Privacy Policy

Last updated: 2026-05-11 · Placeholder pre-launch — full review before public release.

TL;DR

Binder Boss is a local-first tracker. On the Free tier, every piece of collection data lives on your device in localStorage + IndexedDB — nothing leaves your browser. On Pro, your ownership rows sync to Supabase under your user ID with row-level security. We never sell, share, or monetize your collection data.

What we collect

• Email address (Pro sign-in only) — required for magic-link auth via Supabase. We use it solely to sign you in.
• Ownership rows (Pro cloud sync only) — variant IDs, owned flag, acquired-at timestamp, optional notes you type. Stored under your user ID with RLS so only you can read your own data.
• Subscription state (Pro only) — Stripe customer ID, subscription status, period end. Used to grant Pro features.
• Error reports — when something crashes, we send the error stack + minimal context to Sentry. PII fields (email, notes) are stripped before sending.

What we don't collect

• No analytics tracking on the Free tier or signed-out users.
• No third-party advertising trackers, ever.
• No payment card details — Stripe handles payments end-to-end. We see only the subscription status, not card numbers.
• No location data, contacts, browsing history, or device identifiers.

Where data lives

• Your device — localStorage (collection, binders, wishlist, theme preference, dismissed hints) + IndexedDB (cached card catalog).
• Supabase (Pro tier) — US-East region. Postgres with row-level security; only your user ID can read your rows.
• Stripe(Pro tier) — subscription state + payment processing. Stripe's privacy policy applies for payment data.
• Sentry — error reports only. We can disable Sentry entirely by clearing the DSN env var.

Your rights

• Export — go to /app/data and download your full ownership CSV anytime.
• Delete — reset all stored data from /app/data. Cancelling Pro removes your cloud-synced rows on request — email us.
• Access / correction— email us; we'll respond within 14 days.

Card data attribution

Pokemon card metadata (names, set lists, images, rarities) comes from the public pokemontcg.io API. Pokemon, the Pokemon TCG, and all related trademarks are property of The Pokemon Company International, Nintendo, Game Freak, and Creatures Inc. Binder Boss is a fan-made independent tool with no affiliation.

Contact

Privacy questions: privacy@binderboss.app (placeholder — to be activated at launch). Security disclosures: security@binderboss.app (see /.well-known/security.txt).

This is placeholder copy pending legal review. The substance reflects how the app handles data today, but exact wording will be revised before public launch.