Privacy Policy

1. What Data We Collect

Without a Community Account (Local Only)

If you use Decksmith without registering, no data leaves your device. Everything is stored locally:

• Your Magic: The Gathering card collection
• Deck lists you create
• User preferences (currency, display settings)

With a Community Account (Server-Side)

Creating a community account is voluntary. When you do, the following data is stored on our server:

• Email address — required for registration and login
• Username — publicly visible to other community members
• Password — stored as a bcrypt hash; your plaintext password is never stored
• Avatar image — optional profile picture you upload
• Device identifier and device name — to support multi-device login
• Authentication token — stored securely in the iOS Keychain on your device
• Account metadata — creation date, last login date, email verification status
• Follower/following relationships — which community members you follow
• Shared decks — deck name, description, format, and card list if you choose to share them
• Card collection — your collection is visible to users you follow and who follow you

Data We Never Collect

• Real name or postal address
• Usage analytics or behavioral tracking data
• Payment information (the app is free)

2. How We Use Your Data

All data is used exclusively to provide the app's functionality. We do not use your data for advertising or sell it to third parties.

• Card Collection & Deck Building: To display, organize, and manage your MTG cards and decks locally on your device
• Price Tracking: To fetch current market prices from Scryfall
• Authentication: Your email and password hash are used to verify your identity when logging in to your community account
• Community Features: Your username, avatar, shared decks, and card collection are made available to other community members you follow or who follow you
• Multi-Device Support: Device identifier and name are used to manage active login sessions across your devices
• Preferences: Currency and language settings are synced to your account so they persist across devices

Legal Basis: Data processing is based on Art. 6(1)(b) GDPR — processing is necessary for the performance of the service you requested. Where community features involve optional sharing of your data with other users, the legal basis is Art. 6(1)(a) GDPR (your consent, given by voluntarily creating an account and choosing to share content).

3. Third-Party Services

Decksmith Community Server

Community account data (email, username, avatar, shared decks, follower relationships) is stored on our own server at app.decksmith.community. This server is operated by Waldemar Schneider and is located in the EU. No community data is shared with third-party cloud providers beyond the hosting infrastructure.

Scryfall API

Decksmith uses the Scryfall API to search for cards, download card images and data, and fetch current prices. When you search for cards, requests are sent directly to Scryfall. Please review Scryfall's Privacy Policy for details.

Apple App Store

Decksmith is distributed via Apple's App Store. Apple may collect crash reports and usage data as outlined in Apple's Privacy Policy.

4. Data Storage & Security

On Your Device

• Local database: Card collection, decks, and preferences are stored using Apple's SwiftData framework in the app's sandboxed storage
• Keychain: Your authentication token is stored in the iOS Keychain, which is encrypted and inaccessible to other apps
• Backups: Local app data is included in your device's iCloud or iTunes backups (controlled by you)

On Our Server (Community Accounts Only)

• Database: Account data is stored in a MySQL database on our server at app.decksmith.community
• Passwords: Passwords are hashed using bcrypt before storage — we cannot recover your plaintext password
• Transport security: All communication between the app and our server uses HTTPS/TLS encryption
• Avatar images: Uploaded avatar images are stored as files on our server and served via a public URL

5. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

• Right to Access: You can view your local data directly in the app. For community account data held on our server, contact us at info@decksmith.community to request a copy
• Right to Rectification: You can update your username, avatar, and currency preference directly in the app's account settings
• Right to Erasure: Local data is deleted when you uninstall the app. To delete your community account and all associated server-side data (email, username, avatar, shared content, follower relationships), contact us at info@decksmith.community
• Right to Data Portability: Export features are planned for a future update. For now, contact us to request your data in a structured format
• Right to Withdraw Consent: You may withdraw your consent to community features at any time by requesting account deletion. This does not affect the lawfulness of processing prior to withdrawal
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The competent authority for Germany/Bavaria is: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — poststelle@lda.bayern.de

To exercise any rights relating to server-side data, please contact us at info@decksmith.community. We will respond within 30 days.

6. Children's Privacy

The community features of Decksmith require account registration, which involves processing an email address. Under GDPR, users under 16 years old require parental or guardian consent to create an account. If you become aware that a child under 16 has registered without consent, please contact us at info@decksmith.community and we will delete the account promptly. Users who do not create a community account can use the app without any age restriction, as no personal data is collected.

7. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. When we do:

• The "Last updated" date at the top will be revised
• We'll notify you through the app, via App Store update notes, or on our website
• Continued use of the app constitutes acceptance of changes

8. Data Controller

The person responsible for data processing within the meaning of Art. 4(7) GDPR is:

9. Contact Us

If you have questions about this Privacy Policy or Decksmith's privacy practices, please contact us: