Effective Date: May 19, 2026
Last Updated: May 19, 2026
Version: 3
This Privacy Policy describes how SuperSwap LLC ("SuperSwap," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use the SuperSwap mobile application and related services (the "Service").
SuperSwap is a location-based platform for trading physical trading card game (TCG) cards, including Magic: The Gathering, Pokémon Trading Card Game, Yu-Gi-Oh!, and others. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
SuperSwap does not retain: your real/legal name (only a chosen display name), profile picture, phone number, mailing or shipping address, payment or financial information, contacts or address book, browsing history or activity outside the app, biometric data, or data from other apps on your device. Where OAuth providers transmit name or profile picture data alongside your email at sign-in, we discard these fields immediately and do not persist them.
Camera access: If you use the card scanner feature, the app accesses your device camera in real time to identify card names. Camera images are processed on-device only and are never transmitted to our servers, stored, or shared. No photos or media are saved to your device or our systems.
Some data is required to use the Service: email address, display name, birth year, and password (or OAuth credentials) are necessary to create and maintain your account. Card list data is necessary to use the trading features. All other data is optional: location data, push notification tokens, and camera access are collected only with your explicit permission, and the Service can be used without them (with reduced functionality).
We use your information only for the purposes described below. For users in the European Economic Area (EEA) and United Kingdom, we identify the applicable legal basis under the General Data Protection Regulation (GDPR).
Legal basis key: "Contract performance" = we need it to provide the service you signed up for. "Consent" = you gave us permission. "Legitimate interest" = we have a valid business reason that doesn't override your rights. "Legal obligation" = the law requires it.
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Create and maintain your account | Email, password hash, display name, birth year, OAuth identifiers | Contract performance (Art. 6(1)(b)) |
| Verify minimum age (18+) | Birth year | Legal obligation (Art. 6(1)(c)) |
| Display your profile to other users | Display name, ratings, trade history | Contract performance (Art. 6(1)(b)) |
| Enable card trading | Card lists, trade proposals, trade history | Contract performance (Art. 6(1)(b)) |
| Match you with nearby traders | Card lists, location data | Contract performance (Art. 6(1)(b)); location via consent (Art. 6(1)(a)) |
| Show approximate distance to trade partners | GPS coordinates (processed server-side; only approximate distance displayed) | Consent (Art. 6(1)(a)) |
| Deliver messages between traders | Message content, sender/recipient, timestamps | Contract performance (Art. 6(1)(b)) |
| Operate the social feed | Follows, activity events | Contract performance (Art. 6(1)(b)) |
| Send push notifications | Push token, notification content | Consent (Art. 6(1)(a)) |
| Display trader trustworthiness | Star ratings, trade count | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud, abuse, and enforce Terms of Service | Account data, messages, IP address, reports | Legitimate interest (Art. 6(1)(f)) |
| Maintain and improve the service | Server logs, error reports | Legitimate interest (Art. 6(1)(f)) |
| Provide affiliate links to card marketplaces | Referral source identifier (no personal data sent) | Legitimate interest (Art. 6(1)(f)) |
| Respond to legal requests | Any data as legally required | Legal obligation (Art. 6(1)(c)) |
What we do NOT use your information for:
When you grant location permission, we collect your device's GPS coordinates. Before storing, these coordinates are snapped to a grid (approximately 8 km) so that your precise location is never persisted in our database. This data is classified as sensitive personal information under California law (CCPA/CPRA) and is processed based on your explicit consent under GDPR.
Your coordinates are used to calculate the distance between you and other users for trade matching, and to display an approximate distance (e.g., "< 8 km" or "12 km") to other users.
Other users never see your exact coordinates, street address, or precise location. They see only an approximate distance (e.g., "< 8 km" or "12 km"), with all distances under 8 km (approximately 5 miles) displayed uniformly so that close proximity cannot be inferred. Distances beyond 8 km are rounded to the nearest whole kilometer. The Service does not display your location on a map or reveal your neighborhood, street, or GPS coordinates to other users.
We store only your most recent location. We do not maintain a history of past locations. When you update your location, the previous coordinates are overwritten. Before storing, your coordinates are fuzzed (shifted by 0.5–1.5 km in a random direction) so that your exact GPS position is never persisted in our database. Your coordinates are protected by database-level security policies that prevent other users from accessing your location through the API. Distance calculations are performed server-side; distances under 8 km are displayed uniformly and distances beyond 8 km are rounded to the nearest whole kilometer. Precise coordinates are never transmitted to other users' devices.
You can revoke location permission at any time through your device settings. If you do:
Your display name and approximate distance are visible to other users. Your card lists are visible based on your privacy settings. Messages you send are visible to the recipient. Trade ratings are visible to other users. Your exact GPS coordinates are never shared.
We share information with third-party service providers who operate infrastructure on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase, Inc. (on AWS) | Database hosting, authentication, file storage | All account and service data |
| Expo (820 Labs, Inc.) | Push notification delivery | Push tokens and notification content (transit only) |
| Google LLC | OAuth sign-in, push delivery (FCM) | OAuth tokens, email, push tokens. Google's OAuth response also transmits the user's name, profile picture URL, and locale; we discard these at sign-in. |
| Apple Inc. | OAuth sign-in, push delivery (APNs) | OAuth tokens, email, push tokens. Apple may transmit the user's name on first sign-in; we discard this at sign-in. |
| Discord Inc. | OAuth sign-in | OAuth tokens, email. Discord's OAuth response also transmits the username, avatar identifier, and discriminator; we discard these at sign-in. |
| New Relic, Inc. | Application performance monitoring, error tracking, crash reporting | Device info, OS version, app version, crash reports, performance traces, IP address |
| Mapbox, Inc. | Geocoding (converting postal codes to coordinates) | Postal/ZIP codes, IP address |
| Cloudflare, Inc. | API proxy, rate limiting, bot protection (Turnstile during signup and password recovery) | IP address, browser/device information, Turnstile interaction signals |
| Transactional email provider | Delivery of signup confirmation and password recovery emails | Email address, message content |
These providers are contractually obligated to use your information only for providing services to us. Where required by GDPR, we maintain Data Processing Agreements (DPAs) with our service providers that include Standard Contractual Clauses (2021 SCCs) for international data transfers:
SuperSwap participates in affiliate programs with third-party card marketplaces. When you tap an affiliate link in the Service (for example, a link to purchase or view a card on a partner site), you are redirected to that partner's website or app. At that point, the partner may collect information about you in accordance with their own privacy policy.
What we share with affiliate partners: We do not proactively send your personal information to affiliate partners. Affiliate links contain a tracking identifier that identifies SuperSwap as the referral source — not your identity. However, the partner may associate your visit with your account on their platform if you are already logged in.
| Affiliate Partner | Purpose | Data They May Receive | Their Privacy Policy |
|---|---|---|---|
| Mana Pool | Card marketplace | Referral source identifier, your IP address and browser/device info (collected by them upon visit) | manapool.com/privacy |
| Card Kingdom | Card marketplace | Referral source identifier, your IP address and browser/device info (collected by them upon visit) | cardkingdom.com/privacy |
| TCGplayer (eBay Inc.) | Card marketplace | Referral source identifier, your IP address and browser/device info (collected by them upon visit) | ebay.com/privacy |
We may add or remove affiliate partners over time. This table will be updated accordingly. You can avoid sharing data with affiliate partners by choosing not to tap affiliate links.
What we receive from affiliate partners: We receive aggregated, anonymized reports about referral activity (e.g., total clicks, total purchases attributed to SuperSwap). We may also receive commission payments based on qualifying purchases. We do not receive any personal information about you from affiliate partners.
Scryfall provides card data (names, images, prices). We download card data from Scryfall's public API. No user information is sent to Scryfall.
We may disclose your information if we believe in good faith that disclosure is necessary to: comply with applicable law, regulation, or legal process; enforce our Terms of Service; protect the safety, rights, or property of SuperSwap, our users, or the public; or detect, prevent, or address fraud or security issues.
If SuperSwap is acquired by or merged with another company, your information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your personal information becomes subject to a different privacy policy.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your personal information for cross-context behavioral advertising. We have not sold personal information in the preceding 12 months.
Our affiliate relationships (Section 4.3) involve commission payments for referral traffic. These are standard affiliate marketing arrangements. We do not send your personal data to affiliate partners, and affiliate tracking identifiers do not constitute a "sale" or "sharing" of personal information under the CCPA/CPRA.
We retain your personal data for as long as your account remains active and as necessary to provide the Service. Specifically: your profile, card lists, trade history, ratings, and location data are all retained for the life of your account and deleted when your account is deleted. Messages and notifications may be pruned after reaching storage thresholds to maintain service performance; recent messages are always retained.
Inactive accounts: If you do not log in for four (4) consecutive years, we will send a notice to your registered email address giving you 30 days to log in and retain your account. If you do not log in during that period, your account and all associated data will be deleted as described below.
We do not retain data beyond what is needed for the purposes described in this Privacy Policy. When you delete your account (or when it is deleted due to inactivity), your account is deactivated and most associated data is retained for a period of up to 14 days before being permanently deleted via cascading database deletion. Some data (such as your location) is cleared sooner, and certain categories are retained or anonymized as described below:
| Data Type | What Happens | Reason |
|---|---|---|
| Profile, email, display name, birth year | Permanently deleted within 14 days | — |
| Card lists, collection, trade history | Permanently deleted within 14 days | Cascade deletion with account |
| Messages | Permanently deleted within 14 days (entire conversation) | Cascade deletion with account. Note: When you delete your account, all conversations you participated in are deleted, including messages sent by the other party. Similarly, if another user deletes their account, your messages in shared conversations are also deleted. |
| GPS coordinates, push tokens | Cleared at the time you request deletion | Removes you from proximity matching immediately |
| Ratings you gave | Anonymized (attributed to “Deleted User”) | Preserving rating system integrity |
| Moderation records (reports, enforcement actions) | Retained for up to 2 years | Preventing ban evasion; legal compliance |
| Server logs (IP address) | Deleted within 30 days | Infrastructure log rotation |
If we receive a valid legal request (litigation hold, law enforcement preservation, subpoena), we may retain specific data beyond these periods as legally required.
We implement reasonable technical and organizational measures to protect your data:
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required (GDPR Article 33), and will notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34). We will also comply with breach notification requirements under US state laws, including the California Consumer Privacy Act.
We maintain records of our data processing activities and a register of security incidents as required by GDPR Articles 30 and 33(5).
All SuperSwap users can: view and edit their display name and card lists within the app; delete their account from settings (which deletes all associated data as described in Section 5); and control location and notification permissions via device settings.
If you are in the European Economic Area or United Kingdom, you have the following rights under the GDPR:
We will respond to requests within 30 days (extendable by 60 days for complex requests, with notice).
If you are a California resident, you have the right to:
You may designate an authorized agent to submit requests on your behalf. We will respond within 45 days (extendable by 45 days with notice).
Categories of personal information collected in the preceding 12 months:
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | Email address, display name, IP address, device identifiers, push notification tokens | YES |
| B. Personal information (Cal. Civ. Code §1798.80) | Display name, email address | YES |
| C. Protected classification characteristics | Age (birth year only, for age gate) | YES |
| D. Commercial information | Trade proposals, trade history, cards offered and received (no monetary transactions or payment information) | YES |
| E. Biometric information | Fingerprints, voiceprints, facial recognition data | NO |
| F. Internet or similar network activity | Server logs, app usage data, crash reports, feature interactions | YES |
| G. Geolocation data | Precise GPS coordinates (opt-in only) | YES |
| H. Audio, electronic, visual, or similar information | Camera frames processed on-device for card scanning (never uploaded) | NO |
| I. Professional or employment-related information | Job title, work history | NO |
| J. Education information | Student records, directory information | NO |
| K. Inferences drawn from collected information | Trade preferences, card interests based on collection activity | NO |
| L. Sensitive personal information | Precise geolocation (GPS coordinates, opt-in only); contents of messages sent through the Service | YES |
We use precise geolocation data solely to provide the Service's proximity-based matching feature. You may limit our use of your precise geolocation at any time by revoking location permission in your device settings. Message content is used solely to deliver messages between users, enforce our Terms of Service, respond to user reports, and comply with legal requests.
We have not sold or shared personal information (as defined by the CCPA/CPRA) in the preceding 12 months and will not do so in the future.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other US states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing of their personal data. Because SuperSwap does not sell personal data, use it for targeted advertising, or engage in profiling that produces legal or similarly significant effects, many opt-out rights are not applicable. To exercise any available rights under your state's privacy law, contact privacy@superswap.gg.
Appeals: If we deny your privacy rights request, you may appeal by emailing privacy@superswap.gg with the subject line "Privacy Rights Appeal." We will respond to appeals within 60 days. If you are not satisfied with our response, you may contact your state's attorney general.
In the app: Use account settings for profile editing, account deletion, and permission management.
By email: Contact privacy@superswap.gg with your display name and account email so we can verify your identity.
SuperSwap is not directed at children or minors. We require all users to be at least 18 years of age (or the age of majority in their jurisdiction). We enforce this through an age gate during registration that collects your birth year. Our minimum age of 18 exceeds the thresholds set by the US Children's Online Privacy Protection Act (COPPA, age 13), the GDPR's digital consent age (Art. 8), and Australia's Social Media Minimum Age Act (age 16). Because the Service facilitates in-person meetups between users, we require all users to be legal adults.
We do not knowingly collect personal information from anyone under 18. If we discover a user is under 18, we will promptly delete their account and associated data. If you believe someone under 18 has created an account, please contact us at privacy@superswap.gg.
SuperSwap is operated from the United States. Our infrastructure provider, Supabase, hosts data on Amazon Web Services in the United States. If you are located outside the United States, your personal information will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country.
We rely on the following transfer mechanisms:
Supabase's Data Processing Addendum is available at supabase.com/legal/dpa. New Relic processes performance and crash data in the United States under its Data Processing Addendum, which incorporates SCCs for international transfers.
SuperSwap is a native mobile application. We do not use cookies, web beacons, pixel tags, or browser-based tracking technologies. We do not use advertising identifiers (IDFA, GAID), advertising SDKs, fingerprinting, cross-app tracking, or social media tracking pixels.
We use New Relic's mobile SDK for application performance monitoring and crash reporting (see Sections 1.2 and 4.2). New Relic is not an advertising or tracking service and does not use the data it collects for advertising, profiling, or cross-app tracking.
The only device identifiers we store are authentication tokens (to maintain your session) and push notification tokens (to deliver notifications). Neither is shared with third parties for tracking or advertising.
SuperSwap does not track users across third-party websites or apps, so we do not respond to Do Not Track (DNT) browser signals. We honor Global Privacy Control (GPC) signals as a valid opt-out of the "sale" or "sharing" of personal information under the CCPA/CPRA. Because we do not sell or share personal information, no additional action is required when we detect a GPC signal.
SuperSwap uses automated processing to match you with potential trading partners based on your card lists and location. This matching is a recommendation — you choose whether to contact or trade with any suggested partner. The matching engine does not make decisions with legal or similarly significant effects, and human involvement (your choice to trade) is always part of the process.
Messages are stored on our servers in plaintext (encrypted at rest). Messages are not end-to-end encrypted. This means SuperSwap can access message content for the purposes of enforcing our Terms of Service (e.g., detecting spam, harassment, or prohibited content), responding to user reports, and complying with valid legal requests or law enforcement inquiries. We may use automated filters to block prohibited content (such as external links or spam) at the time of sending, but we do not scan stored messages for advertising, profiling, or surveillance purposes. Human review of message content occurs only in response to user reports or legal process.
Material changes (changes to what we collect, how we use it, or who we share it with): We will notify you at least 30 days before changes take effect, via email and in-app notice. You will be asked to acknowledge the updated policy.
Non-material changes (clarifications, formatting): We will update the "Last Updated" date. No advance notice is required.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes acceptance. If you disagree, you should stop using the Service and delete your account.
If you have questions about this Privacy Policy or our data practices:
SuperSwap LLC
Email: privacy@superswap.gg
2108 N ST STE N
Sacramento, CA 95816
United States
SuperSwap's core activities do not involve large-scale systematic monitoring or processing of special-category data. Accordingly, we are not required to appoint a Data Protection Officer under GDPR Article 37. Privacy inquiries are handled directly by our team at privacy@superswap.gg.
If you are in the European Economic Area, our designated representative under GDPR Article 27 is: Not yet appointed. Contact privacy@superswap.gg for EEA inquiries.
If you are in the United Kingdom, our designated representative under UK GDPR Article 27 is: Not yet appointed. Contact privacy@superswap.gg for UK inquiries.
EEA users may lodge complaints with their local data protection authority: edpb.europa.eu. UK users may contact the Information Commissioner's Office: ico.org.uk.