Privacy Policy
Last updated: May 10, 2026
Overview
RareDex is a Pokémon TCG card scanner that identifies cards and retrieves market prices. This policy explains what data we collect, how we use it, and what we don't do with it.
Data We Collect
- Google account email — collected when you sign in with Google. Used to identify your account and display your initial in the header. Not used for marketing.
- OAuth tokens — a Google access token and refresh token are stored in your server-side session. These are used solely to write to your own Google Sheet when you export a scan list. We do not access any other Google data.
- Scan history — card name, set, collector number, and market price for each card you scan. Stored in our database and used to power aggregate analytics (e.g. what cards are scanned most). No scan is linked to personally identifying information beyond your account email.
- Session ID — a random identifier generated per browser session to group your scans. Not tied to your device or IP address.
Data We Do Not Collect
- GPS coordinates or precise location
- IP address per scan
- Device identifiers or fingerprints
- Card images — photos are processed in memory and immediately discarded
Google API Usage
RareDex uses the Google Sheets API exclusively to append rows to a Google Sheet in your own Google Drive when you tap "Export to Google Sheets." We request the minimum scopes needed for this:
- openid and email — to identify you
- https://www.googleapis.com/auth/spreadsheets — to write to your sheet
- https://www.googleapis.com/auth/drive.file — to create a sheet in your Drive if one doesn't exist yet
Data Sharing
We do not sell, rent, or share your personal data with third parties. The only external services that receive data are:
- Google — OAuth authentication and Sheets export, as described above
- Limitless TCG / TCGPlayer — card identifiers are sent to retrieve market prices. No account data is transmitted.
Data Retention
Scan records are retained indefinitely for aggregate analytics. If you would like your account data deleted, email us at the address below and we will remove it within 30 days.
Security
OAuth tokens are stored in server-side sessions and are not exposed to the browser. Connections to RareDex are encrypted via HTTPS.
Changes to This Policy
If we make material changes we will update the "Last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance.
Contact
Questions or deletion requests: [email protected]