Last updated: April 23, 2026
VNDR™, operated by TCG VNDR LLC ("we," "our," or "us"), is a platform built for TCG vendors to manage inventory, transactions, and show sessions. This Privacy Policy explains what information we collect when you use VNDR, how we use it, and who we share it with. This policy is part of our Terms of Service.
VNDR does not sell your data, run advertising, or use tracking analytics of any kind.
We support Google OAuth and Sign in with Apple for authentication. When you sign in, the provider shares the following with us:
We do not receive or store your password from either provider.
Everything you log inside VNDR is stored in your account:
Notes attached to transactions are free-form text you write. Do not include sensitive personal information about your customers in notes.
If you subscribe to a paid plan, payment is processed by Stripe (web) or Apple In-App Purchase (iOS app). We do not store your credit card number or full payment details. We receive and store:
If you use the camera card identification feature, the image you capture is sent to Ximilar's card recognition API to identify the card name, set, and number. If Ximilar is unavailable or unable to identify the card, the image may be sent to Anthropic's Claude API as a fallback. See Section 3 for details on third-party services.
We store a copy of the captured image on Vercel Blob storage, linked to the inventory item it identified, so you can view it later from the item's detail page. You can delete the image by deleting the inventory item, or clear all your data via Settings → Danger Zone.
If you manually upload an inventory photo or a batch-lot photo, that image is also stored on Vercel Blob storage under your account.
If you receive or share a referral code, we store:
When another user refers you, we show them a partially masked version of your email (e.g., jo***@***.com) so they can recognize friends they have referred. We never share your full email address or your Google or Apple display name with other users through the referral system.
Referral records are visible to VNDR administrators for fraud review. Administrative actions on referrals or credits (grant, reverse, adjust) are recorded in an internal audit log.
We do not use your data for advertising, profiling, or any purpose beyond operating the app for you.
VNDR relies on the following third-party services to function:
Your name, email, profile picture, and OAuth tokens are shared with Google as part of the sign-in flow.
VNDR is deployed on Vercel's infrastructure. Your requests pass through Vercel's servers. Vercel may log request metadata (IP addresses, user agents) per their standard practices.
All your account and business data is stored in a Neon-hosted PostgreSQL database. Neon is a Vercel Postgres provider. Data is encrypted at rest and in transit.
When you search for a card or sealed product, or when the daily price refresh runs, your search queries and card identifiers are sent to Scrydex's API to retrieve market pricing data. No personal account information is sent to Scrydex.
If you use the camera card identification feature, your card image is sent to Ximilar's TCG recognition API to identify the card name, set, and number. Ximilar's data usage policies apply to that image.
If Ximilar is unavailable or unable to identify a card, your card image may be sent to Anthropic's Claude API as a fallback. This also handles sealed products and graded slabs. Anthropic's data usage policies apply to that image.
Card scan images and manually uploaded inventory photos are stored on Vercel Blob, Vercel's managed object storage. Files are uploaded with unguessable random URLs. You can delete them by deleting the associated inventory item.
If you subscribe to a paid plan, payment is processed by Stripe. Stripe receives your payment card details, billing address, and email. We do not store your card number — Stripe handles this securely. We receive confirmation of payment status and subscription details.
If you use Sign in with Apple, Apple shares your name and email address (or a private relay address) with us. If you subscribe via In-App Purchase on iOS, Apple processes your payment. We do not receive your payment card details from Apple — we receive transaction IDs and subscription status via RevenueCat.
RevenueCat manages In-App Purchase subscriptions for our iOS app. It receives your app user ID and purchase events from Apple to track subscription status. RevenueCat does not receive your payment card details.
Resend delivers transactional emails (session summaries, subscription confirmations) and optional marketing emails if you opt in. You can manage your email preferences in Settings → Notifications.
When you submit feedback through the in-app help button, your name, email address, and message are sent to a private Discord channel via webhook so our team can respond. Only VNDR team members can see this channel.
If rate limiting is enabled, your IP address is temporarily stored in Upstash Redis to prevent API abuse. This data expires automatically within seconds.
If you connect your eBay account and list items, your card details (name, set, condition, grade, price) and card images are sent to eBay's Inventory and Media APIs to create listings on your behalf. Your eBay OAuth tokens (access and refresh tokens) are stored securely to maintain your connection. eBay's privacy policy governs data shared with them.
VNDR sets a single HTTP-only, secure session cookie (authjs.session-token) when you sign in. This cookie:
If you click a referral link or enter a referral code, we also set a short-lived cookie (vndr_ref) for 30 days to remember which code you used, so we can attribute the referral when you sign up. You can clear it at any time through your browser settings.
We set no advertising cookies, no tracking pixels, and no third-party analytics cookies.
Your business data (inventory, transactions, show sessions) is retained until you delete it. You can delete data from the Settings page inside the app:
Sign-up IP address, user-agent, and device fingerprint hash collected for referral fraud detection are retained while your account exists to support ongoing fraud review, and are deleted when you delete your account.
Your account information (name, email, profile picture) from Google or Apple is retained to keep your account active. You can delete your account from Settings → Danger Zone, which permanently removes all your data. If you need assistance with account deletion, contact us at the address below and we will process it within 30 days.
VNDR is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you through the app, by email, or another reasonable means. Continued use of VNDR after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or want to request deletion of your account data, reach out at:
support@tcgvndr.com