Your Data

Privacy Policy

Last updated June 2026

This is a plain-English summary of what Verdict does with your data. If something here isn’t clear, ask us.

Who We Are

Verdict is operated by Verdict Analytics, LLC, a Mississippi limited liability company. For purposes of GDPR and similar laws, we are the “data controller” for personal information processed through this site.

Mailing address:
Verdict Analytics, LLC
102 Indian Creek Blvd
Flowood, MS 39232
United States

Privacy contact: support@verdict.cards

What We Collect

  • Account information when you sign in — your email address and, if you set one, a salted-and-hashed password (stored by Supabase Auth; Verdict never sees the plaintext).
  • Searches you run. The normalized query (lowercase, punctuation stripped) is used as a cache key so repeat searches are faster and can be enriched over time.
  • Collection, Watchlist, and Player Collection entries you save — the card query, purchase price, target price, notes, sealed-product format, and timestamps. Stored in Supabase tied to your account.
  • Photos you upload to the Grade Tool, AI Snap card identification, Lot Calculator bulk identification, or cert scanning. AI Snap photos route by category: CardSight identifies cards from supported categories (sports, Magic, Pokémon), and Anthropic Claude identifies cards from other categories (Yu-Gi-Oh, Lorcana, One Piece, Bo Jackson Battle Arena, non-sport, etc.) as well as serving as a fallback when CardSight can’t identify a supported-category card. Grade Tool grade prediction, Lot Calculator multi-card identification, bounds detection, and cert OCR all route to Anthropic Claude. Photos are processed and not stored by us after the response is returned. Neither provider uses your photos to train their models.
  • Billing information if you subscribe to Pro or Founders. Stripe collects your billing email, name, address, and payment card directly — Verdict never sees or stores the card number. Stripe returns a customer ID and subscription status which we store in Supabase so we can grant access to paid features.
  • Basic technical logs — browser user-agent, errors, and request/response timing. Used for debugging; not sold.

What We Don’t Collect

  • We don’t use tracking cookies, advertising pixels, or any cross-site tracking. The analytics we do use (see below) are cookieless and anonymous.
  • We don’t see or store your payment card number — Stripe collects that directly and we only receive a customer ID and subscription status.
  • We don’t collect demographic, location-precision, or contact-list data. Nothing about you beyond what’s listed above.

Cookies & Tracking Technologies

Verdict does not set any tracking cookies, advertising cookies, or analytics cookies. No consent banner is shown because there’s nothing requiring consent to refuse. We’ve deliberately chosen technologies that work without cross-site tracking:

  • Vercel Speed Insights measures page-load performance using anonymous metrics — no cookies, no identifiers.
  • Vercel Web Analytics counts page views and aggregate traffic to help us understand which tools get used. It is cookieless and does not build a cross-site profile of you; visitor data is anonymized and not tied to your identity.
  • Sentry captures uncaught application errors so we can fix bugs. By default and in our configuration, the Sentry SDK does not set cookies; Session Replay, which would store browsing context, is explicitly disabled.
  • Your browser’s localStorage is used only for UI preferences — search history, the active category tab, expanded Pop Report rows, sort/filter selections, and grid-vs-list view. Your Collection, Watchlist, and Player Collections are not in localStorage; they live in Supabase tied to your account so they sync across devices. You can clear the local UI preferences at any time via your browser’s Site Settings.
  • Supabase Auth session cookies are set when you sign in. They are strictly necessary first-party cookies that keep you logged in — under GDPR, ePrivacy, and CCPA, strictly necessary cookies do not require prior consent. They expire when you sign out or when the refresh window lapses.

If we ever introduce optional analytics, advertising, or personalization cookies, we’ll add a consent banner that lets you opt in or out before the cookie is set — not retroactively, and not with a pre-checked “agree” box. Until that happens, none of this infrastructure is in place because none of it is needed.

Who Sees Your Data

To run the product, your data is passed through a handful of third-party services. None of them receive data beyond what’s needed to deliver their function. The Sub-Processors page has each vendor’s DPA and privacy policy link.

  • Supabase — auth (email, hashed password, session cookies) and database (sales history, your Collection, Watchlist, Player Collections). Hosted in the US. Per-user row-level security keeps each account’s data isolated.
  • CardSight — our primary catalog and pricing provider, and the vision provider for AI Snap identification on the search page for supported categories (sports, Magic, Pokémon). Sees the card query text and, for AI Snap on those categories, the photo. Does not see your Collection, Watchlist, account, or contact information.
  • Anthropic (Claude) — vision provider for Grade Tool grade prediction, Lot Calculator multi-card identification, AI bounds detection, and cert-label OCR. Also handles AI Snap photos for any category CardSight doesn’t identify (Yu-Gi-Oh, Lorcana, One Piece, Bo Jackson Battle Arena, non-sport, etc.) and as a fallback when CardSight can’t identify a supported-category card. Receives the photos and text prompts needed for the request. Anthropic’s enterprise API terms apply — photos are not used to train models.
  • GemRate — grading population data for PSA, BGS, SGC, CGC, and CSG. Sees the card query text only (or a cert number if you submit one through cert lookup). No personal data.
  • TCGplayer — ungraded TCG market price. Sees the card query text only.
  • eBay — sold-listing comp data via their public Browse / Marketplace APIs. They see the card query text and server IP. Verdict is not affiliated with, endorsed by, or sponsored by eBay Inc. — we use their public listings data the same way a price aggregator uses a store’s catalog.
  • Apify — server-side eBay listing retrieval (Lot Calculator URL imports) and fallback comp data when the official eBay API isn’t available or rate-limited. Sees the eBay listing URL or search query. No personal data.
  • SerpAPI — fallback eBay sold-listing search when CardSight and the eBay API are both unavailable. Sees the card query text. No personal data.
  • Stripe — payment processing and subscription billing for Pro and Founders tiers. Collects billing email, name, address, and card data directly — Verdict never sees the card number. Returns a customer ID and subscription status, which we store in Supabase.
  • Resend — transactional email delivery for account email (sign-in magic links, password resets, billing receipts). Sees the recipient address and message content.
  • Sentry — uncaught application error monitoring. Cookieless. Session Replay is explicitly disabled.
  • Vercel — hosts the site and processes every request. Also provides cookieless Web Analytics and Speed Insights.

We don’t sell or rent your data to anyone. Not today, not later.If that ever changes, we will update this policy with advance notice and an opt-out mechanism before any sharing begins.

eBay Data: What, Why, and How

Verdict’s prices come from publicly visible sold-listing data from eBay. We don’t access anyone’s eBay account, order history, or private messages. We don’t store individual buyer or seller usernames. We cache the listing titles, sold prices, sale dates, shipping costs, and public listing URLs so long-term trend analysis is possible after eBay removes a sale from its rolling 90-day window.

How Long Data is Kept

  • Sales history: retained indefinitely to power long-term trend charts.
  • Your collection/watchlist entries: until you delete them.
  • Photos you upload: processed in memory and discarded.
  • Search logs: retained up to 30 days for debugging, then rotated out.

International Users & Data Transfers

Verdict is operated from the United States and welcomes users worldwide, with the exception of jurisdictions subject to comprehensive US sanctions (currently Cuba, Iran, North Korea, Syria, and the Russian-occupied regions of Ukraine). If you use Verdict from outside the United States, you understand and agree that your data will be transferred to, stored in, and processed in the United States.

Our infrastructure and service providers (Supabase, Vercel, Sentry, Anthropic, CardSight, GemRate, TCGplayer, eBay, SerpAPI, Apify, Stripe, Resend) all process the data we send them in the United States, or in the case of Apify, in the European Union. For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and the corresponding UK/Swiss addenda — in place with each vendor through their published Data Processing Agreements — as the legal basis for those transfers. See our Sub-Processors page for the full list of vendors and links to each DPA.

US privacy law does not currently offer the same protections as GDPR or UK GDPR. You have the right to know this before using the service. The rights section below describes how we close that gap in practice.

Lawful Basis for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we process personal data on the following lawful bases:

  • Legitimate interest — for running the free tier, serving search results, logging errors so we can fix bugs, and aggregate analytics. Our interest is operating a functional product; your interest is using one that works.
  • Contract performance — for paid Pro subscriptions: storing your collection and watchlist, sending watchlist alert emails, and billing.
  • Consent — for any future optional marketing email (not currently offered). You will be asked to opt in before any marketing email is sent; you can withdraw consent at any time.
  • Legal obligation — for responding to lawful requests from authorities and for retaining records required by tax and consumer-protection law.

Your Rights

Regardless of where you live, Verdict provides the following rights. We apply the most-user-friendly standard to every visitor, not just those in jurisdictions that legally require it:

  • Right to know what we store — see the “What We Collect” section above. If you want a specific data export, email us.
  • Right to access — your collection and watchlist entries are always visible and exportable in-app.
  • Right to delete — remove any collection or watchlist card in-app (permanent and immediate), or email us to wipe everything associated with you within 30 days.
  • Right to correct — editable data is editable in-app. For anything else, email us and we’ll fix it.
  • Right to opt out of sale — moot, because we do not sell your data. If we ever begin sharing data for commercial purposes, you will have a clear opt-out before it starts.
  • Right to non-discrimination — exercising any of these rights will not result in degraded service, price changes, or reduced features.

California, Virginia, Colorado, Connecticut, Utah, EU/UK residents— you have the same rights above under your local privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, GDPR, UK GDPR). Mississippi does not currently have a comprehensive consumer privacy law, but Mississippi residents enjoy the same protections by our choice.

GDPR / UK GDPR users additionally have:

  • Right to restriction of processing — ask us to stop processing your data while a dispute is resolved.
  • Right to data portability — request a copy of your collection, watchlist, and account data in a structured, machine-readable format (CSV/JSON).
  • Right to object — object to processing based on legitimate interest at any time; we will reassess and either stop or document why our interest overrides.
  • Right not to be subject to automated decisions — Verdict does not make automated decisions with legal or similarly significant effects about you. AI grade predictions and card identifications are informational outputs, not decisions about you.
  • Right to lodge a complaint with your local supervisory authority — you can find your country’s authority at edpb.europa.eu (EU) or ico.org.uk (UK). We’d appreciate the chance to address concerns first, but you don’t have to come to us first.

To exercise any right, email support@verdict.cards. We will respond within 30 days (GDPR) or 45 days (CCPA), and we may ask for information sufficient to verify your identity before acting on access or deletion requests.

Data Breach Notification

If we discover a security incident that affects personal data, we will notify affected users by email (if we have an address) or by a prominent in-app notice within 72 hours of confirmation, as required by applicable law. The notice will describe what happened, what data was involved, and what steps you can take.

Age & Children

You must be 16 or older to use Verdict. We’ve chosen 16 as a single global minimum because it is the most protective threshold across the jurisdictions where users may sign up (GDPR allows EU member states to set 13–16; we use the high end). This is stricter than what US law (COPPA, 13) requires, by design.

Verdict is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child under 16 has provided data to Verdict, email support@verdict.cards and we will delete the account and associated data promptly.

Changes

If this policy changes materially, we’ll update the “Last updated” date at the top and surface a notice in the app. For small clarifications, we’ll just update the page.

Contact

Questions, data access, or deletion requests: support@verdict.cards, or write to us at the mailing address above. Full options on the Contact page.