Privacy Policy

Last updated: February 19, 2026

This Privacy Policy describes how TCG API (“we”, “us”, “our”) collects, uses, and protects your information when you use our service at tcgapi.dev and api.tcgapi.dev (“Service”).

1. Information We Collect

Account Information

Email address — used for account creation, billing, and service communications
Password — stored as a cryptographic hash; we never store or have access to your plain-text password

Billing Information

Payment details (credit card number, expiration, billing address) are collected and processed by Stripe, our payment processor. We do not store your full payment details on our servers. We receive and store your Stripe customer ID and subscription status.

Usage Data

API request logs — endpoint accessed, timestamp, response status, API key used
Rate limit counters — request counts per time window

Technical Data

IP address, user agent, and request headers sent with API calls

2. Information We Do Not Collect

No tracking cookies — we do not use third-party tracking cookies or advertising pixels
No analytics cookies — our website analytics (Umami) are privacy-friendly and cookie-free
No third-party data sharing for advertising — we do not sell, rent, or share your data with advertisers

3. How We Use Your Information

We use the information we collect to:

Provide and maintain the Service (account management, API access)
Process billing and payments
Enforce rate limits and prevent abuse
Monitor service health and performance
Communicate service updates, security notices, and billing information
Comply with legal obligations

4. Third-Party Services

We use the following third-party services that may process your data:

Stripe — payment processing (Stripe Privacy Policy)
Cloudflare — infrastructure, CDN, and DDoS protection (Cloudflare Privacy Policy)
Umami — privacy-focused website analytics, no cookies, no personal data collection (Umami Privacy)

We do not share your personal information with any other third parties.

5. Data Retention

Account data — retained until you request account deletion
API usage logs — retained for 90 days, then automatically deleted
Billing records — retained as required by law (typically 7 years for tax purposes)

6. Data Security

We protect your data using:

Encrypted connections (HTTPS/TLS) for all API and website traffic
Cryptographic password hashing
API key authentication with secure key generation
Cloudflare network security and DDoS protection
Access controls limiting data access to essential operations only

7. Your Rights

All Users

Access — request a copy of your personal data
Correction — request correction of inaccurate data
Deletion — request deletion of your account and associated data
Export — request an export of your data in a machine-readable format

California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of personal information (we do not sell personal information)
Non-discrimination for exercising your privacy rights

If you are in the European Economic Area, you have additional rights including:

Right to data portability
Right to restrict processing
Right to object to processing
Right to withdraw consent

8. Children’s Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The “Last updated” date at the top reflects the most recent revision.

10. Contact

For privacy-related questions or to exercise your data rights, contact us at [email protected].