Privacy Policy

1. Who We Are

Middlewest Cards ("we," "us," "our") operates the Card Intelligence Engine at middlewest.cards. This Privacy Policy explains what data we collect, how we use it, and your rights regarding it.

2. Information We Collect

Account information: When you sign up, we collect your email address, a display name, and a hashed password. We never store your password in plaintext.

Subscription data: If you subscribe, Stripe processes your payment. We store only a Stripe customer ID — we never see or store your full card number.

Usage data: We log which features you use (e.g. watchlist adds, chat queries) to improve the product. Logs do not contain card numbers or passwords.

Chat interactions: Messages sent to the AI chat are logged with your user ID for quality and debugging purposes. Do not include personally sensitive information in chat messages.

3. How We Use Your Information

• To provide and improve the Service.
• To process your subscription via Stripe.
• To send transactional emails (account confirmation, password reset). We do not send marketing emails without your consent.
• To diagnose bugs and monitor system health.
• To comply with legal obligations.

4. Data We Do Not Collect

• We do not run advertising or analytics SDKs.
• We do not sell, rent, or trade your personal data to third parties.
• We do not use cookies beyond what is strictly necessary for session authentication.
• We do not collect device fingerprints or behavioral tracking data.

5. Third-Party Services

We use the following third-party services, each governed by their own privacy policies:

• Stripe — payment processing. stripe.com/privacy
• Anthropic — AI chat responses. Your chat messages are sent to Anthropic's API. anthropic.com/privacy
• CardHedge — card pricing data. Queries include card identifiers but not personal data.

Baseball statistics are sourced from public data providers (MLB Stats API, FanGraphs). No personal data is shared with these sources.

6. Data Retention

We retain your account data for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g. billing records).

Anonymized usage logs may be retained indefinitely for product improvement.

7. Security

We use industry-standard measures to protect your data: bcrypt password hashing, HTTPS in transit, httpOnly session cookies, and WAL-mode SQLite with regular backups. No system is perfectly secure, and we cannot guarantee absolute security.

8. Your Rights

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Withdraw consent where processing is consent-based.

To exercise any of these rights, email us at james@middlewest.cards.

9. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes via email or an in-app notice at least 7 days before they take effect. Your continued use of the Service after that date constitutes acceptance.