ScryDeck

Privacy Policy

Last Updated: April 20, 2026 · Policy Version: 1.0

The ScryDeck team believes that privacy is fundamental. We seek to minimize the amount of personal data we collect and store. We are a two-person team based in North Carolina, USA, and we operate ScryDeck with care for the people who use it.

We are not interested in advertising or building profiles about our visitors. Any data we collect is used only to operate ScryDeck, provide paid services, and make informed decisions about how to improve the product. We do not sell or trade your data to other companies.

This document describes what data ScryDeck gathers, how we protect it, and the choices you have about it.

Secure Browsing

ScryDeck forces HTTPS for all services, including the application, marketing site, and API. Information you submit is private in transit and cannot be seen by your internet service provider or anyone else on your network.

We deploy modern web security practices, including HSTS and a strict Content Security Policy. Payment information is handled exclusively by Stripe and never touches our servers.

Cookies and Browser Data

ScryDeck has features that need to remember who you are and what preferences you've set. We use a combination of browser cookies and your browser's local storage to track this information.

Authentication: Your session with ScryDeck is stored in an encrypted, HTTP-only cookie set by better-auth. This cookie is how we know you're signed in.

Product analytics: When you consent to product analytics (see the next section), PostHog sets a small number of cookies and local storage keys to remember your anonymous session ID, your user ID (once you've logged in), and cached feature flag values. These keys start with ph_ or posthog_.

Preferences: Your theme choice, layout preferences, and other non-sensitive settings are stored in your browser's local storage.

Clear website data: If you no longer want this information on your device, you can clear your history and cookies:

Analytics Data

ScryDeck uses PostHog to understand how people use the product so we can make it better. PostHog analytics are opt-in. We do not capture anything until you explicitly consent — either by accepting the banner on our marketing site or by opting in during registration in the app.

When you have consented, we collect:

  • Your browser version (Safari, Firefox, Chrome, etc.)
  • Your operating system (macOS, Windows, iOS, Android, etc.)
  • The size of your screen
  • Your system language and country
  • Which pages you visit and which buttons you click
  • Session replays of your interactions with our user interface (not the camera feed)

Session replays record the structure of the pages you visit — the buttons, menus, and layouts — so we can see how people move through the app and fix problems when they get stuck. Every text input is masked by default, so passwords, emails, and card notes are never visible in a replay. The camera feed from card scanning is never captured.

Only ScryDeck administrators have access to this data. We never sell or trade it to any other company.

Opt-out: You can turn off product analytics at any time in your account settings. Flipping the toggle off immediately disables capture and session replay from that point forward.

ScryDeck Accounts

You can register for a ScryDeck account to use scanning, collection tracking, deck building, and sync across your devices. If you do, the information in this section applies to you.

Personal information: To open an account you provide us with an email address and a username. You may also provide an optional display name and avatar. None of this information needs to contain your legal name.

Email policy: ScryDeck currently only sends you critical account-related emails — for example, when you sign up, reset your password, or change account settings. We may introduce optional email features in the future, such as a summary of notable price changes in your collection. Any such feature will be strictly opt-in, configurable in your account settings, and will never be used for advertising or third-party promotions. If you no longer wish to receive account-related emails, you can close your account.

Data storage: Your account data is stored in PostgreSQL on DigitalOcean managed infrastructure in the United States. Connection pooling is handled at the edge by Cloudflare Hyperdrive.

Administrator access: ScryDeck administrators have access to the database to investigate and troubleshoot issues. When a team member no longer needs that level of access, we revoke it.

Account deletion: You can close your ScryDeck account at any time from your account settings. Your account is deactivated immediately — you can no longer sign in, and all existing sessions are ended on every device. Your data is retained for 30 days in case you change your mind; during this window, email us at support@scrydeck.com and we can restore your account. After 30 days, your account and all associated data — collection, decks, binders, scan history, and analytics — are permanently deleted. If you'd rather work with a human, or if you're unable to sign in to delete your account yourself, email us at support@scrydeck.com and we will initiate the same 30-day deletion process on your behalf.

Card Scanning and Images

ScryDeck's card scanner uses your device's camera to identify Magic: The Gathering cards. We are specific about what leaves your device:

The camera feed stays on your device. Every frame is processed locally by a web worker running an ONNX Runtime model that detects card corners and tracks stability. The raw camera stream never leaves your browser.

We only send the card crop, never the full frame. Once the local model has confidently detected a card, we crop the card region to a 640×892 WebP image and send just that crop to our inference server (hosted on Modal.com). The rest of the camera frame — the background, your surroundings, your hands — is never transmitted.

The cropped image is not stored anywhere afterward. Not in our database, not in logs, not on the inference server. Once the scan result returns to your device, the image is discarded.

You are always in control. You can pause or resume the scanner at any time.

Session replays do not capture the camera feed. Our PostHog session replays record only the user interface (buttons, layouts, menus) — not the video stream from your camera.

Payment Processing

If you sign up for a paid ScryDeck subscription, the information in this section applies to you.

Data storage: ScryDeck uses Stripe to capture card information and process payments. Stripe adheres to PCI security standards.

Personal information: You provide payment source information such as your credit or debit card details. This information is securely captured by Stripe. ScryDeck team members cannot see your full card number or card security code — we only see the last four digits for identification and support purposes.

Third-Party Service Providers

We use a small number of service providers to operate ScryDeck. Each is contractually obligated to protect your data and process it only for the purposes of providing their service to us.

Service Purpose
PostHog Product analytics and session replay (opt-in)
Stripe Payment processing
Cloudflare Hosting, CDN, edge compute, DNS, DDoS protection
Modal.com Card scanning inference (ML compute)
Resend Transactional email (account and support messages)
DigitalOcean Managed PostgreSQL database
better-auth Account authentication and session management

We do not share your data with advertising networks, data brokers, or other companies not on this list.

Data Retention

We retain data only as long as we need it to operate ScryDeck and meet our legal obligations.

  • Account data (username, email, collection, decks, binders, notes): retained until you close your account.
  • Product analytics (PostHog events): retained for 1 year, then automatically purged.
  • Session replays: retained for 30 days, then automatically purged.
  • Card scan images: not retained — discarded once the scan result returns.
  • Payment records: retained as required by tax and accounting regulations.

Your Rights

You have the following rights regarding your data. These reflect the spirit of GDPR and CCPA, even though ScryDeck does not yet operate in the European Union.

Access: You can see all your account data inside the app at any time. For a complete machine-readable archive, see Portability below.

Correction: You can update your email, username, display name, and other account details from your account settings.

Deletion: You can delete your account from your account settings, or request deletion by email. Your account is deactivated immediately; all data is permanently erased after a 30-day recovery window. See Account deletion above for details.

Portability:

  • Collection Export (coming soon): You will be able to export your collection, binders, and decks as CSV files from your account settings — useful for moving between MTG tools. This feature is on our roadmap.
  • Full archive: For a complete archive of all the data we hold about your account (account metadata, consent history, scan history, and collection data), email support@scrydeck.com and we will send it to you within 30 days.

Analytics opt-out: You can disable product analytics and session replay at any time in your account settings. Visitors to the marketing site can decline analytics via the consent banner shown on first visit.

Consent withdrawal: Anywhere you've granted consent (analytics, terms acceptance), you can withdraw it. Withdrawing consent does not affect the lawfulness of processing that happened while consent was active.

Changes to This Policy

We may update this Privacy Policy from time to time. The Last Updated date at the top of this page always reflects the most recent revision. We track changes with two labels:

  • Material changes — updates that change what data we collect, why we collect it, who we share it with, how long we keep it, or your rights over it. Material changes bump the Policy Version number, are communicated by email and an in-app banner, and require you to re-accept the policy on your next sign-in.
  • Non-material changes — typos, clarifications, reorganizations, or launching features that were already disclosed (for example, removing a "coming soon" label). These bump the Last Updated date but not the Policy Version, and do not require re-acceptance.

You can see every change to this policy in the log below. The full diff history also lives in our version-controlled source code.

Change Log

  • 1.0 — 2026-04-20 — Material. Initial publication of the restructured Privacy Policy. Added explicit disclosure of PostHog product analytics and session replay, named our third-party service providers, documented cookies and local storage, added a Data Retention section, clarified how card scanning images are handled, and added a Your Rights section covering access, correction, deletion, portability, and analytics opt-out.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at support@scrydeck.com.

Powered by Scryfall and MTGJSON

Card prices represent daily estimates and market values provided as-is by our sources. No guarantee is made for any price information — see stores for final prices and details.

ScryDeck is an unofficial, fan-made app and is NOT affiliated, endorsed, or supported by Wizards of the Coast LLC or Hasbro, Inc. Magic: The Gathering, card images, mana symbols, and set icons are copyrighted by Wizards of the Coast LLC.