Privacy Policy

Effective date: June 3, 2026 · Last updated: June 3, 2026

This Privacy Policy describes how PackBuddy ("PackBuddy", "we", "us", or "our") collects, uses, and shares information when you use the PackBuddy iPhone app (the "App") and the packbuddy.io website (the "Site"). By using PackBuddy you agree to the practices described here.

PackBuddy is operated by an independent developer based in the United States. We are not affiliated with Nintendo, The Pokémon Company, or any of its licensees.

The short version. We collect the minimum information needed to run your account and track your card collection. Card images and OCR text are processed entirely on your device — they never leave your iPhone. We do not sell your data. You can delete your account and all associated data at any time from within the App.

1. Information we collect

1.1 Account information

When you create a PackBuddy account, we collect:

• Your email address (used for sign-in and account recovery)
• A password, stored only as a one-way hash by our authentication provider (Supabase)

PackBuddy does not support sign-in via Apple ID, Google, or any other third-party identity provider as of this version. Only email-and-password accounts exist.

1.2 Collection data

As you scan cards with the App, we store:

• The catalog ID of each card you pull (e.g. me4-15)
• The variant (e.g. holofoil, reverse holo)
• The quantity you own
• The date/time of your first and most recent pull of that card
• A snapshot of the market price at the time of the pull

We do not store photos of your cards on our servers. Card identification happens entirely on your iPhone using Apple's Vision framework and a local visual matching model. Once the App identifies a card, only the catalog ID is sent to our backend — never the underlying photo.

1.3 Subscription information

If you purchase a Hobbyist subscription, the App Store collects the payment. RevenueCat (our subscription management partner) notifies our backend of your subscription status (active, in trial, expired). We do not see your credit-card or Apple ID payment details.

1.4 Diagnostic information

When the App or our backend encounters an error, we collect a crash report through Sentry. Crash reports include:

• Anonymized device type (e.g. iPhone 15 Pro)
• iOS version
• App version and the specific code path that crashed
• The most recent ~30 in-app actions (cache hits, network calls)

Crash reports are scrubbed before transmission. We strip email addresses, user IDs, authentication tokens, and any text recognized from card images. Crash reports are declared as not linked to your identity in our App Store Privacy Nutrition Label.

1.5 What we do NOT collect

PackBuddy does not collect, store, or transmit:

• Photographs of your cards or surroundings
• OCR text recognized from card scans
• Your physical address, phone number, or government identifiers
• Your location (we do not request location permissions)
• Your contacts, photo library, calendar, or any other system data
• Behavioral advertising identifiers or tracking pixels

2. How we use information

We use the information described above only to:

• Authenticate you when you sign in
• Display your collection and portfolio value inside the App
• Refresh card prices daily and update your portfolio totals
• Validate that your subscription is active
• Detect and fix bugs (via Sentry crash reports)
• Communicate with you about your account (e.g. password reset emails)

3. How we share information

PackBuddy does not sell, rent, or trade your personal information. We share information only with the following service providers, each of which is contractually limited to processing your data on our behalf:

• Supabase — hosts our authentication system and application database (your email, hashed password, collection rows, subscription status).
• Cloudflare — provides our content delivery network for card images and the marketing site. Cloudflare may log IP addresses for fraud-prevention purposes per its own privacy policy.
• RevenueCat — manages your subscription lifecycle. RevenueCat receives only the cryptographic identifier Apple assigns to your purchases; it does not see your real Apple ID or payment details.
• Sentry — receives scrubbed crash reports from both the App and our backend service. Sentry holds these in a short-retention window for debugging purposes.
• Render — hosts our backend service. Render's infrastructure stores no user data on its own; it executes our backend code which then writes to Supabase.
• Resend — delivers transactional email such as password reset emails. Resend processes only the email address and message contents necessary to deliver the message.

We may also disclose information when required by law (e.g. valid subpoena), to protect the security of PackBuddy or its users, or to investigate suspected misuse of the App.

4. On-device processing

Card identification, image cropping, OCR (text recognition), and visual feature matching all happen on your iPhone using Apple's Vision framework and Core ML. The camera feed and any captured frames remain on the device. The only data transmitted to our backend after identification is the resulting catalog ID (e.g. me4-15).

5. Children's privacy

Pokémon TCG is enjoyed by collectors of all ages, including children. PackBuddy is rated 4+ in the App Store and is suitable for children, but we do not knowingly collect personal information from children under 13 years of age without verifiable parental consent.

If you are a parent or guardian and believe your child under 13 has created a PackBuddy account, please contact us at support@packbuddy.io and we will delete the account and all associated data promptly. The email-only signup flow does not request age, so we rely on parental supervision to determine appropriateness.

PackBuddy contains no in-app advertising, no third-party tracking, no behavioral profiling, no chat or messaging with other users, and no user-generated content posted publicly. Photos of cards remain on the user's device.

6. Your rights

6.1 Account deletion

You can permanently delete your PackBuddy account and all associated data at any time from inside the App: Settings → Account → Delete Account. Deletion is immediate and irreversible. All collection rows, snapshots, subscription records, and crash diagnostics tied to your account are removed.

If you cannot access the App, email us at support@packbuddy.io from the email address associated with the account and we will process the deletion within 30 days.

6.2 California residents (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we have collected about you
• Request deletion of your personal information
• Opt out of any sale of your personal information (we do not sell)
• Not be discriminated against for exercising any of these rights

Submit any such request to support@packbuddy.io. We will verify your identity by sending a confirmation email to the address on file before processing.

6.3 EU / UK residents (GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the right to access, correct, port, or erase your personal information, and to object to or restrict our processing of it. Our lawful basis for processing is your consent (which you may withdraw at any time by deleting your account) and the contractual necessity of operating the service you signed up for. Submit any GDPR requests to support@packbuddy.io.

7. Data retention

We retain your account information and collection data for as long as your account is active. Once you delete your account, your data is removed from our primary database immediately. Encrypted off-site backups containing your data are rotated out within 30 days, after which no copy of your data remains in our systems.

Crash diagnostics are retained for 90 days, after which Sentry automatically purges them.

8. Security

We use industry-standard security practices to protect your information:

• TLS 1.2+ encryption for all data in transit
• At-rest encryption for all backend databases and backups
• Authentication tokens stored in the iOS Keychain (encrypted with the device's hardware-backed secure enclave)
• Row-Level Security enforced at the database layer so that a leaked authentication token cannot access another user's data
• No third-party advertising or analytics SDKs that fingerprint users

No system is perfectly secure, however. If you believe your account has been compromised, change your password immediately and contact support@packbuddy.io.

9. International data transfers

PackBuddy's servers are located in the United States. If you access PackBuddy from outside the United States, your data will be transferred to and processed in the United States. By using PackBuddy you consent to this transfer.

10. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version at this URL with a new "Last updated" date. Material changes will also be announced inside the App.

11. Contact us

Questions about this Privacy Policy or PackBuddy's privacy practices? Email support@packbuddy.io.