← Back to Home

Privacy Policy

Effective date: 16 February 2026

Last updated: 16 February 2026

1. Introduction

TCG.SG ("we", "us", or "our") operates a trading card game platform accessible at tcg.sg (the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you access or use our Platform.

We are committed to complying with the Personal Data Protection Act 2012 ("PDPA") of Singapore and ensuring that all personal data collected is handled responsibly and transparently.

By using our Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.

2. Data We Collect

2.1 Account Information

When you register for an account, we collect:

• Username and display name
• Email address
• Password (stored as a bcrypt hash; we never store plaintext passwords)

2.2 Profile Data

You may optionally provide additional profile information, including:

• Biography / about section
• Profile photo
• Social media handles (e.g., Telegram, WhatsApp, Instagram)
• Location preferences

2.3 Listing and Auction Data

When you create listings or participate in auctions, we collect:

• Listing details (card name, description, pricing, condition, images)
• Auction bids and bidding history
• Wishlist and saved listing data

2.4 Transaction Records

We maintain records of transactions facilitated through the Platform, including:

• Buyer and seller details
• Transaction amounts and payment references
• Delivery and fulfilment status
• Dispute and resolution records

2.5 AI Scan Data

When you use our AI Card Scanner feature, we collect:

• Card images submitted for scanning and grading
• AI-generated identification and grading results
• Scan history and usage frequency

2.6 Technical and Usage Data

We automatically collect certain technical information when you use the Platform:

• Device type and browser information (user agent)
• IP addresses
• Cookies and similar tracking technologies
• Pages visited, features used, and interaction patterns
• Access timestamps and session duration
• Referral URLs

3. How We Use Your Data

We use the personal data we collect for the following purposes:

• Account management — To create, maintain, and secure your account, and to authenticate your identity
• Facilitating listings and transactions — To enable you to list, buy, sell, and trade trading cards through the Platform
• AI card scanning and grading — To process card images through our AI-powered identification and pre-grading system
• Fraud detection and prevention — To analyse listings and user behaviour for signs of fraudulent activity, scams, or policy violations
• Email communications — To send transactional emails (account verification, password resets, transaction notifications) via Brevo (formerly Sendinblue) from noreply (at) tcg dot sg
• Platform improvements — To analyse usage patterns and improve the functionality, performance, and user experience of the Platform
• Community features — To operate posts, comments, follows, mentorship programmes, and other social features
• Legal compliance — To comply with applicable laws, regulations, and legal processes

4. Legal Basis for Processing (PDPA)

Under the PDPA, we process your personal data on the following legal bases:

• Consent — You provide consent to the collection and use of your personal data when you register for an account and agree to this Privacy Policy. You may withdraw your consent at any time, subject to legal and contractual restrictions.
• Contractual necessity — Processing is necessary for the performance of our contract with you, including facilitating transactions, managing your account, and providing Platform services.
• Legitimate interests — We process certain data for legitimate business interests, including fraud prevention, platform security, and service improvement, where such interests are not overridden by your data protection rights.
• Legal obligations — We may process your data where required to comply with applicable Singapore laws, regulations, court orders, or regulatory requirements.

5. Data Sharing and Disclosure

We may share your personal data in the following circumstances:

5.1 With Other Users

When you engage in transactions, certain information (such as your username and contact details) may be shared with other users (buyers or sellers) based on your privacy settings to facilitate communication and deal completion.

5.2 Service Providers

We engage trusted third-party service providers to support our Platform operations:

• Brevo (formerly Sendinblue) — For transactional and notification email delivery
• OpenAI — For AI-powered card scanning, identification, grading analysis, and content moderation
• PayPal — For payment processing services
• Cloudflare — For security, DDoS protection, and bot prevention (Turnstile)

5.3 Law Enforcement and Legal Requirements

We may disclose your personal data to law enforcement agencies, government authorities, or other third parties where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Retention

• Active accounts — Your personal data is retained for as long as your account remains active and you continue to use the Platform.
• Deleted accounts — Upon account deletion, your personal data will be removed from our systems within 90 days, except where we are required by law to retain certain records.
• Transaction records — Transaction and financial records are retained for a minimum of 7 years in accordance with Singapore regulatory requirements (including the Income Tax Act and Companies Act).
• AI scan data — Card images submitted for AI scanning may be retained for service improvement purposes unless you request their deletion.

7. Your Rights Under PDPA

Under Singapore's Personal Data Protection Act 2012, you have the following rights:

• Right of access — You may request access to your personal data held by us and information about how it has been used or disclosed within the past year.
• Right of correction — You may request correction of any inaccurate or incomplete personal data.
• Right to withdraw consent — You may withdraw your consent for the collection, use, or disclosure of your personal data at any time by contacting us. Please note that withdrawal of consent may affect your ability to use certain features of the Platform.
• Right to data portability — You may request a copy of your personal data in a commonly used, machine-readable format.
• Right to complain — If you believe your personal data has been mishandled, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

How to Exercise Your Rights

To exercise any of your rights, please contact our Data Protection Officer at dpo (at) tcg dot sg. We will respond to your request within 30 days of receipt. We may require verification of your identity before processing your request.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit — All data transmitted between your browser and our servers is encrypted using HTTPS/TLS protocols.
• Password hashing — Passwords are securely hashed using bcrypt; we never store or have access to your plaintext password.
• Secure session management — Sessions are managed with secure, HTTP-only cookies and CSRF protection tokens.
• Regular security reviews — We conduct periodic reviews of our security practices, access controls, and infrastructure to identify and address potential vulnerabilities.
• Rate limiting and IP protection — We implement rate limiting and IP-based protections to prevent abuse and brute-force attacks.

9. Cookies

We use cookies and similar technologies to operate the Platform, maintain your session, and remember your preferences. For detailed information about the types of cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy.

10. Children's Privacy

Our Platform is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete such data as soon as reasonably practicable. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at dpo (at) tcg dot sg.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside of Singapore, including but not limited to the United States, where our third-party service providers (such as OpenAI and PayPal) operate their servers.

Where your data is transferred internationally, we ensure that appropriate safeguards are in place to protect your personal data in accordance with the PDPA, including contractual protections with our service providers requiring them to maintain standards of data protection comparable to those under Singapore law.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will notify you by:

• Sending an email notification to the address associated with your account
• Displaying a prominent notice on the Platform
• Updating the "Last updated" date at the top of this page

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your personal data is handled, please contact: