Privacy Policy
Last updated: 8 July 2026
1. Data controller
The controller responsible for the personal data collected via the www.opitem.xyz website and the OpItem application is:
SAS POKEITEM (OpItem)
Email: [email protected]
2. Data collected
Depending on the services you use, the following data may be collected:
| Data | Source | Required |
|---|---|---|
| Email address | Account registration | Yes |
| Password (hashed) | Account registration | Yes |
| Nickname / username | Account registration | Yes |
| Profile picture | User profile | No |
| Collection data (cards) | App usage | No |
| Purchase prices entered | App usage | No |
| Card condition / grade | App usage | No |
| Payment data | Premium subscription (via Stripe) | No |
| IP address, browser | Automatic browsing | No |
| Usage data (pages visited) | Anonymous analytics | No |
| Card photos (scan) | The app's scan feature | No |
Stripe note: payment data (card number, etc.) is never stored by OpItem. It is processed exclusively by Stripe, a PCI DSS–certified payment provider. OpItem retains only the transaction identifier, the subscription status and the billing dates.
OpItem never collects sensitive data within the meaning of the GDPR (health data, ethnic origin, political opinions, etc.).
3. Purposes of processing
Personal data is processed for the following purposes:
- Creating and managing user accounts
- Providing the Service (collection management, price estimates)
- Identifying cards (scan feature)
- Managing the Premium subscription and billing
- Sending transactional emails (confirmation, renewal reminder)
- Improving the Service (anonymous analytics)
- Complying with legal obligations (accounting record-keeping)
4. Legal basis for processing
| Purpose | Legal basis |
|---|---|
| Account and Service management | Performance of the contract (Art. 6.1.b GDPR) |
| Billing and subscription | Performance of the contract (Art. 6.1.b GDPR) |
| Accounting obligations | Legal obligation (Art. 6.1.c GDPR) |
| Anonymous analytics | Legitimate interest (Art. 6.1.f GDPR) |
| Marketing emails (where applicable) | Consent (Art. 6.1.a GDPR) |
5. Retention period
| Data | Period |
|---|---|
| Active user account | Lifetime of the account |
| Account data after deletion | 30 days (permanent purge) |
| Billing data | 10 years (legal obligation) |
| Connection logs | 12 months |
| Anonymous analytics data | 26 months |
| Scanned card photos | Not retained by OpItem (ephemeral processing) |
6. Data recipients
Users' personal data is processed by SAS POKEITEM (OpItem) and its technical subprocessors:
- Railway Corp. (United States), hosting of the website and web application
- Stripe, Inc. (United States / Ireland), processing of web transactions (Premium subscription via the website)
- Apple Inc. (United States), authentication via "Sign in with Apple" and iOS in-app purchases
- Google LLC (United States), authentication via "Sign in with Google" (OAuth 2.0) and Android in-app purchases
- TCG API, tcgapi.io (European Union), card recognition and valuation used by the scan feature. Only the card image is transmitted, with no user identifier; it is not retained after identification.
OpItem does not sell, rent or transfer its users' personal data to third parties for commercial purposes.
7. Transfers outside the European Union
Some services involve a transfer of data to the United States. These transfers are governed by the Standard Contractual Clauses (SCCs) approved by the European Commission (decision 2021/914) and/or the EU–United States Data Privacy Framework (DPF), ensuring an adequate level of protection in accordance with the GDPR.
TCG API (tcgapi.io) is hosted in the European Union: no transfer outside the EU for this service.
8. Your rights (GDPR)
In accordance with Regulation (EU) 2016/679 (GDPR), you have the following rights over your personal data:
- Right of access, to obtain a copy of your data
- Right to rectification, to correct inaccurate data
- Right to erasure, to request the deletion of your data
- Right to portability, to receive your data in a structured format
- Right to object, to object to certain processing
- Right to restriction, to temporarily restrict processing
- Right to withdraw your consent at any time
To exercise these rights, contact us at [email protected]. We undertake to respond within one month. If our response is unsatisfactory, you may lodge a complaint with the CNIL (the French data protection authority), www.cnil.fr.
9. Cookies and trackers
The www.opitem.xyz website uses:
| Tool / Cookie | Purpose | Consent |
|---|---|---|
| Technical cookies | Website operation, user session | No |
| Authentication cookies (JWT) | Keeping the logged-in session active | No (necessary) |
| Analytics cookies | Anonymized traffic statistics | Yes (via banner) |
Any analytics tools are loaded only after your explicit consent via the cookie banner. If you decline, no analytics script is run. You can change your choice at any time via the "Manage cookies" link at the bottom of the page.
10. Data security
OpItem implements appropriate technical and organizational measures to protect your personal data against any unauthorized access, loss, alteration or disclosure, including:
- Encryption of communications (HTTPS/TLS)
- Secure hashing of passwords
- Data access restricted to authorized personnel
- Hosting on certified infrastructure
In the event of a data breach likely to create a risk to your rights, you will be informed as soon as possible, in accordance with Article 34 of the GDPR.
11. Changes to this policy
OpItem reserves the right to amend this privacy policy at any time, in particular to comply with regulatory developments. Material changes will be notified to users by email or through the Service. The version in force is the one published on this page, with the last-updated date shown at the top of the page.
For any questions: [email protected]