puckly

Privacy Policy

Effective date: September 16, 2025

Puckly (“we,” “us,” “our”) provides tools for hockey card collectors, including product price aggregation, alerts, analytics, virtual tokenized hockey card repacks and a subscriber experience across our apps and sites (collectively, the “Service”).

This Privacy Policy explains what we collect, how we use it, how we share it, and the choices you have. If you use Google to sign in, this Policy also includes the disclosures required by Google for OAuth-based apps.

If you disagree with this Policy, please do not use the Service.

1) What we collect

a) Account & authentication data

  • Google Sign-In basics: when you log in with Google, we request only standard OpenID Connect scopes: openid, email, and/or profile as needed. These provide your Google account ID, email, and basic profile claims. We do not request Gmail, Drive, Contacts, or other sensitive/restricted scopes.

  • Internal identifiers: user ID, OAuth subject/issuer IDs, session tokens.

b) Subscription & payments

  • If you subscribe, Stripe processes payment data on our behalf. We receive non-card metadata (e.g., Stripe customer ID, plan, status) but never store full card numbers. Stripe acts as our processor for these transactions and may also be a controller for its own purposes.

c) Product & usage features

  • Price alerts & favorites you set inside Puckly.

  • Optional notifications: your email and/or (if you connect it) a Discord webhook URL or user ID to deliver alerts.

  • Support communications: messages you send us (e.g., support email).

d) Technical data

  • Device, browser, and app telemetry, IP address, timestamps, and event logs for security and reliability.

  • Cookies/local storage to keep you signed in, remember preferences, and measure basic usage.

2) How we use data

We use your data to:

  • Provide the Service: authenticate you, save your settings, show price data, send alerts you request.

  • Bill for the Service: manage subscriptions and invoices via Stripe.

  • Secure & improve: prevent abuse, debug issues, measure performance, and plan features.

  • Communicate with you: service emails (e.g., alerts, receipts, critical notices).

  • Legal & compliance: meet our obligations and enforce our terms.

When we use Google-provided user data, we comply with the Google API Services User Data Policy and the Limited Use requirements: we only use Google data to provide or improve user-facing features in the Service; we do not sell it; and we do not allow human access except as permitted (with consent, security needs, or legal obligations).

3) Data sharing

We do not sell personal information.

We share data only with:

  • Service providers (processors) working on our behalf and bound by contract, such as:

    • Supabase (database, auth sessions, storage), which maintains SOC 2 Type II compliance and other security controls; it may store data in the U.S. or other regions where Supabase operates.

    • Stripe (payments & invoicing).

    • Hosting/CDN/logging providers necessary to run our app.

    • Email/notification providers to deliver alerts you enable (and Discord only if you connect it).

  • Authorities if required by law, or to protect rights, safety, and the integrity of the Service.

  • Business transfers (e.g., merger or acquisition), with appropriate safeguards.

4) Google OAuth–specific disclosures

  • We request basic OpenID scopes (openid, email, profile) solely for authentication and account personalization (e.g., your display name or avatar if available). We do not request or access Gmail, Drive, Calendar, or other Google data.

  • Our use of Google information adheres to the Google API Services User Data Policy and Limited Use.

  • Revoking access: you can revoke Puckly’s Google access at any time from your Google Account’s “Security → Third-party access” settings.

  • Verification: we maintain a public privacy policy hosted on our authorized domain and linked on the OAuth consent screen, as required by Google’s verification process.

5) Legal bases & regional rights

Depending on your region, we rely on one or more of: contract (to provide the Service), legitimate interests (e.g., security, improvements), consent (e.g., marketing, optional integrations), and legal obligations.

You may have rights to access, correct, delete, port, or object/restrict certain processing. We will honor applicable rights under laws such as PIPEDA (Canada), GDPR (EEA/UK), and CCPA/CPRA (California). To exercise any rights, see Contact Us below.

6) Data retention

  • Account & subscription data: retained while your account is active and then as needed for legal/accounting obligations.

  • Price alerts & favorites: retained until you remove them or delete your account.

  • Logs: typically kept for up to ~90 days unless needed for security/abuse investigations.

  • Backups: time-limited rolling backups (typical window ~30–45 days).

7) International transfers

We may process data in countries other than your own (for example, the U.S. for Supabase hosting). Where required, we use appropriate safeguards (e.g., DPAs, standard contractual clauses) with our processors.

8) Security

We use technical and organizational measures appropriate to the risk, including encryption in transit, role-based access controls, and least-privilege operational practices. Our data platform leverages Supabase’s security controls (e.g., RLS access policies) and audited infrastructure (e.g., SOC 2 Type II). No method is 100% secure, but we work continuously to protect your data.

9) Your choices

  • Manage account data: update settings in your Puckly account.

  • Revoke Google access: via your Google Account’s third-party app settings.

  • Unsubscribe: opt out of non-essential emails via footer links; service/transactional emails will still be sent.

  • Delete account: request deletion (see Contact Us). We will also instruct our processors (e.g., Stripe, Supabase) to delete or pseudonymize associated personal data unless retention is required by law or for legitimate business purposes (e.g., fraud prevention, tax/audit).

10) Children

Puckly is not directed to children under 13 (or the relevant age in your jurisdiction). We do not knowingly collect personal information from children.

11) Changes to this Policy

We may update this Policy to reflect changes in our Service or legal requirements. If changes are material, we will provide notice (e.g., in-app banner or email) and indicate the “Effective date” above.

12) Contact us

  • Email: support@puckly.ca

We will respond to requests within the timelines required by applicable law.

© All rights reserved