Privacy Policy

Last updated: February 25, 2026

The Bulk Exchange (“the platform”, “we”, “us”) is a free, community-run service for trading Magic: The Gathering cards in person. This policy explains what personal data we collect, why we collect it, and what rights you have over it.

By creating an account you acknowledge that you have read this policy.

1. Data We Collect

Account data (required)

• Username — publicly visible to all users.
• Email address — used for login and password reset only. Not shared publicly by default.
• Password — stored as a bcrypt hash (cost 12). The plain-text password is never stored.

Contact methods (optional)

• Discord handle, phone number, and/or email address.
• These are shown on your public profile only if you explicitly enable contact info sharing in your settings. They are how other traders contact you to arrange in-person exchanges.

Card lists

• Your wantlist and haves (bulk) list, including card names, sets, condition, and language.
• These are visible to other users when your profile is public.

Avatar image

• Uploaded voluntarily. Stored in Vercel Blob storage as a publicly accessible URL.
• Deleted from storage when you remove your avatar or delete your account.

Pod membership

• Which pods (local groups or events) you have joined or created.

2. How We Use Your Data

• To authenticate you and maintain your session.
• To match your wantlist against other users' haves lists (and vice versa).
• To display your public profile and card lists to other traders.
• To send password-reset emails (transactional only — no marketing).

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. What Is Publicly Visible

When your profile is set to Public (the default), the following is visible to any signed-in user:

• Username and avatar.
• Card lists (wantlist and haves).
• Contact methods (Discord, phone, email) only if you have enabled “Show contact info” in your account settings.

When your profile is set to Private, no information is visible to other users.

Unauthenticated visitors (not logged in) cannot see any contact information.

4. Third-Party Services

Vercel (hosting & blob storage)

The platform is hosted on Vercel. Your avatar images are stored in Vercel Blob. Vercel processes data in accordance with their Privacy Policy.

Neon (database)

Your account data and card lists are stored in a Neon serverless Postgres database. See Neon's Privacy Policy.

Resend (transactional email)

Password reset emails are sent via Resend. Your email address is transmitted to Resend for this purpose only. See Resend's Privacy Policy.

Scryfall (card data)

Card names and set codes are queried against the Scryfall API to resolve card details and images. This is a server-side proxy — your IP address and identity are never sent to Scryfall.

GitHub (feedback)

If you submit feedback via the feedback form, the text of your submission is posted as a GitHub Issue. Do not include personal information in feedback messages.

5. Cookies & Sessions

We use a single HttpOnly, Secure session cookie to keep you logged in. It contains a signed JWT with your user ID, username, and email. It is valid for 30 days and is deleted when you log out.

We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

6. Data Retention

Your data is retained for as long as you have an active account. When you delete your account:

• All account data, card lists, and pod memberships are permanently deleted from the database.
• Your avatar image is deleted from Vercel Blob storage.
• Existing login sessions are invalidated client-side immediately. Any outstanding JWT tokens expire within 30 days.

7. Your Rights

You have the right to:

• Access your data — via your profile settings and the data export feature.
• Rectify your data — edit your contact info, username, and card lists at any time.
• Delete your data — use “Delete Account” in your profile settings. Deletion is immediate and irreversible.
• Restrict visibility — set your profile to Private at any time to hide your data from other users.
• Control contact sharing — toggle “Show contact info” to control whether your Discord, phone, and email are visible on your profile.

8. Security

Passwords are hashed using bcrypt with a cost factor of 12, in accordance with OWASP recommendations. All communication is encrypted in transit via HTTPS. Password reset tokens are single-use and expire after 15 minutes.

No system is perfectly secure. If you discover a security issue, please report it via the feedback form.

9. Changes to This Policy

We may update this policy as the platform evolves. Material changes will be noted in the Releases changelog. Continued use of the platform after a change constitutes acceptance.

Contact

Questions about this policy? Use the feedback form at the bottom of any page.