Privacy Policy
Last updated: April 6, 2026
1. Data controller
The data controller for your personal data is:
Louis BERTRAND, sole trader (micro-entrepreneur)
36 rue Jean Jaurès, 91330 Yerres, France
Email: louis.bertrand@magic-cards.fr
2. Data collected
We collect only the data strictly necessary to operate the service:
Account data: email address, display name and profile picture provided by your authentication provider (Google, GitHub, etc.) when you create your account.
Usage data: decks and cards created, review history (dates and number of cards reviewed), consecutive day streak, number of review sessions.
Payment data: transactions are processed exclusively by Stripe, Inc. We do not store any credit card numbers on our servers. We only retain Stripe subscription IDs necessary to manage your plan.
Push notifications (optional): if you consent, a notification token is stored to send you review reminders. You can revoke this permission at any time from your browser settings.
Contact data: if you contact us by email, we retain your message in order to respond.
3. Purpose of processing
Your data is used exclusively to:
• Create and manage your user account.
• Sync your decks and cards across all your devices.
• Calculate and display your progress statistics (streak, heatmap, achievements).
• Manage your subscription and verify your Pro status.
• Send you review reminders (only if you have enabled notifications).
• Improve the quality and security of the service.
We never sell, rent or share your data for advertising or commercial purposes.
4. Legal basis (GDPR)
The processing of your data is based on the following legal grounds:
Performance of a contract (Art. 6.1.b GDPR): processing of email, decks, cards, review history and subscription — necessary to provide the service.
Legitimate interest (Art. 6.1.f GDPR): technical logs retained to ensure security and detect abuse.
Consent (Art. 6.1.a GDPR): push notifications and optional marketing communications.
5. Cookies and trackers
MagicCards uses only cookies and local storage mechanisms strictly essential to the operation of the service. No advertising or third-party tracking cookies are set.
Cookies and storage data used:
• Authentication session: access token stored in memory and refresh token in a secure httpOnly cookie, to maintain your session.
• Firebase / IndexedDB: local cache of Firestore data (decks, cards) to reduce network reads and enable offline access.
• Stripe: technical cookies set by Stripe during the payment process, necessary to secure transactions. These cookies are subject to Stripe's privacy policy (stripe.com/privacy).
Because these cookies are strictly necessary for the service, they do not require prior consent under the ePrivacy Directive.
6. Data sharing
Your data is only shared with the following technical sub-processors, strictly for their designated purposes:
• Google Firebase (Google LLC): database hosting, authentication. Data hosted in European data centers (europe-west1 region). Google is GDPR-compliant.
• Stripe, Inc.: payment processing and subscription management. Stripe is PCI-DSS Level 1 certified and GDPR-compliant.
• Vercel, Inc.: application hosting. Requests pass through Vercel's servers.
• Resend (optional): sending transactional emails (reminders). Your email is not used for any other purpose.
We may also disclose your data if required by law (court order, legal obligation).
7. International transfers
Some of our sub-processors (Vercel, Stripe) are established in the United States. These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, ensuring an adequate level of protection for your data.
8. Data retention
Your data is retained for as long as your account is active.
Upon account deletion (from the Profile page > "Delete my account"), all your personal data (decks, cards, history, email) is permanently deleted within 30 days.
Technical logs are retained for a maximum of 90 days. Payment data (billing history) is retained for 10 years in accordance with legal accounting obligations.
9. Your rights (GDPR)
Under the General Data Protection Regulation (GDPR — Regulation EU 2016/679), you have the following rights:
• Right of access: obtain a copy of all data we hold about you.
• Right of rectification: correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your data. You can also delete your account directly from your Profile page.
• Right to data portability: receive your data in a structured, machine-readable format (JSON).
• Right to object: object to processing based on legitimate interest.
• Right to withdraw consent: withdraw consent at any time for processing that depends on it (push notifications, marketing communications).
To exercise your rights, contact us at contact@magic-cards.fr. We will respond within 30 days.
If you believe your rights are not being respected, you can lodge a complaint with your local data protection authority (in France: cnil.fr).
10. Security
We implement the following security measures to protect your data:
• Communications encrypted via HTTPS (TLS 1.3).
• Firestore security rules restricting access to the authenticated user's own data only.
• Authentication via OAuth 2.0 with reputable third-party providers (Google, GitHub).
• Short-lived access tokens, with refresh tokens stored in httpOnly cookies.
• No passwords stored on our servers.
11. Changes
This policy may be updated to reflect legal or technical changes. In case of material changes affecting your rights, we will notify you by email at least 15 days before the changes take effect. The last updated date is shown at the top of this document.