Privacy Policy
Effective date: 2026-05-05
This Privacy Policy describes how The Daily Rip ("we", "us", or
"our") collects, uses, shares, and protects information about you
when you use our mobile application, our website at thedailyrip.app,
and any related services (collectively, the "Service").
We are committed to handling your information responsibly. If you
have questions, email privacy@thedailyrip.app.
This Policy is incorporated into our Terms of Service.
1. Who we are
The Daily Rip is operated by [LEGAL ENTITY NAME — to be filled in by
publisher; e.g., "The Daily Rip, Inc.", "Nicolas Coculuzzi (sole
proprietor)", or your LLC name]. For purposes of the European Union
General Data Protection Regulation (GDPR), the United Kingdom Data
Protection Act 2018 ("UK GDPR"), and the California Consumer Privacy
Act as amended by the California Privacy Rights Act ("CCPA/CPRA"),
we are the controller of personal information processed through
the Service.
If you are in the EEA, UK, or Switzerland, you can contact us about
your data at privacy@thedailyrip.app. We have not appointed an
EU-based representative under Article 27 GDPR; if our user base in
the EU grows materially we will do so.
2. Information we collect
We collect only what is necessary to operate the Service. Below is
the full inventory.
2.1 Information you provide
Account information
- Email address (required to sign in)
- Password (stored hashed; we never see plain text)
- Handle (username)
- Optional: display name, bio, avatar image, 5-digit US ZIP code
Collection and portfolio data
- Cards you mark as owned
- Watchlist entries and any alert thresholds
- Holdings (quantity, cost basis, optional acquisition date, optional
grade bucket)
- Photos you upload of cards you own (limited to images)
Communications with us
- Email, in-app chat, or other support communications you send
AI assistant prompts
- The text of your question and the relevant card identifier when
you use the "Ask AI" feature
2.2 Information collected automatically
- Device and app metadata: app version, OS version, device model,
language, timezone
- Network metadata: IP address (used briefly for rate limiting and
security; not retained long-term as a unique identifier)
- Push notification tokens: anonymous device identifiers issued
by Apple Push Notification service or Firebase Cloud Messaging,
used solely to deliver notifications you have opted into
- Crash and error reports: when crash reporting is enabled, we
receive anonymous stack traces with no user identifiers attached
(see Section 5.5)
- Usage signals: aggregate, non-identifying counters (e.g., how
many users opened a screen) used to improve the product
We do not use cookies on the mobile apps. The website uses only
strictly-necessary cookies (e.g., for authentication); we do not use
advertising or third-party analytics cookies that track you across
sites.
2.3 Information from third parties
- Subscription status from RevenueCat (which receives entitlement
data from Apple or Google after you subscribe)
- Public card and price data (eBay, PriceCharting, etc.) — this
data is about cards, not about you, but it is associated with your
watchlist and portfolio when you save it
We do not buy lists of personal information from data brokers.
2.4 What we do NOT collect
- Real legal name (unless you put it in display name)
- Phone number
- Precise geolocation; we collect only your optional ZIP code if you
choose to enter it
- Government-issued ID
- Health, biometric, or genetic data
- Financial-account or payment-card information (handled by
Apple/Google)
- Contents of your Camera Roll beyond photos you specifically pick
- Cross-app or cross-site advertising identifiers; the iOS app does
not request App Tracking Transparency (ATT) permission because
we do not track you across other companies' apps or websites
3. How we use your information
We use the information described above for the following purposes.
Where required by law, we identify the legal basis under GDPR.
| Purpose | Examples | GDPR legal basis |
|---|---|---|
| Provide the Service | Authenticate you; render your portfolio, watchlist, and feeds; deliver alerts you set up | Performance of a contract (Art. 6(1)(b)) |
| Process subscriptions | Verify entitlement; deliver paid-tier features | Performance of a contract |
| Communicate with you | Account verification, billing receipts, security alerts, support replies | Performance of a contract / legitimate interests |
| Operate AI assistant | Send your prompt + card context to OpenAI to generate an answer | Performance of a contract |
| Prevent abuse and ensure security | Rate limits, free-tier caps, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Tax records, valid law-enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Improve the product | Aggregate usage analytics, crash diagnosis | Legitimate interests |
| Marketing communications (only with consent) | Product newsletters, where you opt in | Consent (Art. 6(1)(a)) — withdrawable any time |
We do not sell or share your personal information for
cross-context behavioral advertising, and we do not use your data to
train AI models (we have not opted into any AI training uses with
our subprocessors).
4. Public content
By default, your profile is private. If you toggle your profile
public from the in-app profile screen, the following becomes visible
at thedailyrip.app/u/{your-handle}:
- Your handle, display name, bio, avatar
- Your card-photo gallery
- Aggregate stats (total card count, total photo count)
You separately control whether your holdings list and your
portfolio dollar value appear on the public profile. Both are
off by default; turning them on is opt-in.
You may toggle any of these off at any time. We do not control
copies that third parties may have already saved (e.g., screenshots,
search-engine caches).
5. Sharing with third parties
We share information with the following categories of third parties.
A current list of subprocessors is in Section 11.
5.1 Service providers (subprocessors)
We use the following providers to operate the Service. They process
data on our behalf under written agreements that limit them to that
purpose:
- Supabase — hosting, database, authentication
- Apple Push Notification service / Firebase Cloud Messaging —
push notification delivery
- RevenueCat — subscription state management
- OpenAI — AI assistant (your prompt + card context only)
- Sentry — anonymous crash and error reporting (when enabled)
- Cloudflare / [HOSTING PROVIDER] — DNS, edge delivery, DDoS
protection for the website
5.2 Marketplaces and data sources
We pull public price data from third parties (eBay, PriceCharting,
etc.). We do not send your personal data to these sources.
5.3 Legal compliance
We may disclose information when we believe in good faith that it is
necessary to:
- Comply with applicable law, regulation, legal process, or
governmental request;
- Enforce these Terms, including investigation of potential
violations;
- Detect, prevent, or otherwise address fraud, security, or
technical issues;
- Protect against harm to our rights, property, or safety, or that
of our users or the public.
Where legally permitted, we will notify you of a request before
disclosing your information.
5.4 Business transfers
If we are involved in a merger, acquisition, sale of assets,
financing, or bankruptcy, your information may be transferred to the
acquiring or successor entity. We will notify you (e.g., via email
and a notice on the Service) before your information is transferred
and becomes subject to a different privacy policy.
5.5 Crash reporting
When enabled, anonymous crash and error reports are sent to Sentry.
We configure Sentry not to capture user identifiers. Crash reports
may include device model, OS version, app version, and a stack
trace.
6. International data transfers
We are based in the United States. Information we collect is stored
and processed in the U.S. and in any country where our subprocessors
operate. If you are in the EEA, UK, or Switzerland, your data is
transferred to the U.S. under appropriate safeguards, primarily the
Standard Contractual Clauses approved by the European Commission
(and, where applicable, the U.K. International Data Transfer
Addendum). Copies are available on request.
7. Data retention
We retain your information for as long as your account is active and
as needed to provide the Service. Specific retention rules:
- Account profile: retained while your account is active
- Holdings, watchlist, owned-card lists: retained while your
account is active
- Card photos: retained while you keep them in the app; deleted
within 30 days of your removal of the photo
- AI prompt history: retained for up to 90 days for abuse
prevention, then de-identified or deleted
- Push tokens: retained until you log out, disable notifications,
or uninstall the app
- Subscription records: retained as long as required by tax and
accounting law (typically 7 years)
- Anonymous crash reports: retained per Sentry's defaults
(typically 90 days)
- Backups: encrypted backups may persist beyond active deletion
for up to 30 days, after which they are overwritten
When you delete your account (Section 9), we permanently remove
identifiable data within 30 days, subject to the retention exceptions
above.
8. Security
We use industry-standard technical and organizational measures to
protect your information, including:
- TLS (HTTPS) for all data in transit
- Encryption at rest for the database
- Row-level security (RLS) at the database layer — every query
is automatically scoped to your auth.uid(), so even an
application bug cannot expose another user's data
- Hashed passwords (never stored in plain text)
- Multi-factor authentication for admin access to our systems
No system is impenetrable. If we become aware of a personal-data
breach affecting you, we will notify you and the relevant
authorities as required by law (typically within 72 hours under
GDPR).
9. Your rights and choices
9.1 In-app controls
From the in-app profile screen you can:
- Edit or remove your handle, display name, bio, avatar, ZIP code
- Toggle your profile public/private
- Toggle public-holdings and public-portfolio-value
- Add, edit, or delete watchlist entries, holdings, owned cards,
photos, and alert thresholds
- Export your portfolio as a CSV
- Delete your account, which cascade-deletes your data within 30
days (see Section 7)
9.2 Email
You can opt out of marketing emails via the unsubscribe link in any
marketing email. Transactional emails (account verification,
billing, security alerts) cannot be opted out of while your account
is active.
9.3 Push notifications
You can disable push notifications via the system settings on your
device.
9.4 GDPR rights (EEA, UK, Switzerland users)
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Data portability — receive your data in a structured,
machine-readable format;
- Withdraw consent at any time where processing is based on
consent;
- Lodge a complaint with your local supervisory authority;
- Not be subject to a decision based **solely on automated
processing** that produces legal or similarly significant effects.
To exercise these rights, email privacy@thedailyrip.app. We will
respond within one month (extendable to three months for complex
requests, with notice). We may need to verify your identity before
acting.
9.5 California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the
sources, the purposes, and the categories of third parties we
share with (this Policy provides that information in Sections 2,
3, 5, and 11);
- Access the specific pieces of personal information we have
collected about you;
- Delete your personal information, subject to certain
exceptions;
- Correct inaccurate personal information;
- Limit use of sensitive personal information (we do not use
sensitive personal information for any purpose other than as
permitted by law without your consent);
- Opt out of "selling" or "sharing" — we do not sell or share
your personal information for cross-context behavioral
advertising. There is therefore no opt-out link required, but you
may confirm this with us at any time;
- Non-discrimination — we will not discriminate against you for
exercising any of these rights.
To exercise California rights, email privacy@thedailyrip.app with
"California Privacy Request" in the subject line. You may designate
an authorized agent to act on your behalf, in which case we will
require written authorization and may verify your identity directly.
We respond to Global Privacy Control (GPC) signals on
thedailyrip.app as a valid opt-out preference signal.
9.6 Other U.S. state rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon,
Montana, Iowa, Delaware, New Jersey, Tennessee, Maryland, Minnesota,
New Hampshire, Indiana, Kentucky, Rhode Island, and other states
with comprehensive privacy laws have similar rights to those listed
in 9.5. Email privacy@thedailyrip.app with the subject line "Privacy
Rights Request" and your state of residence. We honor verified
requests within the timeframe required by your state's law.
9.7 Brazil (LGPD), Canada (PIPEDA), and other jurisdictions
Residents of Brazil, Canada, Australia, and other jurisdictions with
data-protection laws have rights similar to those above. Use the
same contact: privacy@thedailyrip.app.
10. Children's privacy (COPPA)
The Service is not directed to children under 13, and we do not
knowingly collect personal information from children under 13. If we
learn that we have collected such information without verified
parental consent, we will delete it promptly.
If you are a parent or guardian and believe your child under 13 has
provided personal information to the Service, please contact us at
privacy@thedailyrip.app and we will delete it.
For users between 13 and 16 in the EEA/UK, we rely on parental
consent where required by local law.
11. Subprocessors
A current list of the third-party processors we use:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, auth, storage, edge functions | United States |
| OpenAI, L.L.C. | AI assistant model inference | United States |
| RevenueCat, Inc. | Subscription state management | United States |
| Apple Inc. | App distribution + push notifications | United States |
| Google LLC | App distribution + Firebase Cloud Messaging | United States |
| Sentry (Functional Software, Inc.) | Crash reporting (when enabled) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global |
| [HOSTING PROVIDER] | Web hosting for thedailyrip.app | [REGION] |
We may add or remove subprocessors. Where required by law (e.g.,
GDPR Art. 28), we will notify you via email or in-app notice in
advance of any new subprocessor with access to your personal data.
12. Do Not Track and Global Privacy Control
The mobile apps do not transmit "Do Not Track" or "Global Privacy
Control" signals because we do not engage in cross-app tracking.
The website at thedailyrip.app honors GPC signals as a valid
opt-out preference signal under California law.
13. Third-party links and services
The Service contains links to third-party services (eBay, TCGplayer,
help articles, etc.). Once you leave the Service, this Policy no
longer applies. Please review the third party's privacy policy.
14. Changes to this Policy
We may update this Policy occasionally. If we make material
changes, we will notify you via the Service or by email and update
the Effective date at the top. Material changes take effect no
sooner than 30 days after notice (or such shorter period as required
by law). Your continued use of the Service after the new Policy
takes effect constitutes acceptance.
15. Contact us
For privacy questions, requests, or complaints:
- Email: privacy@thedailyrip.app
- General support: support@thedailyrip.app
- Web: thedailyrip.app
Postal address: [TO BE FILLED IN BY PUBLISHER]
If you are not satisfied with our response, you may contact your
local data-protection authority. EU/EEA users can find theirs at
edpb.europa.eu. UK users: ico.org.uk.
Last updated: 2026-05-05.