Privacy Policy

Plain English. We keep what we need to make Rarix work, we don’t sell your data, and you can delete everything from your phone or the web app whenever you want.

Who runs Rarix

Rarix is operated by Rarix LLC (Delaware, USA). One human (Andrei) does the engineering, support, and these legal pages. If anything below sounds vague, email [email protected] and we’ll explain or fix it.

What we collect

To make accounts and the vault work:

  • Email + password. Email is your login. The password is hashed (bcrypt via Better-Auth) — we never see or store the plaintext.
  • Handle + display name. Public on rarix.app/u/@handle if you make a binder public.
  • Avatar + collection data. What you own / want / have for trade. Set completion %. Foil & condition. Notes.
  • Scan attempts. When you scan a card or figure, we store the image, the embedding, the top-K matches, and which one you confirmed. Used to improve the recognition model.
  • Push tokens. If you opt in to notifications, we store the Expo push token + platform.
  • Sessions. A signed cookie identifying your logged-in browser/device. Better-Auth handles rotation.
  • Server-side error logs. When the API errors, we log a stack trace + the request path. No request bodies, no cookies.

We don’t run third-party analytics. No Google Analytics, no Segment, no Meta pixel. No ads anywhere.

Why we collect it (legal basis under GDPR)

  • To run the service you signed up for (Art. 6(1)(b), contract performance) — accounts, vault, scan, public showcase.
  • To improve recognition (Art. 6(1)(f), legitimate interest) — scan_attempts data trains the matcher. You can delete your account and all of it goes (or gets anonymized, see retention).
  • To send you push notifications (Art. 6(1)(a), consent) — opt-in only, off by default. You toggle it in Settings.
  • To maintain security & prevent abuse (Art. 6(1)(f), legitimate interest) — rate limits, B2B API key tracking, honest fraud prevention.

How long we keep it

  • Account + collection data: until you delete your account. After that, fully removed within 30 days from live + backups.
  • Scan attempts: 90 days at full fidelity (linked to your user_id), then anonymized — the row stays in the aggregate ML dataset, but your user_id is set to NULL so the scan can’t be tied back to you. Fully removed if you delete your account before the 90-day mark.
  • Sessions + access tokens: session lifetime is 30 days; revoked on sign-out or account delete.
  • Server logs: 30 days, then rotated out.
  • Backups: rolling 30-day window. Account deletion includes a backup-purge step at the next backup rotation (≤30 days).

Who else touches your data (sub-processors)

We use the following infrastructure providers. Each only sees the data needed to do its job.

  • Postgres database — self-hosted on a Tailscale private network. Your data lives here.
  • Cloudflare R2 (when configured) — image storage. Owned content (Scryfall licensed art, your uploads) stays in r2://owned/; scraped sources stay in r2://cached/ and are never publicly served.
  • Expo push service — relays push notifications to iOS / Android. Sees the push token + the notification body.
  • Dokploy + the deploy host (GCP) — runs the containers.
  • Better-Auth — open-source library, runs in our process. No external SaaS auth provider.

We never sell your data, never share it with advertisers, never use it to train a third party’s model. If that ever changes — it won’t, but if — this page changes first and you get an email.

Your rights

Under GDPR (if you’re in the EU/UK) and CCPA (if you’re in California), and as a default for everyone else:

  • Access: see what we have. The whole vault is visible in-app — but if you want a JSON dump, email [email protected] and we’ll send one within 30 days.
  • Deletion: in-app, instantly, in two taps. Settings → Danger zone → Delete account. Same on web at /app/you.
  • Correction: edit your handle, display name, bio, and showcase visibility in Settings.
  • Export: portfolio CSV export is available in-app under Portfolio. Full account export by email request while we ship the in-app version.
  • Withdraw consent: turn off push, make your showcase private, or delete the account. All instant.
  • Complain: if you’re in the EU, you can lodge a complaint with your local data protection authority. We’d rather hear from you first so we can fix whatever’s wrong.

Children

Rarix is not for anyone under 13. We don’t knowingly collect data from children under 13. If you’re between 13 and 16 and in the EU, check with a parent first. If you suspect a child under 13 has an account, email us and we’ll delete it.

Security

HTTPS everywhere. Passwords hashed via bcrypt. Postgres on a private Tailscale network — not publicly addressable. Row-level security enforces ownership at the SQL layer (you can only ever read/write your own rows, even if the API has a bug). B2B API keys are sha256-hashed at rest, never stored in plaintext.

We’re a small team. If a breach happens, we’ll email affected users within 72 hours and post a public incident report.

Changes to this policy

If we change this policy materially (new sub-processor, new data class, new purpose), we’ll email everyone with an account and bump the date below. Version history lives in our public repo.

Contact

[email protected] for privacy + GDPR + CCPA requests. We answer within 5 business days, usually same day.