Privacy Policy

Last updated: 29 May 2026.

This page explains what personal data Sneaky Cards collects when you use this website, why we collect it, who has access to it, and your rights over it. We aim to keep this policy short and honest. If anything is unclear, email info@sneakycards.com.

Who we are

Sneaky Cards is a personal-scale project operated by Cody Borst (Colorado, USA). For purposes of EU/UK data-protection law, Cody Borst is the data controller. You can reach the controller at info@sneakycards.com.

What we collect

We collect only what's needed to run the site. There is no advertising network and no behavioral profiling. We do use Google Analytics 4 to count page views in aggregate; that is described below under "Analytics" and "Cookies and similar technologies".

  • Account data. When you sign up we store your email address (used as your login identifier) and a username. Optionally you can add a display name and a preferred language.
  • Authentication metadata. Firebase Authentication generates a unique user id (UID), records sign-in timestamps, and stores a hashed credential. We do not see your raw password at any time.
  • Deck registrations. When you register a deck we store the deck code and the UID of the registering account. This is what links a printed deck to your account.
  • Tracking events. When you log a GIVE or RECEIVE on a card, we store the action, the approximate geolocation (latitude / longitude or city / state / country, as you provide it), the card and deck identifiers, the timestamp, and your UID if you are signed in. Tracking is allowed without signing in; in that case no UID is stored.
  • Comments. Comments attached to a tracking event are stored verbatim alongside your UID. Anyone visiting the tracking page can read them; that's the point.
  • Server logs. Our hosting provider (Google Firebase Hosting) records standard access logs (IP address, user agent, requested path, response code, timestamp) for security and abuse-prevention purposes. Logs are kept for 30 days and then deleted.
  • Analytics events. Google Analytics 4 (measurement ID G-TC7N939XL8) records anonymous page-view events when you navigate the site. Each event includes the page URL, the referring URL, an approximate location derived from your IP, the device / browser type, and a randomly-assigned client id that GA4 stores in a first-party cookie so repeated visits within a session can be collapsed into a single visitor count. We do not configure GA4 to collect IP addresses, user ids, or any other identifier we could tie back to your account.

How we use it

  • To authenticate you and keep your session alive between visits.
  • To display your decks, your tracked cards, and your comments back to you.
  • To render the public tracking map for each card (the GIVE / RECEIVE pin chain).
  • To respond to support emails you send us.
  • To investigate and prevent abuse (server logs only, never combined with profile data).

We do not sell or share your personal data with third parties for advertising or marketing purposes, ever. If we ever change this we will email every account holder before doing so and give you the chance to delete your account first.

  • Performance of a contract. Storing your email, UID, deck registrations, and tracking history is necessary to provide the site to you (GDPR Art. 6(1)(b)).
  • Legitimate interests. Short-lived server logs are kept under our legitimate interest in operating and securing the site (GDPR Art. 6(1)(f)).
  • Consent. Submitting your email to the launch-signup form is processed on the basis of your consent (GDPR Art. 6(1)(a)); you can withdraw it at any time by emailing us.

Analytics

Sneaky Cards uses Google Analytics 4 (measurement ID G-TC7N939XL8) for aggregate, anonymous page-view counting. We use this to understand which pages get used and where to focus our maintenance time. We do not run remarketing, retargeting, demographic profiling, or any other GA4 advertising feature.

If you would prefer not to be counted, the Google Analytics Opt-out Browser Add-on blocks the tracking script across every site that uses GA4, including this one. Browser tracking-protection features (Firefox "Strict" mode, Brave Shields, Safari ITP) and most ad blockers also block the GA4 request.

Cookies and similar technologies

Sneaky Cards does not set any advertising cookies. The cookies and browser-storage keys we do set are listed below, grouped by purpose so you can see what consents to what.

Strictly necessary (exempt from consent requirements under the EU ePrivacy Directive Recital 66 and national implementations):

  • Firebase Authentication session. A small IndexedDB record + JWT in memory that keeps you signed in. Cleared on sign-out.
  • Card-maker draft. A single localStorage key (sneaky.create.draft.v3) that holds your unsaved custom card so a refresh doesn't lose your work. Cleared from the "Reset" button on the maker, or by clearing site data in your browser.

Analytics (Google Analytics 4):

  • _ga and _ga_TC7N939XL8 cookies, set as first-party cookies by GA4's gtag.js script. They store the random client id (_ga) and the session state for our property (_ga_TC7N939XL8). Both are first-party, retained for up to 13 months (_ga) or 24 hours (_ga_TC7N939XL8). They contain no personally-identifying information by themselves; the random id only gains meaning when combined with the page-view stream we receive from your browser.

If you open a card's tracking page (/track/<code>) we load Google Maps to display the GIVE / RECEIVE pin chain. Google may set its own cookies for that map tile request; the Google Privacy Policy governs how Google handles them. We don't read or write to those cookies, and they aren't set on pages where no map is rendered.

Third parties we use

The only third-party services involved in operating this site are:

  • Google Firebase (US): Authentication, Firestore (database), Hosting, and Cloud Functions. Google acts as our data processor under a standard Google Cloud Data Processing Addendum.
  • Google Maps JavaScript API (US): only loaded on the per-card tracking page, only to render pins. No personal data from you is sent to Maps; just the latitude/longitude of each tracking event so it can position the marker.
  • Google Analytics 4 (US): aggregate page-view analytics. Google acts as our data processor under the standard Google Analytics Data Processing Terms. Advertising features (remarketing, demographics, signals) are disabled on our property. See "Analytics" and "Cookies" above.

How long we keep it

  • Account profile + deck registrations: until you delete your account.
  • Tracking events: kept indefinitely on the card's public history (they're the point of the site). You can request that we anonymize or remove events you logged by emailing us.
  • Comments: kept until you delete your account or delete the comment.
  • Server access logs: 30 days, then automatically rotated and deleted.
  • Launch-signup emails: until our launch, then deleted unless you become an account holder in the meantime.

Your rights

If you are in the EEA, UK, California, or any other jurisdiction with similar protections, you have the following rights. To exercise any of them, email info@sneakycards.com from the address associated with your account.

  • Access. Get a copy of the personal data we hold about you.
  • Rectification. Correct inaccurate or incomplete data. Most fields are editable directly under account settings.
  • Erasure ("right to be forgotten"). Delete your account and associated personal data. The self-serve delete button under account settings is the fastest path.
  • Portability. Export your data in a machine-readable format.
  • Restriction. Ask us to pause processing while we resolve a dispute.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing relies on consent (launch-signup), withdraw it at any time.
  • Complain. Lodge a complaint with your local supervisory authority. In the UK that's the ICO; for EU residents it's your national DPA.
  • CCPA rights (California). Right to know what categories of personal information we collect, right to delete, right to non-discrimination for exercising your rights. We do not "sell" personal information as defined by the CCPA.

We respond to verified requests within 30 days. We do not charge a fee for the first request in any 12-month period.

International transfers

Our hosting infrastructure (Google Firebase) processes data in Google Cloud regions located in the United States. Where data about EEA / UK users is transferred to the US, that transfer is covered by Google's Standard Contractual Clauses with us, plus Google's certification under the EU-US Data Privacy Framework where applicable.

Children's data

Sneaky Cards is not directed at children under 13 (or 16 in jurisdictions that require it for digital-service consent). We don't knowingly collect personal data from anyone in that age range. If you believe we hold data about a child without parental consent, email us and we will delete it.

Security

Passwords are never stored in plaintext; Firebase Authentication keeps them as salted one-way hashes. All traffic is served over HTTPS. Database access is gated by Firestore security rules so the same access controls apply whether a request comes from the website or a misbehaving client.

No system is perfect. If you suspect your account has been compromised or you've found a vulnerability, email info@sneakycards.com. We don't currently run a bug-bounty program, but we acknowledge reports and treat them seriously.

Accessibility

We aim for the WCAG 2.1 Level AA standard, which also satisfies the substantive requirements of the US Americans with Disabilities Act for non-government web content. Every interactive control is reachable by keyboard, every image has descriptive alt text, and we test the color palette for contrast. If you encounter a barrier, please report it to info@sneakycards.com and include the page URL and the assistive technology you were using.

Changes to this policy

We may revise this policy from time to time. Material changes (anything that affects how we collect or use your data) will be announced via email to account holders at least 14 days before they take effect. Cosmetic changes (typos, clearer wording) may happen silently. The "last updated" date at the top of this page is authoritative.

See also: Terms of Service · Support.