VNDR

Buy · Sell · Trade

Privacy Policy

Last updated: March 10, 2026

VNDR, operated by TCG VNDR LLC ("we," "our," or "us"), is a platform built for TCG vendors to manage inventory, transactions, and show sessions. This Privacy Policy explains what information we collect when you use VNDR, how we use it, and who we share it with. This policy is part of our Terms of Service.

VNDR does not sell your data, run advertising, or use tracking analytics of any kind.


1. Information We Collect

Account information (via Google Sign-In)

We use Google OAuth to authenticate you. When you sign in, Google shares the following with us:

  • Your name
  • Your email address
  • Your Google profile picture URL
  • OAuth tokens (access token, refresh token) required to maintain your session

We do not receive or store your Google password.

Business data you enter

Everything you log inside VNDR is stored in your account:

  • Inventory items — name, set, type, condition, grade, quantity, cost basis, market value
  • Transactions — type (buy/sell/trade), payment method, agreed prices, optional notes
  • Show sessions — name, location, date
  • App settings — default buy and trade percentages

Notes attached to transactions are free-form text you write. Do not include sensitive personal information about your customers in notes.

Payment information (if subscribing)

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your credit card number or full payment details. We receive and store:

  • Stripe customer ID and subscription ID
  • Subscription status and billing period
  • Last four digits of your payment card (for display purposes only)

Card images (optional)

If you use the camera card identification feature, the image you capture is sent to Ximilar's card recognition API to identify the card name, set, and number. If Ximilar is unavailable or unable to identify the card, the image may be sent to Anthropic's Claude API as a fallback. We do not store the image on our servers. See Section 3 for details on third-party services.


2. How We Use Your Information

  • To authenticate you and maintain your session
  • To store and display your inventory, transactions, and sessions
  • To calculate P&L, cash differences, and session summaries
  • To fetch live market prices for cards and sealed products from Scrydex
  • To generate CSV exports you request
  • To run a daily background job that refreshes market prices on your inventory
  • To deliver feedback you submit (bug reports, feature requests) to our support team via email and Discord

We do not use your data for advertising, profiling, or any purpose beyond operating the app for you.


3. Third-Party Services

VNDR relies on the following third-party services to function:

Google (Authentication)

Your name, email, profile picture, and OAuth tokens are shared with Google as part of the sign-in flow.

Vercel (Hosting)

VNDR is deployed on Vercel's infrastructure. Your requests pass through Vercel's servers. Vercel may log request metadata (IP addresses, user agents) per their standard practices.

Neon (Database)

All your account and business data is stored in a Neon-hosted PostgreSQL database. Neon is a Vercel Postgres provider. Data is encrypted at rest and in transit.

Scrydex (Market Pricing)

When you search for a card or sealed product, or when the daily price refresh runs, your search queries and card identifiers are sent to Scrydex's API to retrieve market pricing data. No personal account information is sent to Scrydex.

Ximilar (Card Identification)

If you use the camera card identification feature, your card image is sent to Ximilar's TCG recognition API to identify the card name, set, and number. Ximilar's data usage policies apply to that image. We do not store the image.

Anthropic (Card Identification — Fallback)

If Ximilar is unavailable or unable to identify a card, your card image may be sent to Anthropic's Claude API as a fallback. This also handles sealed products and graded slabs. Anthropic's data usage policies apply to that image. We do not store the image.

Stripe (Payments)

If you subscribe to a paid plan, payment is processed by Stripe. Stripe receives your payment card details, billing address, and email. We do not store your card number — Stripe handles this securely. We receive confirmation of payment status and subscription details.

Resend (Email)

If email notifications are enabled, your email address and session summary data are sent to Resend to deliver session close emails with CSV attachments. Emails are transactional only — no marketing emails are sent.

Discord (Feedback Notifications)

When you submit feedback through the in-app help button, your name, email address, and message are sent to a private Discord channel via webhook so our team can respond. Only VNDR team members can see this channel.

Upstash Redis (Rate Limiting, optional)

If rate limiting is enabled, your IP address is temporarily stored in Upstash Redis to prevent API abuse. This data expires automatically within seconds.


4. Cookies and Session Storage

VNDR sets a single HTTP-only, secure session cookie (authjs.session-token) when you sign in. This cookie:

  • Contains a signed JWT identifying your session
  • Expires after 8 hours
  • Is HTTP-only (not accessible to JavaScript)
  • Is only sent over HTTPS

We set no advertising cookies, no tracking pixels, and no third-party analytics cookies.


5. Data Retention and Deletion

Your business data (inventory, transactions, show sessions) is retained until you delete it. You can delete data from the Settings page inside the app:

  • Delete transactions — removes all transaction records
  • Delete everything — removes all transactions, inventory, and sessions

Your Google account connection (name, email, profile picture) is retained to keep your account active. It cannot currently be deleted through the app interface. To request full account deletion — including your Google auth record — contact us at the address below and we will remove it from our database manually within 30 days.


6. Data Security

  • All data is transmitted over HTTPS
  • Database connections use TLS encryption
  • Session tokens are signed and HTTP-only
  • Authentication is handled entirely by Google OAuth — we never see your password
  • API routes are protected and require an authenticated session

7. Children's Privacy

VNDR is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.


8. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. Continued use of VNDR after changes constitutes acceptance of the updated policy.


9. Contact

If you have questions about this Privacy Policy or want to request deletion of your account data, reach out at:

support@tcgvndr.com