Privacy Policy
Last updated: April 6, 2026
What We Collect
ScrollVault does not require user accounts or passwords. We do not use cookies. Here is everything we collect:
| Data | Purpose | Stored Where | Retention |
|---|---|---|---|
| IP address, browser type, pages visited | Server security and abuse prevention | Hosting provider logs | 30 days |
| IP address (hashed) | Rate limiting on deck saves (max 10/hour) | Temporary server files | 1 hour |
| Page views, clicks, scroll depth | Anonymous site analytics | Google Analytics 4 | 14 months (Google default) |
| Session recordings (mouse movement, clicks, page interactions) | UX improvement and bug detection | Microsoft Clarity | 30 days (Clarity default) |
| Decklists, commander names, bracket results | Gallery feature (user-initiated save only) | SQLite database on our server | Until deleted by user or us |
| Edit keys for saved decks | Allow deck owners to edit/delete without an account | Your browser (localStorage) | Until you clear browser data |
| UI preferences (panel collapse state) | Remember your layout choices | Your browser (localStorage) | Until you clear browser data |
We do not collect names, email addresses, or payment information. We do not use advertising or ad-tracking services. We do not sell or share personal data with third parties for marketing purposes.
Third-Party Services
When you use our tools, data is sent to these external services:
- Google Analytics 4 — anonymous page view and engagement analytics. Google Privacy Policy.
- Microsoft Clarity — session recording and heatmap analysis. Clarity records mouse movements, clicks, scrolls, and page content (including text you type into tool inputs) to help us identify usability issues. No personally identifiable information is collected. Clarity Privacy Disclosure.
- Scryfall API — when you analyze a deck, card names are sent to Scryfall to retrieve card data. Scryfall may log your IP address per their privacy policy.
- Commander Spellbook API — card names are sent to check for known combos. Commander Spellbook may log your IP address.
- Google Fonts — typefaces are loaded from Google servers. Google may collect anonymous usage data.
Legal Basis for Processing (GDPR)
We process data under legitimate interest (Article 6(1)(f) GDPR) for analytics, security, and service operation. Deck saving is based on your voluntary action (you choose to click “Save & Share”). We do not process sensitive personal data.
Your Rights
Under GDPR (EU/EEA) and CCPA (California), you have the right to:
- Access — request what data we hold about you
- Deletion — request deletion of your saved decks or any associated data
- Object — opt out of analytics by using a browser ad-blocker or the Google Analytics opt-out extension
- Data portability — your decklists are always visible and copyable from the gallery
To exercise any right, email support@scrollvault.net. We will respond within 30 days.
Do Not Sell My Personal Information (CCPA)
We do not sell personal information. We do not share personal information with third parties for their direct marketing purposes.
Children
ScrollVault is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided data to us, contact us and we will delete it.
External Links
Our content may link to external sites (Wizards of the Coast, MTGGoldfish, etc.). We are not responsible for the privacy practices of those sites.
Changes to This Policy
We may update this policy when we add features or change data practices. The “last updated” date at the top reflects the most recent revision.
Contact
Questions about this policy? Email support@scrollvault.net.