Privacy Policy

If you browse without an account, we collect minimal anonymous data:

• Anonymous session ID— a randomly generated UUID stored in your browser's localStorage. It is not linked to your name or email and is used solely to group your searches and clicks for aggregate analytics.
• Search queries — the text you type into the search bar, the number of results returned, and the timestamp.
• Outbound clicks— when you click “Visit” to go to a shop, we log which card listing was clicked and which shop.

If you sign in with Google, we additionally collect and store:

• Name — as provided by your Google account
• Email address — as provided by your Google account
• Profile picture URL — as provided by your Google account
• Google user ID — a stable identifier Google provides so we can recognise you on return visits
• Your watchlist — the cards you save to your account

We do not collect or store your Google password, and we never receive it. Authentication is handled by Google and our auth provider (Supabase).

• To understand which cards and shops are most popular
• To identify missing cards (zero-result searches)
• To measure which shops receive traffic from CardHunt SA
• To keep your watchlist available across devices when you sign in
• To display your name and avatar to you in the interface (we do not show these to other users unless you enable a public watchlist)

We do not sell or share your data with third parties for marketing purposes.

Application data (including account profiles, watchlists, and analytics) is stored in a secured PostgreSQL database hosted on Railway (EU region). Anonymous session data is retained for up to 12 months and then deleted.

We rely on the following third-party processors to operate the service:

• Supabase — handles Google OAuth sign-in and issues the authentication cookies that keep you signed in. Supabase stores a copy of your account profile (name, email, Google ID).
• Google— authenticates you via OAuth. Google's privacy policy governs what Google does with your sign-in activity.
• Railway — hosts our backend servers and database.
• Vercel — hosts our frontend website.

CardHunt SA uses the following storage mechanisms:

• ch_session_id — a random UUID in localStorage used for anonymous analytics. Clearing browser storage removes it.
• ch_watchlist — your locally saved watchlist (used only when you are signed out).
• Supabase authentication cookies (HttpOnly session cookies, set only when you sign in) — these keep you signed in between visits. Signing out removes them.

We do not use any advertising, tracking, or third-party analytics cookies.

As a data subject under POPIA, you have the right to:

• Access — request a copy of any personal information we hold about you
• Correction — request that inaccurate information be corrected
• Deletion — request that your account and associated data be deleted
• Objection — object to the processing of your information

If you have an account, we can identify your records using the email address linked to your Google sign-in. If you browse anonymously, you can find your session ID in your browser's localStorage under the key ch_session_id.

To exercise your rights, contact us at: info@cardhunt.co.za

CardHunt SA links to external shop websites (e.g. Bob Shop, Poke Bulk, Poke PlugZA). We are not responsible for the privacy practices of these third parties. Please review their privacy policies before purchasing.

CardHunt SA is not directed at children under 13. We do not knowingly collect any information from children.

We may update this policy from time to time. The “last updated” date at the top of this page reflects the most recent revision. Continued use of CardHunt SA after changes constitutes acceptance of the updated policy.

Information Officer (as required by POPIA):
CardHunt SA
South Africa
info@cardhunt.co.za