebase, Anthropic, AWS, etc.). We don't sell your data. You can ask us to delete it. We don't allow anyone under 18 to use the Service. If you live outside the U.S. or Canada, this Service is not for you (yet).

1. Who we are

This Privacy Policy describes how Rebellion LLC ("Rebel Cards", "we", "us", "our") collects, uses, and shares information when you use rebel-cards.com and the related mobile applications (the "Service").

Business address: [OPERATOR REVIEW: insert mailing address]

Privacy contact: legal@rebel-cards.com

2. Scope and audience

The Service is intended only for users who are 18 or older and who reside in the United States or Canada. We do not knowingly collect data from anyone under 18 or from anyone in the European Union, United Kingdom, or other jurisdictions with stricter data-protection regimes. If you are in those regions, please do not use the Service.

3. Information we collect

3.1 Information you provide

  • Account information: email address, display name, authentication provider (typically Google via Firebase).
  • Profile data: business name (for sellers), shipping/return address (if you opt into custody), phone number (optional).
  • Card content: photos of cards you scan or upload, condition notes, prices, descriptions.
  • Marketplace credentials: OAuth tokens we hold on your behalf to post to eBay (we never see your eBay password).
  • Support communications: messages you send us, including any attachments.

3.2 Information collected automatically

  • Device and technical data: IP address, browser type, operating system, device identifiers, app version, language, time zone.
  • Usage data: pages visited, features invoked, click events, error reports, performance traces.
  • Camera and microphone (with permission): in-app card scanning uses your device camera; voice features use your microphone. We do not record audio outside of a voice command session.
  • Cookies and similar technologies: we use first-party session cookies for authentication and a small set of first-party analytics events. We do not currently use third-party advertising trackers.

3.3 Information from third parties

  • Stripe: payment status, last four digits of card, billing country, fraud signals. We do not receive or store your full card number.
  • eBay (via OAuth you authorize): your seller account data, listing status, order data, fee data — limited to the scopes you grant.
  • PSA (if you opt into custody): grade results, cert numbers, slabbed-card photos for cards we submitted on your behalf.

4. Why we use the information ("purposes")

  • To run the Service: authenticate you, store your inventory, run AI grading and pricing, post listings to eBay, process payments, ship cards in custody.
  • To improve our models: we use anonymized photo and grade data to train and evaluate our AI grading and pricing models. (You can opt out by emailing the privacy contact above.)
  • To communicate with you: transactional emails (receipts, password resets, custody status), service announcements, support replies. We send marketing only if you opted in.
  • For safety, fraud prevention, and legal compliance: detecting abuse, complying with subpoenas and lawful requests, enforcing our Terms.
  • For business analytics: aggregate usage trends, feature adoption, conversion rates. No individual user is identified in this analysis.

5. How we share the information

We share information only with the following categories of recipients:

Recipient | Purpose | Data shared
Stripe, Inc. | Payment processing | Email, billing address, payment-card details (entered directly on Stripe-hosted forms), purchase amounts
eBay Inc. | Marketplace listing | Listing content you create, OAuth-scoped seller-account data
Google LLC / Firebase | Authentication | Email, display name, OAuth token
Anthropic, PBC | AI grading, chat features, pricing analysis | Card photos, card metadata, conversation prompts
Amazon Web Services, Inc. | Hosting, storage, databases | All Service data is hosted on AWS infrastructure (US regions)
Sentry | Error monitoring | Stack traces, browser type, user identifier (pseudonymized)
Deepgram | Speech-to-text for voice features | Audio segments captured during voice commands
PSA (Professional Sports Authenticator) | Submission of cards in custody | Card identifying details, submitter information
Shipping carriers (USPS, UPS, FedEx) | Card shipping | Name, shipping address, declared value

We do not sell your personal information. We do not share personal information with advertising networks. We do not allow third parties to use the data we share with them for their own purposes (other than as required to provide their service to us).

We may disclose information when legally required (subpoena, court order, lawful government request), or when necessary to protect our rights, property, or safety, or in connection with a business transfer (merger, acquisition, sale of assets), in which case we will notify affected users.

6. Where the data lives and how long we keep it

All Service data is stored in AWS data centers in the United States.

Retention periods:

  • Account data: retained while your account is active, plus up to 90 days after account deletion for backup recovery, then permanently deleted.
  • Card photos and inventory: same as account data.
  • Payment records: retained for 7 years to comply with U.S. tax and accounting requirements.
  • Support communications: retained for 2 years.
  • Error logs and audit trails: retained for 1 year.
  • Custody records: retained for 5 years in case of dispute.
  • Anonymized training data: may be retained indefinitely once de-identified.

7. Your rights

7.1 All users

You can:

  • Access the personal information we hold about you, by emailing the privacy contact.
  • Correct inaccurate information from the in-app Settings page or by emailing us.
  • Delete your account from the Settings page or by emailing us. Deletion is processed within 30 days (plus the 90-day backup window described above).
  • Export your data: cards, photos, inventory records, sales records — available from Settings or on request.
  • Opt out of model training by emailing us; we will exclude your future uploads from training pipelines.
  • Opt out of marketing email via the unsubscribe link in any marketing message. Transactional messages (receipts, password resets) cannot be turned off while your account is active.

7.2 California residents (CCPA / CPRA)

If you reside in California, you have additional rights:

  • The right to know what categories of personal information we collect, the purposes, and the categories of recipients.
  • The right to request deletion of personal information.
  • The right to correct inaccurate personal information.
  • The right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CPRA.
  • The right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is needed to provide the Service.
  • The right to non-discrimination for exercising any of these rights.

To exercise California rights, email the privacy contact above with the subject line "California Privacy Request" and include enough information for us to verify your identity (typically the email on your account).

7.3 Other state laws

We extend the same access/deletion/correction rights to residents of any U.S. state with comparable consumer-privacy law, including Virginia, Colorado, Connecticut, Utah, Texas, and others as they come into effect.

8. Children's privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If we learn we have collected information from a person under 18, we will delete it promptly. If you believe we have inadvertently collected such information, please contact us.

9. Cookies

We use first-party cookies for:

  • Authentication (keeping you signed in).
  • Session state (remembering UI preferences).
  • First-party analytics (counting page views and feature usage).

We do not currently use third-party advertising cookies, cross-site tracking pixels, or session-replay tools that record full screen activity. If we add any of those in the future, we will update this Policy and (where required) provide an in-app consent banner.

You can disable cookies in your browser. Disabling cookies may break sign-in.

10. Security

We protect personal information using industry-standard measures including:

  • TLS encryption in transit (HTTPS everywhere).
  • Encryption at rest (AWS-managed keys for storage and database).
  • Role-based access controls and row-level security in our database.
  • Audit logging of administrative actions.
  • Multi-factor authentication for staff with production access.

No system is perfectly secure. If a breach occurs that affects your data, we will notify you within the timeframes required by applicable law (typically 30-60 days).

11. App store data-collection disclosures

For mobile users, our App Store and Play Store data-collection disclosures mirror this Privacy Policy. We declare the following data types as collected:

  • Contact info (email)
  • Identifiers (account ID)
  • Photos (card images you upload)
  • Usage data (interactions with the app)
  • Diagnostics (crash logs, performance data)
  • Camera, microphone (with permission, for scanning and voice features)
  • Location (only if you explicitly enter a shipping address)

We do not collect or share data for third-party advertising or cross-app tracking.

12. International users

The Service is intended for users in the United States and Canada. Data is stored in the United States. If you access the Service from outside those regions, you do so at your own risk; we do not offer GDPR-grade protections at this time. We may add EU/UK support in the future with a separate addendum.

13. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced by email to the address on your account at least 14 days before they take effect.

14. How to contact us

For all privacy questions, requests, or complaints:

We respond to privacy requests within 30 days (extendable to 60 days for complex requests, with notice).
