Privacy Policy

NoirDeck is operated by [Company Name] ("we", "us", "our"), registered in England and Wales (Company Number: [XXXXXXXX]). We are the data controller for all personal data processed on this platform.

Contact: privacy@noirdeck.io

Account data: email address, username, display name, password (hashed — never stored in plain text).

Age verification data: date verification was completed, method used. We do not store copies of identity documents.

Transaction data: payment amounts, Stripe payment IDs, pack purchase history, marketplace transactions.

Collection data: which cards you own, when you obtained them, your marketplace listings.

Technical data: IP address, browser type, session tokens (stored in HTTP-only cookies), server logs.

Communications: emails you send to us, support requests.

Contract performance: Processing necessary to provide our services (account management, pack purchases, card ownership, marketplace transactions).

Legal obligation: Age verification (UK Online Safety Act 2023), VAT records (HMRC requirements), fraud prevention.

Legitimate interests: Platform security, fraud detection, improving our services, sending transactional emails.

Consent: Marketing communications (you can withdraw consent at any time).

We use your data to: create and manage your account; process pack purchases and marketplace transactions; verify your age as required by law; send transactional emails (purchase confirmations, password resets); detect and prevent fraud; comply with legal obligations.

Stripe: Payment processing and creator payouts. Data shared: email, payment amounts. Privacy policy: stripe.com/privacy

Yoti: Age verification. Data shared: verification result only (pass/fail). Privacy policy: yoti.com/privacy

Resend: Email delivery. Data shared: email address, email content. Privacy policy: resend.com/privacy

Vercel: Hosting and image storage. Data shared: uploaded images, server logs. Privacy policy: vercel.com/privacy

Supabase: Database hosting. Data shared: all platform data stored in database. Privacy policy: supabase.com/privacy

We do not sell your data to third parties.

Account data is retained for as long as your account is active, plus 6 years after closure (HMRC requirements for financial records).

Age verification records are retained for 12 months.

Server logs are retained for 90 days.

Under UK GDPR you have the right to: access your data; correct inaccurate data; erase your data ("right to be forgotten"); restrict processing; data portability; object to processing; withdraw consent.

To exercise any right, email privacy@noirdeck.io. We will respond within 30 days.

We use an HTTP-only session cookie (nd_session) for authentication. This cookie is essential for the platform to function and cannot be opted out of while logged in.

For analytics and optional cookies, see our Cookie Policy.

Your data may be processed outside the UK by our third-party providers. All transfers are protected by Standard Contractual Clauses or adequacy decisions recognised by the UK ICO.

For privacy concerns: privacy@noirdeck.io

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.