Who we are
Carder is operated by Scott Barker, a sole trader registered in the United Kingdom (trading as "Carder"). For the purposes of UK data protection law, Scott Barker trading as Carder is the data controller for personal data collected through the Carder app and website.
If you have any questions about how we handle your data, you can reach our privacy contact at the address below.
Privacy contact
privacy@carder.uk
Data we collect
We collect only what is necessary to operate the Carder marketplace. Here is a plain-English breakdown of every category of personal data we hold.
Account information
- Your name and email address, provided on registration
- A profile photo and short bio, if you choose to add them
- Your account settings and preferences
Delivery addresses
- Postal addresses you provide when checking out as a buyer
- Your default delivery address, if saved in settings
Collection data
- Which Pokémon TCG cards you have added to your collection
- Quantities and condition grades per card
- Set and series completion percentages (derived from your card data)
- Collection settings and preferences
Transaction records
- Orders you have placed as a buyer and received as a seller
- Order amounts, delivery fees, and platform fee amounts
- Dispatch information including carrier and tracking number
- Order status history and timestamps
Listing data
- Cards you list for sale, including prices, conditions, and quantities
- Your seller settings, including delivery tier pricing
Listing photos
For cards listed at £25 or more, sellers are required to upload photos. These are stored on Cloudflare R2. Photos are deleted when the listing is removed.
Opening verification videos
Retention note: Opening verification videos are stored on Cloudflare R2 and are automatically deleted 90 days after the associated order is marked as completed or cancelled. Videos are used only for dispute resolution within this window.
- Video recordings of sealed product openings, created for dispute resolution purposes
- Uploaded only where both parties have agreed to the opening verification process
Reviews
- Star ratings and tags you leave for sellers after completed orders
- Star ratings and tags left for you by buyers
- Reviews are permanent and cannot be deleted — they form part of the public trust record
Push notification tokens
- Device push tokens used to deliver order and activity notifications
- Only collected if you grant notification permission on your device
Basic usage data
- App feature usage patterns used to improve the product
- Error logs and crash reports for debugging
- We do not run advertising analytics or third-party tracking
How we use your data
We use your personal data for the following purposes:
- Operating the marketplace — matching buyers to relevant sellers, processing orders, and maintaining your account
- Enabling transactions — sharing your delivery address with the seller when you complete a purchase so they can dispatch your order
- Delivering notifications — sending push notifications about your orders and activity, where you have granted permission
- Sending transactional emails — order confirmations, dispatch notifications, and account-related communications via Resend
- Resolving disputes — using opening verification videos during their 90-day retention window to assist with disputed sealed product orders
- Improving the platform — aggregated and anonymised usage data to understand which features are most valuable
- Legal compliance — retaining financial records as required by UK tax law (HMRC requirements)
- Fraud prevention and platform security — detecting and preventing misuse of the platform
Legal bases for processing
Under UK GDPR Article 6, we rely on the following legal bases. We rely on the most appropriate basis for each type of processing — we do not use consent as a catch-all.
Contract performance (Article 6(1)(b))
Processing your name, email address, delivery address, collection data, and transaction records is necessary to create and operate your Carder account and to fulfil orders you place or receive.
Legitimate interests (Article 6(1)(f))
We process basic usage analytics and operate platform security measures on the basis of our legitimate interest in maintaining a well-functioning, secure marketplace. We have assessed that this processing does not override your privacy interests.
Legal obligation (Article 6(1)(c))
We retain transaction and financial records for 7 years from the date of each transaction. This is required by HMRC under UK tax law and we cannot honour deletion requests for this category of data within that period.
Consent (Article 6(1)(a))
We send push notifications only where you have granted notification permission on your device. You can withdraw this consent at any time in your device's notification settings. Withdrawing consent does not affect the lawfulness of any notifications sent before withdrawal.
Data sharing
We do not sell your personal data. We do not share it with advertisers or data brokers. We share data only in the following circumstances.
With Stripe (payment processing)
Stripe processes all payments on the platform. Stripe is an independent data controller — see the Stripe section below for details. We do not store payment card details.
With other Carder users
- Your seller profile, name, and active listings are visible to all Carder users
- When you complete a purchase, your delivery address is shared with the seller so they can dispatch your order. It is not shared for any other purpose and sellers are bound by these terms to use it only for order fulfilment
- Star ratings and reviews you leave are attributed to you publicly by display name
With data processors
We share data with processors who act on our instructions and must meet our data protection standards. See the Data Processors section for the full list.
Where required by law
We may disclose personal data where required to do so by law, court order, or to prevent or detect fraud or criminal activity.
Stripe
Stripe is an independent data controller. When you make or receive a payment through Carder, your payment data is handled directly by Stripe, Inc. Carder does not store or have access to your payment card details at any point.
Stripe's processing of your data is governed by their own privacy policy, available at stripe.com/gb/privacy. We encourage you to read it.
Sellers connect to Stripe Connect to receive payouts. Stripe collects additional verification information from sellers (such as identity and bank account details) as part of their Know Your Customer (KYC) obligations. This information is processed by Stripe under their own legal bases and privacy policy.
Data processors
The following companies process personal data on our behalf as data processors. They act only on our instructions and are contractually bound to protect your data.
- Cloudflare, Inc. (USA) — Cloudflare R2 storage for listing photos and opening verification videos; CDN and DDoS protection for the app and website
- Railway, Inc. (USA) — Hosting and running the Carder API and application infrastructure
- Resend, Inc. (USA) — Delivery of transactional emails (order confirmations, dispatch notifications, account communications)
- Supabase, Inc. (USA) — Hosted PostgreSQL database storing your account data, collection data, transaction records, and all other app data
Where processors operate outside the UK, we rely on appropriate safeguards as described in the International Transfers section below.
International transfers
All four of our primary data processors (Cloudflare, Railway, Resend, and Supabase) are headquartered in the United States. Transferring personal data to the US requires appropriate safeguards under UK GDPR Chapter V.
We rely on the following mechanisms as appropriate for each processor:
- UK International Data Transfer Agreements (IDTAs) or equivalent Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
- UK adequacy regulations where the destination country or framework has been assessed as providing adequate protection
If you would like details of the specific safeguards in place for any processor, contact privacy@carder.uk.
Data retention
We keep your data only for as long as necessary. Here is our retention schedule for each category:
- Account data (name, email, profile, settings) — deleted within 30 days of a verified account deletion request
- Collection data — deleted on account deletion
- Transaction records — retained for 7 years from the date of each transaction, as required by HMRC under UK tax law. Deletion requests cannot be honoured for this category within this period
- Opening verification videos — automatically deleted 90 days after the associated order is completed or cancelled, with no manual intervention required
- Listing photos — deleted when the listing is removed
- Reviews — permanent. Reviews form part of the public trust record of the platform and cannot be deleted, even on account deletion. Attributed reviews will be anonymised to "Former User" if you delete your account
- Push notification tokens — deleted when you disable notifications in device settings or delete your account
- Usage and error logs — retained for up to 12 months for security and debugging purposes, then deleted
- Delivery addresses — retained on your account until you delete them or delete your account. Addresses embedded in transaction records are retained with those records per the 7-year schedule above
Your rights
Under UK GDPR, you have the following rights regarding your personal data. We make most of these available directly in the app.
Right of access
You may request a copy of the personal data we hold about you. An in-app data export is available in Settings → Privacy. You can also request a full export by emailing privacy@carder.uk.
Right to erasure
You may request deletion of your account and personal data via Settings → Delete Account. Note that transaction records must be retained for 7 years per our legal obligation, and reviews are permanent.
Right to rectification
You may correct inaccurate personal data at any time through your in-app account settings. Contact privacy@carder.uk if you cannot correct something in-app.
Right to restriction
You may request that we restrict processing of your data in circumstances where you contest its accuracy, object to processing, or require it for legal claims. Contact privacy@carder.uk.
Right to object
You may object to processing based on our legitimate interests. Contact privacy@carder.uk with details of your objection.
Right to data portability
You may receive your data in a structured, commonly-used, machine-readable format (JSON). This is available via the in-app data export function.
Right to withdraw consent
Where processing is based on consent (push notifications), you may withdraw consent at any time by disabling notifications in your device settings.
Right to complain to the ICO
If you believe we have not handled your data in accordance with UK data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concern before you contact the ICO. Please email privacy@carder.uk first.
Children
The Carder app is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account or provided us with personal data, please contact privacy@carder.uk and we will take steps to delete the data promptly.
Users must be 18 or over to sell on Carder, as required by our Terms of Service.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes — changes that affect how we use your data or your rights — we will communicate them via:
- A push notification or in-app message, where you have notifications enabled
- An email to the address associated with your account
The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Carder app after a material change constitutes acceptance of the updated policy.
For minor changes (corrections, clarifications that do not affect data processing), we will update the policy without individual notice.
Contact
If you have any questions about this Privacy Policy, want to exercise a data right not available in-app, or have concerns about how we handle your data, please contact us.
Data controller contact
privacy@carder.uk
We aim to respond to all data-related enquiries within 30 days. For urgent matters, please indicate this in your subject line.
You may also unsubscribe from marketing and transactional emails using the unsubscribe link in the footer of any email we send. Note that unsubscribing from transactional emails (such as order confirmations) is not possible while your account is active, as these are necessary to fulfil your contract with us.