Privacy notice
Last updated: May 10, 2026
This privacy notice for Duck Collector ("Company", "we", "us", or "our") describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:
- Visit our website at https://www.duckcollector.net
- Sign in to save your Psyduck collection, preferences, and related activity on the site
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at james@jmason.dev.
Duck Collector is an unofficial fan project for tracking Psyduck / Pokémon TCG cards; it is not affiliated with Nintendo, The Pokémon Company, or related rights holders.
1. Information we collect
We collect information in the following situations:
1.1 Information you provide
- Account. If you sign in with Google, we receive identifiers and profile-related fields made available by Google and processed through Supabase Auth (for example a unique user id and email address). The exact fields depend on your Google account settings and our OAuth configuration.
- Collection content. Cards you mark as collected, optional notes you add, and timestamps associated with those entries.
- Preferences. Settings such as enabled languages and how your collection list is filtered (for example TCG vs non-TCG and featuring modes).
- Deletion confirmation. If you delete your account, we ask you to type your email to confirm the request (processed only to perform deletion).
1.2 Information collected automatically
- Technical and usage data. Our hosting infrastructure and Supabase may process technical data such as IP addresses, device and browser signals, and server logs when you use the service. Exactly what is logged depends on your browser, our configuration, and those providers' practices.
- Cookies and local storage. We use essential storage for sign-in and theme preference. Optional Instagram embeds load only after you accept them in our banner. Details are in our cookie notice.
1.3 Information from third parties
- Google (OAuth provider), when you choose "Continue with Google".
- Meta / Instagram, only if you accept optional embeds and your browser loads Instagram previews (for example on Duck of the Week).
2. How we use information & legal bases (GDPR)
Where GDPR applies, we must identify a legal basis for each purpose. The applicable basis can depend on your situation and local law; the table below summarizes how we typically treat each purpose.
| Purpose | Typical basis |
|---|---|
| Provide accounts; authenticate you; sync your collection and settings | Performance of a contract / steps prior to entering a contract |
| Operate optional Instagram embeds | Consent (cookie banner) |
| Secure the service; detect abuse; debugging | Legitimate interests and/or legal obligation |
| Respond to privacy requests and legal inquiries | Legal obligation and/or legitimate interests |
We do not sell your personal information. This application does not include advertising or cross-site tracking pixels in the codebase we ship; if that ever changes, we will update this notice.
3. How we share information
We share personal data with service providers that help us run the service ("processors" / subprocessors), including:
- Supabase Inc. — hosted authentication and database.
- Google LLC — OAuth sign-in.
- Meta Platforms, Inc. — only when Instagram embeds load after consent.
- Hosting / CDN — whichever cloud or edge network serves this website to visitors (depends on where Duck Collector is deployed).
We may disclose information if required by law, court order, or to protect rights, safety, and integrity of the service.
4. Retention
We keep account-related personal data until you delete your account unless a longer retention period is required by law. Deleting your Supabase Auth account removes linked rows in our application database that reference your user id (such as collection entries and settings).
Backup systems operated by Supabase or our hosting provider may retain residual copies for a period defined by those providers' retention policies.
5. Your rights and choices
Depending on where you live, you may have rights to access, rectify, erase, restrict or object to certain processing, export data in a portable format, withdraw consent where processing is based on consent, and lodge a complaint with a supervisory authority.
- Export: signed-in users can download a JSON export from the Account page.
- Deletion: signed-in users can delete their account from the same page after confirming their email.
- Optional embeds: you can change your choice via the cookie banner when it appears, or reset preferences from the cookie notice.
To exercise other rights, contact us at james@jmason.dev. We aim to respond within a reasonable time. Where applicable law sets a deadline (for example one month under the GDPR for many requests), we will comply with that timeframe.
6. International transfers
Supabase, Google, Meta, and many hosts process data in multiple countries, including outside the EEA/UK. Where GDPR applies, international transfers may rely on mechanisms such as Standard Contractual Clauses and our subprocessors' data processing terms; see each provider's privacy documentation for the specifics that apply to their services.
7. Security
We implement reasonable technical and organizational measures appropriate to the risk, including access controls on application data (for example row-level security in our database) and security headers on the web application. No method of transmission over the Internet is completely secure.
8. Children
The service is not directed at children under 13. If you believe we have collected personal information from a child without appropriate consent, contact us at james@jmason.dev and we will take appropriate steps.
9. Changes to this notice
We may update this notice from time to time. We will adjust the "Last updated" date above. Material changes may require additional notice where applicable law requires it.