Privacy Policy
Effective May 6, 2026
Nerd 401k (“we,” “us,” “our”) is operated by Osof Studios. This Privacy Policy explains what information we collect when you use the Nerd 401k mobile app and the website at nerd401k.com (together, the “Service”), how we use it, and the choices you have. If you do not agree with this policy, please do not use the Service.
1. Information we collect
We only collect what we need to operate the Service. Specifically:
1.1 Account information
- Email address — used to authenticate you and to send transactional messages (e.g., password reset). If you sign in with Apple or Google, we receive the email associated with that identity.
- Display name and avatar URL — optional; you can leave them blank.
- Account identifier — a random UUID we use to associate your data with your account.
1.2 Collection data
- Holdings — the cards you have added to your portfolio, including the card identifier, quantity, condition, optional purchase price, and how you acquired the card (retail, auction, trade, or pack pull).
- Watchlist, binders, vault layout, trade history, and credit balance — stored only in association with your account.
1.3 Card scan data
- Photos you submit to the scan feature — when you tap the capture button or pick an image from your library, the image is sent over HTTPS to our scan service for one-time identification. We do not retain the image after the scan completes.
- Scan telemetry — for each scan we record the suggested game (TCG), the model’s confidence, the matched card identifier (if any), latency, and the outcome (added to vault, opened in search, failed, abandoned). We use this to improve match accuracy. It is associated with your account.
1.4 Information we do NOT collect
- We do not use any tracking or advertising identifier (IDFA) and do not perform cross-app tracking. The app declares NSPrivacyTracking = false in its privacy manifest.
- We do not sell your information to anyone.
- We do not use third-party analytics SDKs in the mobile app at this time.
- We do not access your contacts, microphone, location, or motion sensors.
2. How we use the information
- To create and authenticate your account and keep you signed in.
- To save and display your portfolio, vault, watchlist, binders, and trades.
- To identify cards you scan and match them to entries in our catalog.
- To compute prices, profit/loss, and other portfolio metrics from public market data.
- To respond to support inquiries and keep the Service secure.
3. Service providers we share data with
We use a small number of vendors to operate the Service. Each receives only what is needed for its function. We do not allow them to use your data for their own advertising.
- Supabase, Inc. — authentication, database, and storage. Holds your account data, holdings, scan telemetry, and related records.
- Vercel, Inc. — hosting and edge networking for nerd401k.com and the Service’s API endpoints.
- Google LLC (via the Vercel AI Gateway) — receives the image you submit during a scan and returns identification text. Per Google’s zero-data-retention terms via the AI Gateway, the image is processed in-flight and discarded.
- Apple Inc. and Google LLC — if you use Sign in with Apple or Sign in with Google, the chosen provider authenticates you and shares an account identifier and email with us.
4. Where your data is stored
Your account, holdings, and telemetry are stored in Supabase’s cloud infrastructure. Storage location depends on your account’s home region; for new accounts created in the United States, that is generally a U.S.-based facility. By using the Service you consent to your data being processed in the United States or other countries where our service providers operate.
5. How long we keep it
- Account data — kept while your account is active. When you tap “Delete account” in the app, your account is marked for deletion and all associated holdings, vault contents, watchlist, binders, trades, and scan telemetry are removed within 30 days. Backups roll off within 30 additional days.
- Scan images — never persisted. The image is forwarded once for identification and discarded.
- Service logs — generic web request logs are retained for up to 30 days for security and abuse prevention.
6. Your choices
- Access & export — email support@osof.studio to request a copy of your data.
- Correction — most fields can be edited directly in the app (Settings).
- Deletion — open the mobile app → Settings → Delete account. This is irreversible. You may also email support@osof.studio to request deletion.
- Opt-out of email — transactional messages (password reset, security alerts) are required while your account is active. We do not currently send marketing email; if we ever do, every message will include an unsubscribe link.
7. Children
Nerd 401k is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with information, please contact support@osof.studio and we will delete the account.
8. California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we hold about you, request deletion, request correction, and not receive discriminatory treatment for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising. To exercise any of these rights, email support@osof.studio.
9. EEA / UK residents (GDPR)
If you are in the European Economic Area or the United Kingdom, our legal bases for processing are: (a) performance of the contract to provide the Service to you, (b) our legitimate interest in operating and securing the Service, and (c) your consent where applicable (e.g., when you submit a card image). You have the right to access, correct, delete, and port your data, restrict or object to processing, and lodge a complaint with your local supervisory authority. To exercise any of these rights, email support@osof.studio.
10. Security
All connections between the app and our servers use HTTPS. Account passwords (when applicable) are stored hashed by our authentication provider. Database access is controlled by row-level security so each account can only read and write its own records. No system is perfectly secure; please use a strong, unique password and notify us at support@osof.studio if you suspect unauthorized access.
11. Changes to this policy
We will update this policy as the Service changes. The “Effective” date at the top reflects the latest revision. If we make a material change to how we use your information, we will notify you within the app or via email before the change takes effect.
12. Contact
Questions about this Privacy Policy or your data can be sent to support@osof.studio.