Privacy Policy
Last updated: 2026-05-29
Plain-English summary (not legally binding):We collect the data we need to run the Service — your account info, the card photos you upload, basic device and usage data, and payment data through Stripe. We share data only with the third-party providers that actually run parts of the Service (Stripe, eBay, Firebase / Google, Anthropic, AWS, Deepgram, Sentry, PSA, and shipping carriers). We do not sell your data. California residents and residents of other US states with comparable privacy laws can ask us to access, correct, delete, or export their data. Users must be at least 13 to use the Service; financial features require age 18+. If you live outside the US or Canada, this Service is not for you.
1. Who we are
This Privacy Policy describes how Rebellion LLC, a Kentucky limited liability company ("Rebel Cards", "we", "us", "our"), collects, uses, and shares information when you use rebel-cards.comand the related mobile applications (the "Service").
Business address: Rebellion LLC, c/o Registered Agents Inc, 212 N. 2nd St. STE 100, Richmond, KY 40475
Privacy contact: privacy@rebel-cards.com. We respond to privacy requests within 30 days (extendable to 60 days for complex requests, with notice).
2. Scope and audience
The Service is available to users who are at least 13 years old and who reside in the United States or Canada. Users aged 13–17 ("Teen Members") have access to browse, collect, and AI-grading features only; financial features (buying, selling, payouts) require age 18+. We do not knowingly collect personal information from anyone under 13. If you are under 13, do not use the Service. We do not serve users in the European Union, United Kingdom, or other jurisdictions outside the US and Canada, and make no GDPR or UK GDPR compliance representation.
If you are outside the US or Canada, do not use the Service.
3. Information we collect
3.1 Information you provide
- Account information: email address, display name, and authentication provider (Google via Firebase, or email/password via Firebase).
- Profile data: business name (for sellers), shipping and return address if you opt into our physical custody service, phone number (optional).
- Card content: photos of cards you scan or upload (stored in AWS S3), condition notes, price estimates, descriptions, and inventory metadata.
- Marketplace credentials: OAuth access tokens we hold on your behalf to post listings to eBay. We never see your eBay password.
- Support communications: messages, emails, or attachments you send us.
3.2 Information collected automatically
- Device and technical data: IP address, browser type and version, operating system, device identifiers, app version, language, and time zone.
- Usage data: pages visited, features invoked, click events, error reports, and performance traces.
- Voice input (with permission):if you use voice-command features, short audio segments are processed by Deepgram (see Section 5). We do not record audio continuously or outside of an active voice command session. We have opted out of Deepgram's model-improvement program (MIPP) and have executed a Data Processing Agreement with Deepgram.
- Camera (with permission): the in-app card-scanning feature uses your device camera to capture card images.
- Cookies and similar technologies: we use first-party session cookies for authentication (keeping you signed in) and a small set of first-party analytics events. We do not currently use third-party advertising cookies, cross-site tracking pixels, or session-replay tools.
3.3 Information from third parties
- Stripe: payment status, last four digits of card, billing country, and fraud signals. We do not receive or store your full payment card number.
- eBay (via OAuth you authorize): your seller-account data, listing status, order data, and fee data — limited to the OAuth scopes you grant.
- PSA (if you opt into custody): grade results, cert numbers, and slabbed-card photos for cards we submitted on your behalf.
4. Why we use the information ("purposes")
- To run the Service: authenticate you, store your inventory, run AI grading and pricing (powered by Anthropic Claude only — we do not use OpenAI), post eBay listings, process payments, and manage physical card custody.
- To improve our AI models: we use anonymized and de-identified card photos and grade data to train and evaluate our grading and pricing models. You can opt out by emailing the privacy contact in Section 1; opting out does not affect your normal use of the Service.
- To communicate with you: transactional emails (receipts, password resets, custody status updates, security alerts), and marketing only if you opted in.
- For safety, fraud prevention, and legal compliance: detecting abuse, responding to lawful requests, and enforcing our Terms of Service.
- For aggregate business analytics: feature adoption and conversion trends — no individual user is identified in this analysis.
5. How we share information
We share information only with the following categories of recipients. We do not sell your personal information. We do not share personal information with advertising networks or allow third parties to use data we share with them for their own independent purposes.
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Email, billing address, purchase amounts (card details entered directly on Stripe-hosted forms) |
| eBay Inc. | Marketplace listing | Listing content you create; OAuth-scoped seller-account data |
| Google LLC / Firebase | Authentication | Email, display name, OAuth token |
| Anthropic, PBC | AI grading, chat features, pricing analysis | Card photos, card metadata, conversation prompts |
| Amazon Web Services, Inc. | Hosting, storage, databases | All Service data (stored in US AWS regions) |
| Sentry | Error monitoring | Stack traces, browser type, user identifier (pseudonymized) |
| Deepgram | Speech-to-text for voice features | Short audio segments captured during voice commands (MIPP opt-out in effect; DPA executed) |
| PSA (Professional Sports Authenticator) | Submission of cards in custody | Card identifying details, submitter name and address |
| Shipping carriers (USPS, UPS, FedEx) | Card shipping for custody service | Name, shipping address, declared value |
Legal disclosures: We may disclose information when legally required (subpoena, court order, lawful government request), when necessary to protect our rights, property, or safety, or in connection with a business transfer (merger, acquisition, or sale of assets). In the case of a business transfer, we will notify affected users at the email on file before their data is transferred.
6. Where the data lives and how long we keep it
All Service data is stored in AWS data centers in the United States.
Retention periods:
| Data type | Retention |
|---|---|
| Account data (email, name, preferences) | While active + 90 days post-deletion, then permanently deleted |
| Card photos and inventory records | Same as account data |
| Payment records | 7 years (US tax and accounting requirements) |
| Support communications | 2 years |
| Error logs and audit trails | 1 year |
| Custody records (chain of custody) | 5 years (dispute resolution) |
| eBay OAuth tokens | Deleted within 30 days of account deletion or token revocation |
| Anonymized model-training data | May be retained indefinitely once de-identified |
7. Your rights
7.1 All users
You may, at any time:
- Access the personal information we hold about you by emailing privacy@rebel-cards.com.
- Correct inaccurate information from the in-app Settings page or by emailing us.
- Delete your account from the Settings page or by emailing us. Deletion is processed within 30 days (plus the 90-day backup window in Section 6).
- Export your data (cards, photos, inventory records, sales records) from the Settings page or on request.
- Opt out of AI model training by emailing us; we will exclude your future uploads from training pipelines. Opting out does not affect normal Service operation.
- Opt out of marketing email via the unsubscribe link in any marketing message. Transactional messages (receipts, password resets, custody updates) cannot be turned off while your account is active.
7.2 California residents (CCPA / CPRA)
If you reside in California, you have the following additional rights:
- The right to know what categories of personal information we collect, the purposes, and the categories of recipients.
- The right to request deletion of personal information, subject to certain exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CPRA.
- The right to limit the use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is necessary to provide the Service.
- The right to non-discrimination for exercising any of these rights.
- The right to data portability — to receive your personal information in a commonly used, machine-readable format.
To exercise California rights, email privacy@rebel-cards.com with the subject line "California Privacy Request" and include your account email address so we can verify your identity.
7.3 Other US state privacy laws
We extend equivalent access, deletion, correction, and portability rights to residents of any US state with a comparable consumer privacy law, including Virginia, Colorado, Connecticut, Utah, and Texas. Email privacy@rebel-cards.com with the subject line "[State] Privacy Request."
7.4 Canadian users (PIPEDA / Quebec Law 25)
Canadian users may request access to or correction of personal information under PIPEDA. Quebec residents have additional rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), including the right to data portability and the right to be informed of privacy incidents. Email privacy@rebel-cards.com with the subject line "Canadian Privacy Request."
8. Billing and taxes
Subscription fees are displayed on our pricing page at the time of purchase. Prices exclude applicable sales tax, which may apply based on your billing address and applicable law. We process payments via Stripe, Inc. and do not store full payment card numbers.
9. Children's privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If we learn we have collected information from a person under 13, we will delete it promptly. If you believe we have inadvertently collected such information, contact us at privacy@rebel-cards.com.
10. Security
We protect personal information using industry-standard measures, including:
- TLS encryption in transit (HTTPS everywhere).
- Encryption at rest (AWS-managed keys for S3 storage and Aurora databases).
- Role-based access controls and row-level security in our database.
- Audit logging of administrative actions.
- Multi-factor authentication for staff with production access.
No system is perfectly secure. If a security incident affects your personal information, we will notify you within the timeframes required by applicable law.
11. Cookies
We use first-party cookies for:
- Authentication (keeping you signed in).
- Session state (remembering UI preferences).
- First-party analytics (counting page views and feature usage).
We do not currently use third-party advertising cookies, cross-site tracking pixels, or session-replay tools. If we add any of those in the future, we will update this Policy and (where required) provide an in-app consent banner.
You can disable cookies in your browser. Disabling cookies may break sign-in.
12. App store data-collection disclosures
For mobile users, our App Store and Google Play data-collection declarations mirror this Privacy Policy. We declare the following data types as collected and linked to your identity:
- Contact info (email)
- Account identifiers
- Photos (card images you upload)
- Usage data (feature interactions)
- Diagnostics (crash logs, performance data)
- Camera input (for card scanning, with permission)
- Microphone input (for voice commands, with permission)
- Location (shipping address only — entered manually by you)
We do not collect or share data for third-party advertising or cross-app tracking.
13. International users and geographic scope
The Service is intended for users in the United States and Canada. All data is stored in the United States. We currently geo-block users in the European Union and United Kingdom. We do not claim GDPR or UK GDPR compliance and do not offer EU standard contractual clauses. If you access the Service from outside the US or Canada, you do so outside the intended scope of this Policy.
14. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced by email to the address on your account at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated Policy.
15. How to contact us
For all privacy questions, requests, complaints, or to exercise your rights:
- Email: privacy@rebel-cards.com
- Mail: Rebellion LLC, c/o Registered Agents Inc, 212 N. 2nd St. STE 100, Richmond, KY 40475
We respond within 30 days (extendable to 60 days for complex requests, with notice).