Privacy Policy

Last updated: June 2026

1. Who We Are

Deka ("we", "us", "our") is a social trading card application operated by Deka, based in Ireland, and accessible at getdeka.app. Deka acts as the data controller for the personal data described in this policy.

For any privacy-related queries, you can contact our data protection point of contact at getdekaapp@gmail.com.

2. Age Requirement

Deka is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a user is under 18, we will promptly delete their account and all associated data. If you believe a minor has created an account on Deka, please contact us immediately at getdekaapp@gmail.com.

3. Data We Collect

3.1 Account Information

When you create a Deka account, we collect your email address, display name, username, and profile photo.

3.2 Collection Data

Cards you add to your collection, wishlist, and trade bait lists, including any notes, tags, or values you assign to them.

3.3 Marketplace Data

Listings you create, offers you send or receive, trade and purchase history, negotiation messages, and reviews you leave or receive.

3.4 Payment and Financial Data

When you buy or sell cards on Deka, payments are processed by Stripe. We do not store your full card number or bank account details — these are handled directly by Stripe in accordance with PCI DSS standards. We do collect and store:

3.5 User Content

Photos, videos, and text you upload or publish on Deka, including post images, card photos, listing images, post text, and comments.

3.6 Device and Usage Data

Through our analytics provider (PostHog), we collect pseudonymous usage data — linked to your account identifier — such as pages viewed, features used, app version, device type, and operating system. We do not track precise location, although approximate location may be inferred from your IP address.

3.7 Technical Data

IP address, browser and app identifiers, and crash logs collected for debugging and service reliability purposes.

3.8 Card Image Data

When you use Deka's Pokémon card scanning feature, your card photo is transmitted to our image recognition provider (Ximilar) for identification. These images are processed in real time and are not retained by Ximilar after the identification result is returned. MTG card scanning uses on-device text recognition (OCR) and does not transmit images to any external service. Deka retains card images only as part of your collection or listing content.

4. Lawful Basis for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following lawful bases to process your personal data:

5. How We Use Your Data

We use your data to:

We do not sell your personal data to third parties. We do not currently use your data for targeted advertising. Should this change in the future, we will update this policy and notify you in advance.

6. Third-Party Services

We share data with the following third-party service providers, solely to operate and improve Deka:

Service Purpose Data Shared Location Retention
Stripe Payment processing, seller payouts Name, email, shipping address, payment method (handled by Stripe — full card details never reach Deka servers), transaction amounts US / EU Per Stripe's data retention policies
Resend Transactional email (e.g. report notifications) Email address, notification content US Per their policies
Supabase Infrastructure, database, authentication, file storage All account and app data Ireland (EU West) Duration of account
PostHog Product analytics Pseudonymous usage events (linked to account ID), device info EU As configured
PokeTrace Pokémon card pricing Card identifiers only; no user data is transmitted EU N/A
Scryfall MTG card catalogue and pricing Card identifiers only; no user data is transmitted US N/A
SportsCardsPro Sports card catalogue and pricing Card identifiers only; no user data is transmitted US N/A
Pokémon TCG API Pokémon card catalogue data Card identifiers only; no user data is transmitted US N/A
eBay Card listing links (affiliate) None (outbound links only) US N/A
Ximilar Pokémon card image recognition Card photos submitted for scanning (processed in real time, not retained) EU Not retained
Expo Push notifications Device push token, notification content US Per their policies
Apple / Google App distribution, push delivery Device push token, account identifiers US Per their policies

We require all third-party providers to process personal data in accordance with applicable data protection laws. Where data is transferred outside the European Economic Area (EEA), appropriate safeguards are in place.

7. Data Storage and Security

Your data is stored on Supabase servers located in the Ireland (EU West) region. We implement industry-standard security measures, including row-level security policies, encrypted connections (TLS), and secure authentication protocols.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents that may arise.

8. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights in relation to your personal data:

To exercise any of these rights, contact us at getdekaapp@gmail.com. We will respond within 30 days of receiving your request. If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission (DPC) in Ireland or your local supervisory authority.

9. Data Retention

We retain your personal data for as long as your account remains active and as necessary to provide the Deka service.

When you delete your account, all associated data is permanently removed, including your profile information, posts, collection data, listings, messages, reviews, and all uploaded images and videos.

Certain data may be retained for a limited period after account deletion where required by law or to resolve disputes, enforce our agreements, or comply with legal obligations. Transaction records and payment data may be retained for up to 7 years to comply with tax and financial reporting requirements.

10. Cookies and Tracking

Deka is a mobile application and does not use browser cookies. Our analytics provider (PostHog) may use local device identifiers for session tracking purposes. If you wish to object to analytics processing, please contact us at getdekaapp@gmail.com.

11. International Data Transfers

Some of our third-party service providers are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision.

12. Children's Privacy

Deka is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at getdekaapp@gmail.com so that we can take appropriate action.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of significant changes through the app or via email. Your continued use of Deka after any changes take effect constitutes your acceptance of the updated policy.

14. Contact

For any questions about this privacy policy or the handling of your personal data, contact us at: