Privacy Policy
Last updated: May 2026
1. Who We Are
PokéBay ("we", "us", "our") operates an independent peer-to-peer marketplace at pokebay.shop for collectors of second-hand Pokémon Trading Card Game cards. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.
2. Information We Collect
Information You Provide
- Account data: Email address, username, password (stored as a bcrypt hash — we never store your raw password)
- Profile data: Bio, avatar URL, location (if provided)
- Listing data: Card details, descriptions, photos you upload
- Messages: Messages exchanged with other users on the platform
- Transaction data: Order history, shipping addresses (collected and stored by Stripe during checkout)
Information Collected Automatically
- Server logs: IP address, browser type, pages visited, timestamps — used for security and debugging only
- Session data: An authentication token stored as an httpOnly cookie to keep you logged in
- Fraud-prevention signals: The IP address used at account registration and at checkout, a normalized form of your email address (used to detect duplicate accounts created with Gmail dot/+ aliases of the same mailbox), and the timestamp at which your account becomes eligible to onboard to Stripe Connect. These signals are stored only on your user record and are used solely for fraud detection and platform safety.
Information We Do NOT Collect
- We do not store full payment card numbers, CVV codes, or bank account details — all payment processing is handled directly by Stripe
- We do not use third-party tracking cookies or advertising pixels
- We do not sell your data to third parties
3. How We Use Your Information
- To operate and provide the PokéBay marketplace service
- To process transactions through Stripe (see Stripe's Privacy Policy at stripe.com/privacy)
- To send transactional notifications: bids, messages, sales, shipping updates, and password resets
- To enforce our Terms of Service and Anti-Counterfeit Policy
- To investigate fraud, abuse, or security incidents — including detecting self-purchase by matching the registration IP of buyers and sellers, and detecting duplicate accounts by matching normalized email addresses
- To enforce the Stripe Connect onboarding cooldown for newly registered accounts
- To comply with legal obligations
4. Information Sharing
We do not sell your personal information. We share information only in these circumstances:
- With Stripe: For secure payment processing. Stripe is PCI-DSS compliant.
- Between users: Your username, listing details, and shipping address are shared with transaction counterparties as needed to complete orders
- Legal compliance: If required by law, court order, or to cooperate with law enforcement investigations — including counterfeit card cases
- Rights protection: To protect the legal rights, property, or safety of PokéBay, our users, or others
- Business transfers: In the event of a merger or acquisition, user data may be transferred as part of that transaction
5. Data Storage & Security
- Passwords are hashed using bcrypt with a cost factor of 12
- Authentication uses signed JWT tokens with 7-day expiry
- All data in transit is encrypted via HTTPS/TLS
- Database access is restricted to application processes only
- We implement industry-standard security practices, but no system is 100% secure — use a strong, unique password
6. Cookies
We use one essential cookie:
- token — an httpOnly, secure cookie containing your signed authentication token. Required for login to function. Expires after 7 days or on logout.
We do not use advertising cookies, analytics cookies, or any third-party cookies.
7. Data Retention
- Account data: Retained while your account is active. Deleted or anonymized within 30 days of an account deletion request.
- Transaction records: Retained for up to 7 years for financial and legal compliance purposes, even after account deletion.
- Server logs: Retained for up to 90 days, then purged.
- Messages: Retained while both user accounts are active.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Ask us to correct inaccurate data
- Deletion: Request deletion of your account and associated personal data (subject to retention requirements above)
- Portability: Request your data in a portable format
- Objection / Restriction: Object to certain processing of your data
To exercise any of these rights, email us at privacy@pokebay.shop. We will respond within 30 days.
9. Children's Privacy
PokéBay is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, please contact us immediately at support@pokebay.shop.
10. International Users
PokéBay is operated from the United States. If you access the platform from outside the US, your data may be transferred to and processed in the United States. By using PokéBay, you consent to this transfer.
For EU/UK users, we process your data based on: (a) contract performance — to operate the marketplace; (b) legitimate interests — for fraud prevention and security; and (c) legal compliance.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered users of material changes by email or platform notification. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Privacy questions or rights requests: privacy@pokebay.shop
General support: support@pokebay.shop