v1.03

Privacy Policy

Last updated: 2026-05-15

Draft notice. OP-Atlas is in open beta and in the process of forming as a Thai company. This policy reflects our current practice and will be re-published with finalised legal-entity details and jurisdiction-specific clauses on incorporation. The data-handling commitments described below apply from today regardless.

Privacy Policy Summary (Thai)

Data controller: OP-Atlas (sole operator, in the process of incorporating a company in Thailand). Contact: privacy@op-atlas.app

Data collected: email + display name (when you sign in), contribution data (wrong-price reports, points), IP address for request rate limiting, Google Analytics data (only when you consent).

Purposes: identity verification, improving price accuracy, preventing attacks, analysing website usage (when you consent). We do not sell your data and do not run advertising.

External recipients: Vercel (hosting), Supabase (database/auth), Google (Analytics + OAuth), Resend (email). All providers are located in the US under the EU-US Data Privacy Framework / SCC.

Your rights under the PDPA: request access / rectification / deletion / export / objection to processing / withdrawal of consent / complaint to the PDPC. Send requests to privacy@op-atlas.app; we will respond within 30 days.

The full English version is below. In the event of any conflict between the Thai summary and the full English version, the English version prevails.

1. Who runs this service

OP-Atlas (the "Service", "we") is currently operated by:

OP-Atlas (sole operator, pending Thai entity incorporation)
Contact: privacy@op-atlas.app
Operator email (interim): a.becker@beendesign.de
Registered office: [PENDING — Thai incorporation in progress]

Once the Thai entity is registered we'll update this section with the company name, registration number, registered address, and (if applicable) the Data Protection Officer's contact.

2. What data we collect

Account data (when you sign in)

  • Email address (always)
  • Display name (if you set one)
  • Google account identifier + profile-image URL (if you sign in via Google OAuth)
  • A session refresh token stored as a browser cookie

Contribution data

  • Card-data flags / swap proposals / trust verdicts you submit, linked to your user ID
  • Points balance and contribution stats derived from your activity
  • Optional shipping address if you claim a physical reward (only collected when you fill the form)

Technical data (every visit)

  • IP address (transient — used for rate-limiting; held in memory for ~60s per request)
  • Browser user-agent and language preference
  • The page you're viewing and the time

Analytics data (only if you consent)

  • Aggregated page views, scroll depth, and outbound-link clicks via Google Analytics 4
  • Aggregated visit counts via Vercel Analytics
  • Anonymised Core Web Vitals via Vercel Speed Insights

Analytics cookies are not set until you accept them via the cookie banner. If you decline or ignore the banner, no analytics cookies are stored and Google Analytics runs in "consent mode v2" — meaning Google receives only aggregated, cookieless signals.

3. Why we collect it (lawful basis)

Data | Purpose | Lawful basis (GDPR / PDPA)
Account + session | Authenticate you; let you submit flags | Contract performance (Art. 6(1)(b))
Contribution data | Improve price accuracy across the index | Contract + legitimate interest (Art. 6(1)(f))
IP rate-limit | Prevent abuse / DoS | Legitimate interest (security)
Shipping address | Send the physical reward you claimed | Contract performance
Analytics | Understand traffic patterns + improve UX | Consent (Art. 6(1)(a))

4. Who we share data with

We don't sell data. Operating the service requires sharing some of it with infrastructure providers ("processors") under contractual restrictions on what they can do with it. The full list:

  • Vercel Inc. (USA) — hosting + edge network + analytics. Vercel is certified under the EU-US Data Privacy Framework. See Vercel's privacy policy.
  • Supabase Inc. (USA, AWS us-east-1) — database + authentication. Operates under Standard Contractual Clauses for EU data transfers. See Supabase's privacy policy.
  • Google LLC (USA) — Analytics + OAuth (only if you sign in with Google). Certified under the EU-US Data Privacy Framework. See Google's privacy policy.
  • Resend (USA) — transactional email delivery (reward notifications). Only used when you claim a reward. See Resend's privacy policy.

Card-price data is fetched from public sources (Cardmarket, TCGplayer, CardTrader, PriceCharting, yuyu-tei, eBay). No user data is shared with those sources — the requests are made server-side from our infrastructure and do not include identifiers tying back to you.

5. International transfers

All listed processors are based in the United States. EU/EEA/UK personal data transfers rely on:

  • EU-US Data Privacy Framework certifications (Vercel, Google)
  • Standard Contractual Clauses (Supabase, Resend)

Once OP-Atlas is incorporated in Thailand, the same processors continue to apply; Thai PDPA transfer requirements will be addressed in the next revision.

6. How long we keep it

  • Account + display name: until you request deletion
  • Session refresh token: rotated every ~60 min; revoked on sign-out
  • Contribution data (flags, swaps, points): retained for audit + reward calculation. Anonymisable on request — we can disassociate it from your user ID while keeping the data-quality signal.
  • Shipping address: deleted 30 days after the reward is shipped
  • IP rate-limit data: in-memory only, ~60 second window
  • Analytics: Google Analytics defaults to 14 months; can be configured shorter on request

7. Your rights

Under GDPR (EU/EEA/UK), PDPA (Thailand) and equivalent regimes, you have the right to:

  • Access the data we hold about you
  • Rectify incorrect data (display name on /me, or by email request)
  • Delete your account and associated personal data
  • Export a portable copy of your data
  • Object to specific processing (e.g. analytics — handled via the cookie banner)
  • Withdraw consent for analytics at any time via the cookie banner
  • Lodge a complaint with your local supervisory authority (e.g. the Thai PDPC, or your EU country's DPA)

To exercise any of these, email privacy@op-atlas.app. We aim to respond within 30 days.

8. Cookies and similar technologies

We use a small number of cookies. Essential cookies cannot be disabled (the site wouldn't work without them); analytics cookies are loaded only after explicit consent.

Cookie | Purpose | Lifetime
sb-*-auth-token | Essential — keeps you signed in | ~60 min, auto-rotated
op-atlas-consent-v1 (localStorage) | Remembers your cookie-banner choice | 12 months
_ga, _ga_* | Google Analytics (consent-gated) | Up to 24 months
localStorage entries | UI prefs, queued flag drafts | Until you clear them

9. Security

We use HTTPS everywhere, strict Content-Security-Policy headers, per-IP rate limiting on public endpoints, and row-level security on all user-data tables in Supabase, and an admin role is required for any data-modification surface. No system is perfectly secure. We don't store payment information, and email sign-in is magic-link only, so there is no OP-Atlas password to steal; we still encourage you to protect the email account you sign in with using a unique password.

10. Children

OP-Atlas is not directed at children under 13 (under 16 in the EU, under 20 in Thailand). We don't knowingly collect data from minors. If you believe a minor has created an account, please contact us and we'll delete it.

11. Changes to this policy

We'll update the "Last updated" date at the top of this page and, for material changes, surface a notice on first visit after the change. The big revision pending is the move from this draft to the finalised version when the Thai company is registered.

12. Contact

For privacy questions or to exercise your rights: privacy@op-atlas.app

See also our Imprint for operator details.