Pack Goblin
Sign inCart

Privacy Policy

Pack Goblin (packgoblin.com) is a small card shop and deck-building toolkit operated from California, USA by [LEGAL ENTITY NAME]. This policy explains what data we collect, why, and what control you have over it. Short version: we collect the minimum needed to run a card shop and useful deck tools, we don't run ad trackers, and we never see your card number. We hoard cards, not your data.

What we collect

  • Account info. Accounts are optional. If you create one, we store your email address and account profile. Sign-in is by email magic link — there's no password for us to store (or lose).
  • Order and shipping info. When you buy singles, checkout happens on Shopify. Shopify sends us your name, shipping address, and the items you ordered so we can pack and ship them.
  • Your content. Decks, collections, and wishlists you build with our tools (features rolling out).
  • Restock alerts. If you ask to be notified when a card restocks, we keep your email and alert preferences. Every alert email has an unsubscribe link.
  • Server logs. Standard logs (IP address, request time, page requested) to keep the site running and to fight abuse.
  • Usage analytics. Pseudonymous, server-side event analytics (which pages and features get used), with no tracking cookies involved.

What we do not collect

  • Payment card numbers. Payments are processed entirely by Shopify at checkout. Card data never touches our servers.
  • Advertising or cross-site tracking cookies. None. Zero.
  • Sensitive personal information (as the CCPA defines it). We have no use for it.
  • We do not sell your personal information, and we do not share it for cross-context behavioral advertising.

How we use your information

To run the shop and the tools: fulfill and ship orders, sign you in, save your decks, collections, and wishlists, send alerts you explicitly requested, answer support email, keep the site secure, and understand in aggregate which features are useful. All email today is transactional (sign-in links and alerts you asked for). We will only ever send marketing email with your consent.

Service providers

A few providers help us operate. Each one processes data only on our behalf and only to provide their service to us:

  • Shopify — checkout, payments, and order management
  • Supabase — database and account sign-in
  • Vercel — website hosting
  • PostHog — pseudonymous usage analytics (server-side)
  • Our email provider — delivery of sign-in links and alerts

Cookies

We use essential cookies only:

  • `pg_cart` — keeps your cart together between pages (httpOnly). Essential.
  • Auth session cookies — keep you signed in. Essential.

No advertising cookies, no third-party tracking cookies, no cross-site tracking.

Affiliate links

Some outbound links (to TCGplayer, eBay, Card Kingdom, and Mana Pool) may earn us a commission — see our Disclosures page for details. When you click one, you leave Pack Goblin and the destination site's own privacy policy applies; we don't pass your Pack Goblin account data along with the link.

Data retention

  • Orders are kept as long as tax, accounting, and other legal requirements demand.
  • Your content (decks, collections, wishlists): when you delete something, it's soft-deleted with a 30-day recovery window, then permanently erased.
  • Accounts have two paths. *Deactivation* keeps your data recoverable for 30 days in case you change your mind. *Privacy deletion* permanently erases your personal data — we honor CCPA deletion requests, keeping only order records the law requires us to retain.
  • Server logs are kept briefly for security and debugging, then discarded.

Your rights (including CCPA)

If you're a California resident — and we extend these rights to everyone — you can:

  • Access the personal information we hold about you
  • Correct anything inaccurate
  • Delete your personal information (subject to the legal-retention exceptions above)
  • Opt out of sale or sharing — though since we don't sell or share personal information for cross-context behavioral advertising, there's nothing to opt out of

You can do most of this yourself, signed in, at your privacy settings: export your data, deactivate, or permanently delete your account. Or email support@packgoblin.com — from the email address on your account where possible, since that's how we verify it's really you. We'll respond within 45 days, and we will never treat you worse for exercising your rights.

Children

Pack Goblin is intended for users 13 and older. Purchases require the ability to form a contract — 18+, or with a parent or guardian involved. We do not knowingly collect personal information from children under 13. If you believe we have, email support@packgoblin.com and we'll delete it.

Security

Data is encrypted in transit (HTTPS everywhere), and access to production data is limited to the minimum needed to operate the service. Magic-link sign-in means there's no Pack Goblin password to steal. No system is perfectly secure, but we keep our attack surface deliberately small.

Where we operate

Pack Goblin sells and ships within the United States only and operates from California, USA. This policy is governed by California law.

Changes to this policy

If we make material changes, we'll post the updated policy on this page with a new effective date. We won't quietly start tracking you — that's not how goblins with a reputation to protect do business.

Contact

Questions or privacy requests: support@packgoblin.com. Operated by [LEGAL ENTITY NAME], California, USA.

Effective date: June 11, 2026. Material changes to this policy will be posted on this page.