PokéGemGrader

Privacy Policy

Last updated: April 27, 2026 · Effective: April 27, 2026

This Privacy Policy explains how El Grizzly Blanco Corp. (“PokéGem Grader,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use the PokéGem Grader website, mobile applications, Discord bot, and related services (collectively, the “Service”). It also describes the rights you have over your personal information.

El Grizzly Blanco Corp. is a corporation incorporated under the Canada Business Corporations Act. The PokéGem Grader brand is operated by El Grizzly Blanco Corp. and may, in future, be transferred to a wholly-owned subsidiary; that change will not reduce your privacy rights, and we will update this policy if and when it occurs.

We are the “controller” or “organization” responsible for your personal information for purposes of the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial laws (including Quebec’s Law 25, BC’s PIPA, and Alberta’s PIPA). For users in the EEA and UK, we are the “controller” under the EU and UK General Data Protection Regulation (“GDPR”). For California residents, we are a “business” under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).

1. Who we are

  • Legal entity: El Grizzly Blanco Corp.
  • Incorporated under: the Canada Business Corporations Act (federal)
  • Mailing address: 123 Main Street, Suite 100, Toronto, ON M5V 0A1, Canada [PLACEHOLDER — set up virtual office before launch]
  • Privacy contact: privacy@pokegemhq.com
  • EU representative (Art. 27 GDPR): [PLACEHOLDER — appoint an EU Art. 27 representative (e.g. Prighter or VeraSafe) before accepting EEA users]
  • UK representative: [PLACEHOLDER — appoint a UK Art. 27 representative before accepting UK users]

2. Information we collect

We collect only what is necessary to provide and secure the Service:

  • Account information — name, email address, and a hashed password (or third-party identifier if you sign in with a social provider) when you create an account. You confirm at signup that you are 18 years old or older.
  • Card images — photographs you upload for AI grading. Images are processed entirely in memory on our servers and are never written to persistent storage. The bytes are transmitted to our AI processor for analysis and are discarded immediately after the response is returned. See “Data retention” for details.
  • Grading results and history — the grades, condition assessments, and certificate identifiers we generate for you, together with a small thumbnail or hash of the source image used to render your history.
  • Portfolio, binder, and wantlist data — card names, sets, conditions, prices, and notes that you choose to add. You control whether this data is stored only on your device or synced to your account.
  • Subscription and usage data — your plan tier, the number of grades you have run, and limits applied to enforce free and paid quotas.
  • Payment information — we do not receive or store your full card number, CVC, or bank credentials. Our payment processor handles those directly. We receive a customer identifier, the last four digits of the card, the card brand, the billing country, and your subscription status.
  • Discord data (if you use the Discord bot) — when you invoke a slash command (such as /grade) with an image attachment, we receive your Discord user ID, the server (guild) ID, and the attachment bytes. We do not read messages that you do not address to the bot through a slash command. Operational logs may temporarily record user IDs and command-execution events for security and debugging.
  • Mobile app data (iOS/Android) — when you use a mobile build, the operating system may share device identifiers, push-notification tokens, and crash reports with us. Permission to access your camera or photo library is requested only when you choose to upload an image, and the image is uploaded only after you confirm.
  • Technical and log data — IP address, user-agent string, approximate location derived from IP, timestamps, and request paths. We use this for security, abuse prevention, and debugging.
  • Communications — if you contact support, we keep your message and our reply.

3. How we use your information and legal bases

We use personal information for the purposes listed below. For users in the EEA, UK, and Switzerland, the legal basis under GDPR Article 6 is shown in parentheses. For users in Canada, processing is based on your express or implied consent under PIPEDA and applicable provincial law.

  • To create and authenticate your account, deliver grading results, and enforce plan limits (performance of a contract).
  • To process subscription payments and prevent payment fraud (performance of a contract; legitimate interest in fraud prevention).
  • To send transactional emails such as receipts, password resets, and important service notices (performance of a contract).
  • To send marketing emails about new features, but only if you have opted in (consent; you can withdraw at any time).
  • To secure the Service, prevent abuse, detect bots and credential-stuffing, and enforce our Terms (legitimate interest).
  • To comply with legal obligations, including tax, accounting, and lawful requests from authorities (legal obligation).
  • To improve the Service through aggregated, de-identified analytics. We do not use your card images to train, fine-tune, or evaluate any AI model, and our AI processor is contractually prohibited from doing so (legitimate interest).

We do not sell your personal information. We do not share it with advertisers, and we do not engage in “cross-context behavioral advertising” as defined by the CCPA/CPRA. We do not currently use any analytics, tracking pixels, or cross-site cookies.

4. Sub-processors and service providers

We rely on a small number of vetted sub-processors to operate the Service. Each is bound by a written data-processing agreement and is permitted to process personal information only on our instructions and only as needed for the categories below.

  • Authentication and database — to register your account, authenticate sign-in, and store account-related data. Data residency is the region you selected at signup.
  • AI processing — to analyse the images you submit for grading. Our AI provider is contractually prohibited from using your data to train any model and retains data only for short-term abuse monitoring.
  • Payment processing — to process subscription payments. Our payment processor is PCI-DSS Level 1 certified; we never receive your full card number, CVC, or bank credentials.
  • Cloud hosting and bandwidth — to operate the website, mobile back-end, and Discord bot. Standard server logs (IP, user-agent, request path) are retained for up to 30 days for security and reliability purposes.
  • Transactional email — to deliver receipts, password resets, and service notices.
  • Discord (if you use the Discord bot) — the Discord platform processes the slash commands you send to the bot under Discord’s own privacy policy.
  • Mobile app stores — handle app distribution, in-app receipts, and crash reporting under their own policies.

An up-to-date list of named sub-processors, including legal entity names and processing locations, is available on request from privacy@pokegemhq.com. We do not publicly disclose the identities of our backend service providers.

5. International data transfers

We are based in Canada. Some of our sub-processors are located in the United States or other countries outside Canada, the EEA, the UK, and Switzerland. Canada benefits from a partial adequacy decision from the European Commission for commercial-sector personal information processed under PIPEDA, which permits routine transfers from the EEA to Canada. For onward transfers from us to non-adequate jurisdictions, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (SCCs) and equivalent UK and Swiss mechanisms. You may request a copy of the relevant transfer mechanism by emailing privacy@pokegemhq.com.

6. Automated decision-making

The grading feature applies an AI model to your uploaded image to produce an estimated grade. This is automated processing, but the result is an estimate only — it does not produce a legal effect on you and is not used to deny you access to financial, employment, housing, or similar opportunities. You are not subject to a decision based solely on automated processing of the kind covered by GDPR Article 22 or Quebec Law 25’s automated-decision provisions.

You can always request human review of any grading result by emailing us, and you can choose not to use the grading feature without losing access to other parts of the Service.

7. Cookies and similar technologies

We use a small number of strictly-necessary cookies and equivalent local-storage entries to keep you signed in, remember your plan, and protect against cross-site request forgery. We do not currently run any analytics, advertising, or cross-site tracking technologies.

If we add analytics in the future, we will update this policy and, where required, ask for your consent before any non-essential tracker loads. You can clear cookies and local storage at any time through your browser settings.

8. Data retention

  • Account data — kept for as long as your account is active.
  • Card images — processed entirely in memory and never written to persistent storage on our servers. Bytes exist only for the duration of a single request and are discarded immediately after the AI response is returned.
  • Grading results, certificates, and scan history — kept for as long as your account is active so that you can refer back to them. You can delete individual entries from your account at any time.
  • Portfolio, binder, and wantlist — kept for as long as your account is active or until you delete the entries.
  • Server logs — up to 30 days, then deleted or anonymised.
  • Discord-bot operational logs — up to 30 days for security and debugging, then deleted.
  • Support correspondence — up to 24 months from the last interaction.
  • Account deletion — when you ask us to delete your account (see Section 10), we delete or anonymise your personal information within 30 days, except for records we are required to keep by law (for example, tax and accounting records, retained for up to 7 years) and minimal records needed to defend legal claims.
  • Payment records — our payment processor retains payment records for up to 7 years as required by financial regulations.

9. How we protect your information

We use industry-standard technical and organisational measures including TLS encryption in transit, encryption of sensitive fields at rest, role-based access controls, secret rotation, audit logging, and least-privilege access for employees and contractors. Access to production systems is limited to personnel who need it for a specific business purpose.

No system can be guaranteed 100% secure. If a personal-information breach occurs that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected users as required by PIPEDA, and the relevant EU/UK supervisory authority within 72 hours where GDPR applies.

10. Your privacy rights

Depending on where you live, you may have some or all of the following rights:

  • Access — a copy of the personal information we hold about you.
  • Correction — fix inaccurate or incomplete data.
  • Deletion / erasure — request that we delete your personal information.
  • Portability — receive your personal information in a structured, commonly used, machine-readable format.
  • Objection / restriction — object to or restrict certain processing.
  • Withdraw consent — where processing is based on your consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — with your local privacy authority (in Canada, the Office of the Privacy Commissioner of Canada or your provincial equivalent; in the UK, the Information Commissioner’s Office; in the EU, your member-state supervisory authority).

To exercise any of these rights:

  • Data export: use the in-app CSV export available from your account page.
  • Account deletion: email privacy@pokegemhq.com from the address on your account. We will verify your identity and complete deletion within 30 days.
  • Other requests (access, correction, objection, etc.): email privacy@pokegemhq.com with details of your request.

We will respond within 30 days (extendable by a further 60 days where the request is complex, in which case we will tell you why). We do not charge a fee for reasonable requests and will not discriminate against you for exercising your rights.

11. Notice for California residents (CCPA/CPRA)

If you are a California resident, you have the rights described above plus the following, regardless of whether you have an account:

  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of. We do not knowingly sell or share the personal information of consumers under 16.
  • Right to limit use of sensitive personal information — we do not collect sensitive personal information for the purpose of inferring characteristics about you.
  • Right of non-discrimination — we will not deny you the Service, charge you a different price, or provide a different level of quality because you exercised a privacy right.

Categories collected (last 12 months): identifiers (name, email, IP), commercial information (subscription tier, transaction history), internet/network activity (log data), visual information (card images, processed in memory and not retained), and inferences drawn from the foregoing. Sources: directly from you, your device, and our payment processor. Disclosed for a business purpose to the sub-processors described in Section 4.

To exercise your California rights, email privacy@pokegemhq.com. You may designate an authorized agent in writing.

12. Notice for Quebec residents (Law 25)

If you are a Quebec resident, your personal information is also protected by Quebec’s Act respecting the protection of personal information in the private sector (Law 25). In addition to the rights described above, you have the right to be informed of any automated decision made exclusively about you and to request that a human review it. You may contact our privacy contact at privacy@pokegemhq.com to exercise your Quebec rights or to file a complaint with the Commission d’accès à l’information du Québec.

13. Children's privacy

The Service is restricted to users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact us at privacy@pokegemhq.com and we will delete it promptly.

14. Mobile applications

Our iOS and Android apps may request access to your camera and photo library so that you can upload a card image. These permissions are requested at the moment of use and can be revoked at any time in your device settings. Crash and diagnostic reports may be processed by the relevant app store under its own policy; you can opt out in your device settings.

15. Enterprise customers

If you access the Service under an enterprise plan or pursuant to a written Master Services Agreement and Data Processing Agreement with us, the terms of those agreements govern the processing of your organisation’s personal information and supersede this Privacy Policy to the extent of any conflict. Individual end-users of an enterprise plan continue to have the rights described in this policy.

16. Third-party links and services

The Service may contain links to third-party websites or services we do not control. This Privacy Policy does not apply to those sites; please review their privacy policies before providing them with personal information.

17. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

18. Contact

Questions or concerns about this policy or our handling of your personal information? Reach the privacy team at privacy@pokegemhq.com, or contact general support at hello@pokegemhq.com.