Privacy Policy
Last updated: 12 February 2026
1. Introduction
Welcome to TotalTCG. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our platform at www.totaltcg.com.
TotalTCG Ltd, located at [Registered Address — Pending], United Kingdom, is the data controller responsible for your personal data.
2. Data We Collect
2.1 Information You Provide
- Account Information: Email address, password (encrypted), display name
- Profile Information: Name, profile picture (optional)
- Shipping Information: Delivery address, phone number (for marketplace orders)
- Payment Information: Payment details processed securely through our payment providers
- Collection Data: Cards you add to your collection, wishlist items, set tracking preferences
- Card Images: Photos you upload when using our card scanner feature
- Card Scanner Data: When you use our AI-powered card scanner, images are temporarily processed by our detection service to identify cards. Images are not permanently stored and are deleted after processing is complete.
2.2 Automatically Collected Data
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, features used, time spent on platform
- Log Data: IP address, access times, referring URLs
- Cookies: Session and preference cookies (see our Cookie Policy)
3. How We Use Your Data
We use your personal data to:
- Provide and maintain our services (collection tracking, marketplace, card scanning)
- Process transactions and send related information
- Send administrative notifications (account updates, security alerts)
- Respond to your comments, questions, and support requests
- Analyze usage patterns to improve our platform
- Detect, prevent, and address fraud and security issues
- Comply with legal obligations
3A. Lawful Basis for Processing
Under GDPR Article 6, we process your personal data on the following lawful bases:
| Purpose | Lawful Basis | Data Categories |
|---|---|---|
| Account management | Performance of contract | Email, name, password hash |
| Marketplace transactions | Performance of contract | Shipping address, payment reference, order details |
| Collection tracking | Performance of contract | Card data, set progress, wishlist |
| Card scanner (AI) | Consent | Uploaded images, camera access |
| Platform improvement | Legitimate interest | Usage data, anonymised analytics |
| Security & fraud prevention | Legitimate interest | IP address, access logs, device info |
| Marketing communications | Consent | Email address (only with explicit opt-in) |
4. Third-Party Services
We use the following third-party services:
- Google OAuth: For secure authentication (if you choose to sign in with Google)
- Stripe: To securely process payments. Stripe is PCI DSS Level 1 certified. We do not store your full card details. See Stripe's Privacy Policy for details.
- Cloud Hosting (Azure): To host and secure our platform
- Analytics: To understand how users interact with our platform
We also aggregate publicly available pricing data from eBay to provide market valuations. This does not involve sharing your personal data.
4.1 International Data Transfers
Some of our service providers may process your data outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- UK adequacy decisions where applicable
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- Binding Corporate Rules where applicable
Our primary hosting infrastructure is located in the UK/EU region via Microsoft Azure.
5. Data Sharing
We do not sell your personal data. We may share your data only in these circumstances:
- With Your Consent: When you explicitly agree to sharing
- Marketplace Transactions: Necessary details shared between buyers and sellers
- Service Providers: With trusted partners who assist in operating our platform
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
6. Data Retention
We retain your personal data only as long as necessary to provide our services and fulfill the purposes described in this policy. When you delete your account:
- Account deletion process begins within 30 days
- Complete deletion from active systems within 90 days
- Backup systems may retain data for an additional 90 days
- Some data may be retained for legal compliance purposes
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (HTTPS/TLS)
- Encrypted password storage (hashing)
- Secure cloud infrastructure with regular security updates
- Access controls and authentication for our systems
- Regular security assessments
8. Your Rights (GDPR)
Under GDPR and UK data protection laws, you have the following rights:
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a portable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, please contact us at support@totaltcg.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Children's Privacy
TotalTCG is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
11. Contact Us
If you have questions about this privacy policy or our data practices, please contact us: