Privacy Policy
Last updated: May 2026
Grand Line Navigator (“we”, “the app”) is a trade-matching service for One Piece TCG players. This policy explains what personal data we collect, why, and your rights under the GDPR.
01 — Who We Are
Controller: Carlos Javier Guzman Güell
Address: Amsterdam, Netherlands
Contact: privacy@grandlinenavigator.com
A Data Protection Officer (DPO) is not required at our current scale under Article 37 of the GDPR.
02 — What Data We Collect
- Email address (waitlist sign-up and Supabase Auth)
- Username, bio, and avatar image — stored in a private bucket and accessible only to authenticated users via short-lived signed links.
- City name — typed by you, not GPS. We geocode it to coordinates on our server for trade matching.
- Card inventory: card IDs, conditions, languages, and optional photos and comments
- OAuth tokens from Google or Discord, if you choose those sign-in providers (managed by Supabase Auth)
- IP addresses — processed transiently by Supabase, Vercel, and Plausible. Not stored by us.
- Beta access allowlist — email addresses of invited beta testers, held in a separate access-control table for the duration of the closed beta.
03 — Why We Collect It and Legal Basis
| Activity | Legal Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) |
| Profile data — username, bio, avatar | Contract (Art. 6(1)(b)) |
| City name and trade matching | Contract (Art. 6(1)(b)) — core to the service |
| Card inventory — haves and wants | Contract (Art. 6(1)(b)) |
| Waitlist email collection | Consent (Art. 6(1)(a)) |
| Plausible Analytics | Legitimate interest (Art. 6(1)(f)) |
| Security logging | Legitimate interest (Art. 6(1)(f)) |
| Beta access control (allowlist) | Legitimate interest (Art. 6(1)(f)) — managing access to a closed beta |
04 — Sub-Processors and Data Recipients
- Supabase Inc. — Database, authentication, and file storage. EU region.
- Vercel Inc. — Hosting and CDN. US company — Standard Contractual Clauses (SCCs) are in place under GDPR Art. 46(2)(c).
- Plausible Analytics — Cookieless, privacy-friendly analytics. No personal data stored. No cookies set.
- Komoot GmbH (Photon) — Geocoding your city name to coordinates via Photon, an OpenStreetMap-based service hosted in Germany. Called server-side only — your IP is never sent to Komoot.
- Google / Discord — Only if you choose to sign in with those providers. OAuth only.
05 — Data Shared with Other Users
When the matching feature finds a compatible trade, the following data about you becomes visible to that matched user:
- Your username, bio and avatar
- The name(s) of your saved location(s) and the approximate distance from their search
- The cards in your inventory relevant to the match — names, conditions, languages, and photos where you have uploaded them
On the match detail page, all of your active saved locations are also shown to the matched user.
The app does not access your device's location. Saved locations are cities you enter manually in the app.
06 — International Transfers
- Our Supabase project is hosted in an EU region — no transfer of your data outside the EU via Supabase.
- Vercel is a US company. The transfer is covered by Standard Contractual Clauses (SCCs) included in Vercel's DPA.
- Plausible Analytics is EU-based. No personal data is transferred.
07 — Data Retention
| Data | Retention Period |
|---|---|
| Active user account | Duration of account + 30 days post-deletion |
| Waitlist entries | 12 months from sign-up, or until invite sent |
| Inactive accounts (no login for 24 months) | Deletion warning sent, then removed |
| Plausible analytics | 3 years (aggregate, anonymised — no personal data stored) |
| Auth sessions | ~7 days (Supabase JWT default) |
| Card images and avatars | Deleted with account |
| Beta allowlist entries | Removed when the closed beta ends or when the entry's account is deleted |
08 — Your Rights
Under GDPR Articles 15–22 you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data — the “right to be forgotten” (Art. 17)
- Receive your data in a structured format — data portability (Art. 20)
- Restrict processing in certain circumstances (Art. 18)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent for the waitlist at any time (Art. 7)
To exercise any right, email privacy@grandlinenavigator.com. We will respond within 30 days.
09 — Analytics
We use Plausible Analytics. Plausible does not set cookies, does not track you across sites, and stores no personal data. No cookie consent banner is required.
10 — Cookies
We use strictly necessary session cookies to keep you signed in. These are managed by Supabase Auth and are required for the service to function. They do not track you across sites and do not require consent under the ePrivacy Directive.
11 — Supervisory Authorities
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your national supervisory authority. Relevant authorities for our user base:
- Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
12 — Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the app. The “Last updated” date at the top reflects the most recent revision.