Privacy Policy

Last updated: 15 April 2026

This Privacy Policy explains what personal data 20cards collects, why it collects it, who it shares it with, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR) and Italian Legislative Decree 196/2003 as amended.

1. Data controller

20cards is operated as a non-commercial fan project by a private individual based in Italy. The data controller can be contacted at:

The controller's full legal identity and postal address are not published on this page in order to protect the operator's privacy as a private individual. They will be disclosed without undue delay upon a formal written request by:

  • a data subject exercising their rights under GDPR Articles 15–22, sent from the email address tied to their 20cards account;
  • the Italian data protection authority (Garante per la protezione dei dati personali) or another competent supervisory authority within the European Economic Area.

2. What data we collect

Depending on how you use the site, we may process the following categories of personal data:

  • Account data (authenticated users only)
    Email address and an encrypted password managed by our authentication provider. We never see or store your password in plain text.
  • Collection data
    The list of Pokémon TCG Pocket cards you mark as owned (card IDs and counts) linked to your account.
  • Saved decks
    Deck name, description, card list, cover card, and a visibility flag (public / private) that you control.
  • Anonymous decks (guest users)
    If you save a deck without an account, the deck is stored without any personal identifier. A random identifier is kept in your browser so that the deck can be claimed by your account if you sign up later.
  • Technical and usage data (with consent)
    If you accept analytics cookies, we use Google Analytics 4 to collect aggregated information about how the site is used: pages visited, browser and device type, approximate location based on IP, referral source. You can reject analytics at any time — see the Cookie Policy.
  • Performance and error data
    We use Vercel Analytics and Vercel Speed Insights to collect anonymous, cookie-less performance metrics (page load times, core web vitals). These do not identify individual users.

We do not collect special categories of personal data (health, biometrics, political views, etc.). We do not ask for your real name, address, or payment information — the service is free and has no commercial transactions.

3. Why we process your data and legal basis

Purpose | Legal basis (GDPR Art. 6)
Creating and managing your account, saving your decks and collection, showing you personalised features | Performance of a contract — Art. 6(1)(b)
Keeping the site secure, preventing abuse, enforcing fair-use limits on guest actions | Legitimate interest — Art. 6(1)(f)
Measuring usage via Google Analytics 4 | Your consent — Art. 6(1)(a)
Cookie-less performance and reliability metrics (Vercel Analytics / Speed Insights) | Legitimate interest — Art. 6(1)(f)

4. Who we share your data with

We do not sell your data and we do not share it for marketing purposes. We do rely on a small set of carefully chosen service providers (“data processors”) that help us run the site:

  • Supabase Inc. (USA)
    Authentication, database, and backend storage. Your account credentials, collection and decks are stored on Supabase infrastructure.
  • Vercel Inc. (USA)
    Hosting and deployment of the site, plus Vercel Analytics and Speed Insights for anonymous performance measurement.
  • Google Ireland Limited (IE) / Google LLC (USA)
    Google Analytics 4 for usage measurement — loaded only after you give consent. Google Gemini generative AI may be used on the server for deck suggestion features; when this feature is active it only processes the card IDs you pick, never your account data.

These providers may process your data on servers outside the European Economic Area. Transfers to the United States are covered by the EU-US Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission. You can review each provider's privacy policy via the links in the Cookie Policy.

5. How long we keep your data

  • Account data: kept as long as your account exists. When you delete your account, your email and authentication record are removed.
  • Decks and collection: kept until you delete the deck, reset your collection, or delete your account.
  • Anonymous decks without owner: kept until they are claimed by an account (via the signup flow) or manually removed by the site operator.
  • Analytics data: retained according to Google Analytics 4 default retention settings (currently 14 months).

6. Your rights

Under GDPR Articles 15–22 you have the right to:

  • Access — ask for a copy of the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — ask us to delete your data (“right to be forgotten”)
  • Restriction — temporarily limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent, withdraw it at any time (for analytics, use the Cookie preferences button in the footer)

To exercise any of these rights, email support@20cards.com from the address tied to your account. We will reply within 30 days.

7. Children

20cards is intended for users aged 14 and older. We do not knowingly collect personal data from children under 14. If you are under 14, please do not create an account and do not enable analytics cookies without a parent or guardian's consent.

If you believe a child under 14 has provided us personal data without parental consent, please contact support@20cards.com and we will delete the account and associated data promptly.

8. Security

All traffic to and from 20cards is encrypted via TLS. Passwords are hashed by the authentication provider and never stored in plain text. Database access is protected by row-level security policies so that users can only access their own data. Despite our best efforts, no online service can be guaranteed 100% secure; if we become aware of a breach that affects your personal data we will notify you and the competent authority as required by GDPR Art. 33–34.

9. Changes to this policy

We may update this Privacy Policy to reflect changes to the service or to legal requirements. When we do, we update the “Last updated” date at the top of this page and, for material changes, we will display a notice on the site.

10. Complaints

If you believe your rights have been violated, you have the right to lodge a complaint with the Italian data protection authority (Garante per la protezione dei dati personali) via garanteprivacy.it, or with the supervisory authority of your country of residence.