Privacy Policy
Effective date: 2026-06-04
This Privacy Policy describes how The Daily Rip ("we", "us", or "our") collects, uses, shares, and protects information about you when you use our mobile application, our website at thedailyrip.app, and any related services (collectively, the "Service").
We are committed to handling your information responsibly. If you have questions, email privacy@thedailyrip.app.
This Policy is incorporated into our Terms of Service.
1. Who we are
The Daily Rip is an independent collector tool operated as a sole proprietorship by Nicolas Coculuzzi, based in the United States. For purposes of the European Union General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018 ("UK GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), we are the controller of personal information processed through the Service.
If you are in the EEA, UK, or Switzerland, you can contact us about your data at privacy@thedailyrip.app. We have not appointed an EU-based representative under Article 27 GDPR; if our user base in the EU grows materially we will do so.
2. Information we collect
We collect only what is necessary to operate the Service. Below is the full inventory.
2.1 Information you provide
Account information
- Email address (required to sign in)
- Password (stored hashed; we never see plain text)
- Handle (username)
- Optional: display name, bio, avatar image, 5-digit US ZIP code
Collection and portfolio data
- Cards you mark as owned
- Watchlist entries and any alert thresholds
- Holdings (quantity, cost basis, optional acquisition date, optional grade bucket)
- Photos you upload of cards you own (limited to images)
Communications with us
- Email, in-app chat, or other support communications you send
AI assistant prompts
- The text of your question and the relevant card identifier when you use the "Ask AI" feature
Camera scan photos
- When you use the camera scanner to identify a card, the photo is sent to our AI provider (OpenAI) to recognize the card. The photo is processed in real time and not stored on our servers. OpenAI's API terms govern their handling of the request; we have not opted into any prompt-retention-for-training option.
2.2 Information collected automatically
- Device and app metadata: app version, OS version, device model, language, timezone
- Network metadata: IP address (used briefly for rate limiting and security; not retained long-term as a unique identifier)
- Push notification tokens: anonymous device identifiers issued by Apple Push Notification service or Firebase Cloud Messaging, used solely to deliver notifications you have opted into
- Crash and error reports: when crash reporting is enabled, we receive anonymous stack traces with no user identifiers attached (see Section 5.5)
- Usage signals: aggregate, non-identifying counters (e.g., how many users opened a screen) used to improve the product
We do not use cookies on the mobile apps. The website uses only strictly-necessary cookies (e.g., for authentication); we do not use advertising or third-party analytics cookies that track you across sites.
2.3 Information from third parties
- Subscription status from RevenueCat (which receives entitlement data from Apple or Google after you subscribe)
- Public card and price data (eBay, PriceCharting, etc.) — this data is about cards, not about you, but it is associated with your watchlist and portfolio when you save it
We do not buy lists of personal information from data brokers.
2.4 What we do NOT collect
- Real legal name (unless you put it in display name)
- Phone number
- Precise geolocation; we collect only your optional ZIP code if you choose to enter it
- Government-issued ID
- Health, biometric, or genetic data
- Financial-account or payment-card information (handled by Apple/Google)
- Contents of your Camera Roll beyond photos you specifically pick
- Cross-app or cross-site advertising identifiers; the iOS app does not request App Tracking Transparency (ATT) permission because we do not track you across other companies' apps or websites
3. How we use your information
We use the information described above for the following purposes. Where required by law, we identify the legal basis under GDPR.
| Purpose | Examples | GDPR legal basis |
|---|---|---|
| Provide the Service | Authenticate you; render your portfolio, watchlist, and feeds; deliver alerts you set up | Performance of a contract (Art. 6(1)(b)) |
| Process subscriptions | Verify entitlement; deliver paid-tier features | Performance of a contract |
| Communicate with you | Account verification, billing receipts, security alerts, support replies | Performance of a contract / legitimate interests |
| Operate AI assistant | Send your prompt + card context to OpenAI to generate an answer | Performance of a contract |
| Prevent abuse and ensure security | Rate limits, free-tier caps, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Tax records, valid law-enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Improve the product | Aggregate usage analytics, crash diagnosis | Legitimate interests |
| Marketing communications (only with consent) | Product newsletters, where you opt in | Consent (Art. 6(1)(a)) — withdrawable any time |
We do not sell or share your personal information for cross-context behavioral advertising, and we do not use your data to train AI models (we have not opted into any AI training uses with our subprocessors).
4. Public content
By default, your profile is private. If you toggle your profile public from the in-app profile screen, the following becomes visible at thedailyrip.app/u/{your-handle}:
- Your handle, display name, bio, avatar
- Your card-photo gallery
- Aggregate stats (total card count, total photo count)
You separately control whether your holdings list and your portfolio dollar value appear on the public profile. Both are off by default; turning them on is opt-in.
You may toggle any of these off at any time. We do not control copies that third parties may have already saved (e.g., screenshots, search-engine caches).
5. Sharing with third parties
We share information with the following categories of third parties. A current list of subprocessors is in Section 11.
5.1 Service providers (subprocessors)
We use the following providers to operate the Service. They process data on our behalf under written agreements that limit them to that purpose:
- Supabase — hosting, database, authentication
- Apple Push Notification service / Firebase Cloud Messaging — push notification delivery
- RevenueCat — subscription state management
- OpenAI — AI assistant (your prompt + card context only)
- Sentry — anonymous crash and error reporting (when enabled)
- Cloudflare — DNS, edge delivery, DDoS protection, website hosting
5.2 Marketplaces and data sources
We pull public price data from third parties (eBay, PriceCharting, etc.). We do not send your personal data to these sources.
5.3 Legal compliance
We may disclose information when we believe in good faith that it is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request;
- Enforce these Terms, including investigation of potential violations;
- Detect, prevent, or otherwise address fraud, security, or technical issues;
- Protect against harm to our rights, property, or safety, or that of our users or the public.
Where legally permitted, we will notify you of a request before disclosing your information.
5.4 Business transfers
If we are involved in a merger, acquisition, sale of assets, financing, or bankruptcy, your information may be transferred to the acquiring or successor entity. We will notify you (e.g., via email and a notice on the Service) before your information is transferred and becomes subject to a different privacy policy.
5.5 Crash reporting
When enabled, anonymous crash and error reports are sent to Sentry. We configure Sentry not to capture user identifiers. Crash reports may include device model, OS version, app version, and a stack trace.
6. International data transfers
We are based in the United States. Information we collect is stored and processed in the U.S. and in any country where our subprocessors operate. If you are in the EEA, UK, or Switzerland, your data is transferred to the U.S. under appropriate safeguards, primarily the Standard Contractual Clauses approved by the European Commission (and, where applicable, the U.K. International Data Transfer Addendum). Copies are available on request.
7. Data retention
We retain your information for as long as your account is active and as needed to provide the Service. Specific retention rules:
- Account profile: retained while your account is active
- Holdings, watchlist, owned-card lists: retained while your account is active
- Card photos: retained while you keep them in the app; deleted within 30 days of your removal of the photo
- AI prompt history: retained for up to 90 days for abuse prevention, then de-identified or deleted
- Push tokens: retained until you log out, disable notifications, or uninstall the app
- Subscription records: retained as long as required by tax and accounting law (typically 7 years)
- Anonymous crash reports: retained per Sentry's defaults (typically 90 days)
- Backups: encrypted backups may persist beyond active deletion for up to 30 days, after which they are overwritten
When you delete your account (Section 9), we permanently remove identifiable data within 30 days, subject to the retention exceptions above.
8. Security
We use industry-standard technical and organizational measures to protect your information, including:
- TLS (HTTPS) for all data in transit
- Encryption at rest for the database
- Row-level security (RLS) at the database layer — every query is automatically scoped to your auth.uid(), so even an application bug cannot expose another user's data
- Hashed passwords (never stored in plain text)
- Multi-factor authentication for admin access to our systems
No system is impenetrable. If we become aware of a personal-data breach affecting you, we will notify you and the relevant authorities as required by law (typically within 72 hours under GDPR).
9. Your rights and choices
9.1 In-app controls
From the in-app profile screen you can:
- Edit or remove your handle, display name, bio, avatar, ZIP code
- Toggle your profile public/private
- Toggle public-holdings and public-portfolio-value
- Add, edit, or delete watchlist entries, holdings, owned cards, photos, and alert thresholds
- Export your portfolio as a CSV
- Delete your account, which cascade-deletes your data within 30 days (see Section 7)
9.2 Email
You can opt out of marketing emails via the unsubscribe link in any marketing email. Transactional emails (account verification, billing, security alerts) cannot be opted out of while your account is active.
9.3 Push notifications
You can disable push notifications via the system settings on your device.
9.4 GDPR rights (EEA, UK, Switzerland users)
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with your local supervisory authority;
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
To exercise these rights, email privacy@thedailyrip.app. We will respond within one month (extendable to three months for complex requests, with notice). We may need to verify your identity before acting.
9.5 California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with (this Policy provides that information in Sections 2, 3, 5, and 11);
- Access the specific pieces of personal information we have collected about you;
- Delete your personal information, subject to certain exceptions;
- Correct inaccurate personal information;
- Limit use of sensitive personal information (we do not use sensitive personal information for any purpose other than as permitted by law without your consent);
- Opt out of "selling" or "sharing" — we do not sell or share your personal information for cross-context behavioral advertising. There is therefore no opt-out link required, but you may confirm this with us at any time;
- Non-discrimination — we will not discriminate against you for exercising any of these rights.
To exercise California rights, email privacy@thedailyrip.app with "California Privacy Request" in the subject line. You may designate an authorized agent to act on your behalf, in which case we will require written authorization and may verify your identity directly.
We respond to Global Privacy Control (GPC) signals on thedailyrip.app as a valid opt-out preference signal.
9.6 Other U.S. state rights
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Maryland, Minnesota, New Hampshire, Indiana, Kentucky, Rhode Island, and other states with comprehensive privacy laws have similar rights to those listed in 9.5. Email privacy@thedailyrip.app with the subject line "Privacy Rights Request" and your state of residence. We honor verified requests within the timeframe required by your state's law.
9.7 Brazil (LGPD), Canada (PIPEDA), and other jurisdictions
Residents of Brazil, Canada, Australia, and other jurisdictions with data-protection laws have rights similar to those above. Use the same contact: privacy@thedailyrip.app.
10. Children's privacy (COPPA)
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected such information without verified parental consent, we will delete it promptly.
If you are a parent or guardian and believe your child under 13 has provided personal information to the Service, please contact us at privacy@thedailyrip.app and we will delete it.
For users between 13 and 16 in the EEA/UK, we rely on parental consent where required by local law.
11. Subprocessors
A current list of the third-party processors we use:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, auth, storage, edge functions | United States |
| OpenAI, L.L.C. | AI assistant model inference | United States |
| RevenueCat, Inc. | Subscription state management | United States |
| Apple Inc. | App distribution + push notifications | United States |
| Google LLC | App distribution + Firebase Cloud Messaging | United States |
| Sentry (Functional Software, Inc.) | Crash reporting (when enabled) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, website hosting | Global |
We may add or remove subprocessors. Where required by law (e.g., GDPR Art. 28), we will notify you via email or in-app notice in advance of any new subprocessor with access to your personal data.
12. Do Not Track and Global Privacy Control
The mobile apps do not transmit "Do Not Track" or "Global Privacy Control" signals because we do not engage in cross-app tracking. The website at thedailyrip.app honors GPC signals as a valid opt-out preference signal under California law.
13. Third-party links and services
The Service contains links to third-party services (eBay, TCGplayer, help articles, etc.). Once you leave the Service, this Policy no longer applies. Please review the third party's privacy policy.
14. Changes to this Policy
We may update this Policy occasionally. If we make material changes, we will notify you via the Service or by email and update the Effective date at the top. Material changes take effect no sooner than 30 days after notice (or such shorter period as required by law). Your continued use of the Service after the new Policy takes effect constitutes acceptance.
15. Contact us
For privacy questions, requests, or complaints:
- Email: privacy@thedailyrip.app
- General support: support@thedailyrip.app
- Web: thedailyrip.app
A postal address for legal notices is available upon written request via the email addresses above.
If you are not satisfied with our response, you may contact your local data-protection authority. EU/EEA users can find theirs at edpb.europa.eu. UK users: ico.org.uk.
Last updated: 2026-06-04.