TL;DR
- We collect only what is necessary to run the app: your email and your card collection.
- Your camera is used for card scanning — on your device only. No images are ever uploaded.
- We do not sell your data. We do not run ads. We do not track you across other apps.
- Pricing data is fetched anonymously — your identity is never sent to eBay or any pricing service.
- You can delete your account and all associated data at any time from the app's Profile tab.
1. Who We Are
BOBA Playbook is an independent companion app for the Bo Jackson Battle Arena trading card game, built by fans for fans. It is not affiliated with or endorsed by the game's publisher.
Questions about this policy can be directed to privacy@bobaplaybook.com.
2. What We Collect
Account credentials
If you create an account, we store your email address. Passwords are never stored in plain text — authentication is handled by Supabase with industry-standard hashing. If you use Sign in with Apple, Apple shares a relay email address with us and manages your credentials entirely on their side.
Your card collection
When you add cards to your collection, we store which cards you own, the designations you apply (Personal, For Sale, For Trade, Wanted, Grails), and any cost or estimated value data you enter. This data is linked to your account and stored in Supabase.
Aggregate page hits (web app only)
The web app at bobaplaybook.com uses Cloudflare Web Analytics to count page hits. This is cookieless, contains no personal identifiers, and is aggregated — we can see that 47 people loaded the search view yesterday, but not who they were. Visitor counts are derived from a hash of IP + user agent (computed by Cloudflare, not stored). No tracking pixels, no cross-site tracking, no advertising profiles. The iOS app collects no analytics whatsoever.
What we do not collect
- Your location — the app never requests location access.
- Camera images — the scan feature processes frames entirely on your device using Apple's Vision framework. No image or video is ever transmitted off your device.
- Crash data or behavioural analytics — we do not use any crash reporter, session recorder, or behavioural analytics SDK on either platform.
- Advertising identifiers (IDFA) — we have no ad network and never request tracking permission.
- Contact information beyond your email — no phone number, address, or social handle is requested.
3. Data Summary
| Data | Collected? | Where Stored | Sent To | Linked to You? |
|---|---|---|---|---|
| Email address | Yes | Supabase | Supabase only | Yes |
| Card collection | Yes | Supabase | Supabase only | Yes |
| Camera images | No | Never stored | Never sent | No |
| Pricing lookups | No | — | Card name + number only (no account data) | No |
| Aggregate page hits (web app only) |
Yes | Cloudflare Web Analytics | Cloudflare only | No |
| Location | No | — | — | No |
| Advertising ID | No | — | — | No |
4. Third-Party Services
Supabase
We use Supabase for account authentication and to store your card collection. Supabase is hosted on AWS infrastructure. You can review Supabase's privacy practices at supabase.com/privacy.
Cloudflare
Card images are served from Cloudflare R2. eBay pricing requests are proxied through a Cloudflare Worker — this proxy does not log or store any personal data.
The web app at bobaplaybook.com additionally uses Cloudflare Web Analytics to count page hits and unique visitors in aggregate. This service does not use cookies, does not fingerprint individual visitors, and does not track behavior across other sites. The iOS app does not include any analytics service.
Cloudflare's privacy policy is at cloudflare.com/privacypolicy.
eBay
When you view pricing information for a card, the app sends the card number and hero name to our Cloudflare Worker, which queries eBay's API. No account information or personal data is included in these requests. eBay's privacy policy is at ebay.com.
Apple — Sign in with Apple
If you choose to sign in with Apple, Apple handles authentication and provides us with a relay email address. Apple's privacy policy governs this data: apple.com/legal/privacy.
GitHub Pages
The web app at bobaplaybook.com is served by GitHub Pages. GitHub may collect standard server access logs (IP address, browser, pages visited). GitHub's privacy policy: github.com.
Google Fonts
The web app loads fonts from Google Fonts, which may log your IP address. The iOS app bundles fonts locally and makes no Google Fonts request.
5. iOS App — Specific Practices
Camera
The scan feature requests camera access to identify BOBA cards in real time. All processing happens on your device using Apple's Vision framework. The app never records, stores, or transmits any camera image or video.
Keychain
The iOS app stores your authentication tokens in the iOS Keychain — the most secure storage available on the platform. Tokens are not stored in UserDefaults or any file accessible to other apps.
Background activity
The app does not run in the background and does not use background fetch, location updates, or push notifications.
6. Data Retention and Deletion
Your account data is retained for as long as your account exists. You can delete your account at any time from the Profile tab in the app. Deletion removes your email address and all collection data from Supabase within 30 days.
To request manual deletion or if you encounter any issues, email privacy@bobaplaybook.com.
7. Children's Privacy
BOBA Playbook is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@bobaplaybook.com and we will delete it promptly.
8. Security
We use industry-standard security practices: HTTPS for all data in transit, Supabase Row Level Security to ensure users can only access their own data, and iOS Keychain for credential storage. No security measure is perfect — if you discover a vulnerability, please report it to privacy@bobaplaybook.com.
9. Tracking and Advertising
BOBA Playbook does not track users across other companies' apps or websites. There are no advertisements in the app. We never request the App Tracking Transparency permission because we have no reason to.
10. Changes to This Policy
If we make material changes to this policy, we will update the "Last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy. For significant changes, we will make a reasonable effort to notify users through the app.
11. Contact
For questions, data requests, or deletion requests:
You may also open an issue on the GitHub repository.