TCGKungfuTCGKungfuBack to Home

Privacy Policy

Last updated: February 2026Effective: February 11, 2026

TheForge, LLC ("we," "us," or "our") operates TCGKungfu (tcgkungfu.com), a multi-tenant SaaS platform for trading card game stores. This Privacy Policy describes how we collect, use, store, and protect your information.

1. Information We Collect

1.1 Store Owner Information

  • Email address
  • Store name, subdomain, and business information
  • Admin PIN (stored as a bcrypt hash — we never see your actual PIN)
  • Subscription tier selection

1.2 Staff Information

  • Staff names and assigned roles
  • Staff PINs (stored as bcrypt hashes)

1.3 Customer Information (Minimal)

We collect minimal customer data on behalf of stores:

  • Names (for loyalty program enrollment)
  • Trade-in transaction records
  • Loyalty point balances

Stores are the data controllers for customer data. We process it on their behalf.

1.4 Card Inventory Data

  • Card names, sets, conditions, quantities
  • Buy and sell prices, pricing rules
  • Trade-in history

1.5 Payment Information

Payments are processed entirely by Stripe. We do not store credit card numbers. See Stripe's Privacy Policy.

1.6 Usage Data

  • Pages viewed and features used (anonymized)
  • Browser type and device information
  • IP address (for security and fraud prevention)

1.7 Cookies

First-party only: JWT session cookies on .tcgkungfu.com for authentication. We do not use third-party tracking or advertising cookies.

2. How We Use Information

  • Operate the service: Provision subdomains, authenticate users, manage inventory, process trade-ins
  • Process billing: Manage subscriptions via Stripe
  • Provide support: Respond to inquiries and troubleshoot
  • Improve the platform: Analyze usage to build better features
  • Ensure security: Detect and prevent fraud and abuse
  • Legal compliance: Meet applicable laws and regulations

We do not use your data for advertising or sell it to third parties.

3. Data Sharing

We share data only with:

  • Stripe: Payment and subscription processing
  • Scryfall: Card metadata and pricing (no personal data sent)
  • Legal requirements: When required by law, subpoena, or court order
  • Business transfers: In the event of merger or acquisition, with advance notice

We do not sell, rent, or trade personal information.

4. Data Storage and Security

  • PostgreSQL databases on encrypted servers with restricted access
  • SSL/TLS encryption for all connections (HTTPS everywhere)
  • Server disks use full-disk encryption
  • PINs hashed with bcrypt (irreversible)
  • Role-based access controls for staff permissions
  • Firewalls, key-only SSH, and intrusion detection
  • Regular encrypted backups with geographic redundancy

5. Multi-Tenant Data Isolation

Each store's data is logically isolated. Every database query is scoped to a specific store. Staff from one store cannot access another store's data. Store subdomains are isolated.

Super-admin access (TheForge, LLC only) is restricted to platform maintenance and is logged for audit.

6. Your Rights

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data
  • Export: Export your store data as CSV or JSON
  • Withdraw consent: Where processing is based on consent

Contact admin@theforge.llc. We respond within 30 days.

Store customers: Contact the store directly. The store is the data controller for customer data.

7. Data Retention

  • Active accounts: Retained for the duration of your subscription
  • After termination: 30 days for export, then permanently deleted
  • Billing records: Retained up to 7 years for tax compliance
  • Anonymized analytics: May be retained indefinitely (not linkable to individuals)

8. Children's Privacy

TCGKungfu is a B2B service not directed at children under 13. We do not knowingly collect personal information from children in compliance with COPPA. Contact us if you believe a child has provided personal data.

9. Changes to This Policy

We provide at least 30 days' notice via email for material changes. Continued use after the effective date constitutes acceptance.

10. California Privacy Rights (CCPA)

  • Right to know: What personal information we collect and how it is used
  • Right to delete: Request deletion of personal information
  • Right to opt-out: We do not sell personal information
  • Non-discrimination: No penalty for exercising your rights

11. Contact Us

TheForge, LLC

Email: admin@theforge.llc

Website: tcgkungfu.com