Privacy Policy

Effective date: 15 April 2026

1. Who We Are

Cardikyu ("we", "us", "our") is an AI and machine learning platform for trading card and collectibles intelligence. Our services include a browser extension for live auction stream analysis, an inventory scanning service, and pricing and market analytics. This policy covers all Cardikyu services, including the browser extension, web application, and all services hosted on cardikyu.com and its subdomains.

We are committed to protecting your privacy and being transparent about what data we collect and why. We operate under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We collect only what is necessary to operate and improve the service.

Account Information

When you create a Cardikyu account, we collect your email address and any profile information you provide. A JWT authentication token is stored locally in your browser extension to authenticate API requests. We do not store your password in the extension.

Video Frame Captures

Video frame captures from supported live streams are sent to our server for card detection and identification. Detected card crops and related scan artifacts are retained for up to 30 days to support incremental improvements to our detection models, after which they are automatically deleted. You can view your captured frames and their matched results in the app, and delete them manually at any time.

Scanner Model Testing

By default, your account may help us test scanner improvements by comparing the current production detector with a candidate detector. When this is enabled, we may store the source frame, detector-generated debug crops, detector metadata, and result metadata for paired evaluation under the same 30-day retention policy. You can turn this off at any time in the extension setting "Help test scanner improvements"; opting out stops future model-testing routing and shadow evaluation.

Camera and Webcam Captures

If you use the inventory scanning feature, images captured via your device camera are sent to our server for card identification. These follow the same 30-day retention policy as stream frame captures and can also be viewed and deleted in the app.

Card Match Confirmations

When you confirm or correct a card identification, that confirmation is recorded alongside the associated frame capture. On the Free plan, confirmation is required for every scan. On paid plans, confirmation is optional. This data is used to improve the accuracy of our detection models.

Sale Price Data

When a card is matched during a live stream and a sale occurs, the sale price, currency, and card identification are recorded. On the Free plan, this data is submitted automatically for matched cards. This data is used to provide pricing history and market analytics across the platform.

Stream Metadata

Stream identifiers, streamer usernames, and sale events are recorded to provide sales history and analytics features.

Device Identifier

A randomly generated UUID is stored locally to associate preferences with your browser. It is not linked to your identity.

User Preferences

Settings such as scan mode, capture region, model-testing preference, and UI preferences are stored locally in your browser.

3. Data We Do Not Collect

  • Browsing history or activity outside of supported platforms
  • Cookies or tracking identifiers from any website
  • Financial information or payment details via the extension
  • Personal communications or messages
  • Data from any platform other than those the extension is explicitly enabled on

4. How We Use Your Data

  • Card identification — Video frames and camera captures are processed by our detection models to identify cards and return pricing information.
  • Model training and improvement — Retained frame captures, camera captures, detector experiment artifacts, and card match confirmations are used to evaluate, train, and improve the accuracy of our AI detection models. Data used for training is aggregated and not used to identify individual users.
  • Pricing and sales history — Sale events and price data are stored to provide historical pricing trends, market analytics, and deal analysis features.
  • Authentication — Tokens are used solely to verify your identity when making API requests.
  • Service operation — Account information is used to manage your subscription, communicate with you about the service, and provide support.

5. Legal Basis for Processing

Under UK GDPR, we process your data on the following bases:

  • Contract — Processing your account information, authentication, and providing the card identification service is necessary to deliver the service you have signed up for.
  • Legitimate interest — Retaining frame captures, detector experiment artifacts, and confirmations for model training, and recording sale prices for market analytics, are in our legitimate interest to improve and operate the service. We have assessed that these interests do not override your rights, particularly given the 30-day retention limit, your ability to delete captures at any time, and your ability to opt out of scanner model testing.
  • Consent — Where required, such as for optional features or communications, we will ask for your explicit consent.

6. Data Sharing

We do not sell, rent, or share your personal data with third parties.

Data is processed on our own infrastructure hosted on Amazon Web Services (AWS). No analytics or advertising SDKs are included in the extension.

Aggregated, anonymised sale price and market data may be used in our products and analytics features. This data cannot be used to identify individual users.

7. Data Storage and Security

  • Authentication tokens and preferences are stored locally in your browser via chrome.storage.local
  • Server-side data is stored in encrypted databases on AWS with access restricted to authorised personnel
  • All communication between the extension and our servers uses HTTPS/TLS
  • Frame captures, detector experiment artifacts, and camera captures are stored securely and automatically deleted after 30 days

8. Data Retention

Data | Retention
Video frame captures | 30 days
Detector experiment artifacts | 30 days
Camera/webcam captures | 30 days, or until manually deleted by you
Card match confirmations | Retained for as long as your account is active
Sale price data | Retained for as long as your account is active
Stream metadata | Retained for as long as your account is active
Account information | Retained until you request account deletion
Local storage (tokens, preferences) | Cleared when you uninstall the extension or clear browser data

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Access — You can request a copy of the personal data we hold about you.
  • Rectification — You can ask us to correct any inaccurate or incomplete data.
  • Erasure — You can request deletion of your account and all associated data. You can also delete individual frame captures and camera captures directly in the app at any time.
  • Restriction — You can ask us to restrict processing of your data in certain circumstances.
  • Portability — You can request your data in a structured, commonly used format.
  • Objection — You can object to processing based on legitimate interest, including the use of your data for model training.
  • Withdrawal of consent — Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at privacy@cardikyu.com. We will respond within 30 days.

Uninstalling the extension automatically removes all locally stored data.

10. Extension Permissions

The Cardikyu Chrome extension requests the following permissions:

  • activeTab — Allows us to access the current tab to capture video frames from live streams for card detection. We only access tabs on supported platforms.
  • storage — Used to save your authentication token, preferences, and capture settings locally in your browser.
  • scripting — Allows us to display the card identification overlay on supported platform pages, including when the extension is enabled or updated on an already-open tab.
  • camera — Used by the inventory scanning feature to capture images of physical cards for identification. Camera access is only activated when you explicitly use the scanning feature.
  • Host permissions (whatnot.com) — Allows content scripts to run on Whatnot pages to display the card identification overlay and read auction events.
  • Host permissions (api.cardikyu.com, app.cardikyu.com) — Allows the extension to communicate with our API for card identification and to relay authentication from the web app.

11. Children

The service is not directed at anyone under 18. We do not knowingly collect data from anyone under 18. If we become aware that we have collected data from someone under 18, we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated effective date. If we make significant changes, we will notify you through the extension or by email.

13. Contact

Questions about this policy? Contact us at privacy@cardikyu.com.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.