Privacy Policy

Account Information: When you create an account, we collect your name, email address, and password (stored as a cryptographic hash, never in plain text). If you sign in via Google, we receive your name, email address, and profile photo from Google.

Payment Information: When you purchase credits, your payment is processed by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe handles all payment data in accordance with PCI-DSS standards. We receive and store your Stripe customer ID and transaction records (amounts, dates, credit pack purchased).

Card Images: When you upload trading card images for grading, we store the front and back images on our servers. These images are processed through our image analysis pipeline and sent to OpenAI's API for AI-powered grading assessment.

Usage Data: We collect information about how you use our service, including pages visited, features used, grading history, and interaction patterns. This data is collected via Google Analytics 4 and Sentry error tracking.

Device Information: We automatically collect your IP address, browser type, operating system, and device type through standard web server logs and analytics tools.

• To provide and operate the card grading service
• To process payments and manage your credit balance
• To maintain your card library and grading history
• To improve our grading accuracy and service quality
• To communicate with you about your account, transactions, and service updates
• To detect and prevent fraud, abuse, and security incidents
• To comply with legal obligations

We share your information with the following third-party services, each of which has their own privacy policies:

OpenAI: Card images (front and back) are sent to OpenAI's API (GPT-5.4) for AI grading analysis. OpenAI's API data is not used to train their models by default. OpenAI's privacy policy is available at https://openai.com/privacy. We send only the card images and grading instructions - no personal identifying information is included in the API request.

Stripe: Payment processing. Stripe receives your payment details, email, and transaction amounts. Stripe's privacy policy is available at https://stripe.com/privacy.

Google: If you use Google sign-in, Google processes your authentication. If we use Google Analytics, Google collects anonymised usage data. Google's privacy policy is available at https://policies.google.com/privacy.

Sentry: Error tracking and performance monitoring. Sentry may receive your user ID and technical information about errors you encounter. Sentry's privacy policy is available at https://sentry.io/privacy.

Hetzner: Our servers are hosted by Hetzner Online GmbH in Singapore. Your data is stored on these servers. Hetzner's privacy policy is available at https://www.hetzner.com/legal/privacy-policy.

Your data is stored on secured servers hosted by Hetzner in Singapore. We implement the following security measures:

• All data is transmitted via HTTPS/TLS encryption
• Passwords are hashed using bcrypt with a cost factor of 12
• Database access is restricted to the application layer only
• Payment data is handled entirely by Stripe (PCI-DSS compliant)
• Regular database backups are maintained with 30-day retention
• Server access is restricted via SSH key authentication and firewall rules

Account Information: Retained for as long as your account is active. If you delete your account, your personal information is deleted within 30 days.

Card Images and Grade Reports: Retained for as long as your account is active and stored in your card library. You can delete individual cards from your library at any time.

Transaction Records: Retained for 7 years in accordance with Australian tax and accounting requirements.

Usage Analytics: Google Analytics data is retained for 14 months (default GA4 retention).

Under the Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate personal information
• Request deletion of your personal information (subject to legal retention requirements)
• Withdraw consent for data processing
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, contact us at info@cardrevive.com.au.

We use cookies and similar technologies for authentication, analytics, and service functionality. See our Cookie Policy at /cookies for full details.

Our service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, contact us and we will delete it.

Your data may be processed in the following locations:

• Singapore (Hetzner servers - primary data storage)
• United States (OpenAI API processing, Stripe payment processing, Sentry error tracking)
• Google's global infrastructure (Google Analytics, Google OAuth)

By using our service, you consent to your data being transferred to and processed in these locations.

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when this policy was last revised.

If you have questions about this Privacy Policy or wish to make a complaint:

Email: info@cardrevive.com.au

Business: itDreams (ABN: 17690197267)

Location: Padstow, NSW 2211, Australia

You may also contact the Office of the Australian Information Commissioner:

Website: www.oaic.gov.au

Phone: 1300 363 992