Privacy Policy

Account data:When you sign up, we collect your email address. That’s the only personally identifying information we require — there’s no name, phone number, or address on file.

Usage data:We record your pulls (which cards you’ve drawn, when, and the rarity outcomes), purchases (which packs you bought and when), fragment balance, and binder contents. This data powers your collection and the admin metrics dashboard.

Device and technical data: Our infrastructure providers (Supabase and Vercel) collect IP addresses, browser type, and device information as part of normal server operations and fraud prevention.

Consent records: When you accept our Terms and Privacy Policy at sign-up, and when you acknowledge the immediate-delivery waiver at checkout, we directly record and store your IP address and browser user-agent, along with a timestamp and the version of the Terms then in effect, as evidence that you gave that consent.

Lawful bases for processing (EU/UK users). Where the GDPR or UK GDPR applies, we process your personal data on the following lawful bases:

• To provide the Service (create your account, generate and store your collection, process pulls and purchases): performance of a contract with you (Art. 6(1)(b)).
• To send transactional messages (receipts, account and security notices): performance of a contract and our legitimate interests in operating the Service (Art. 6(1)(b) and (f)).
• To prevent fraud and abuse, secure the Service, and debug errors: our legitimate interests in keeping the Service safe and functional (Art. 6(1)(f)).
• To comply with legal and tax obligations (e.g., payment record-keeping): compliance with a legal obligation (Art. 6(1)(c)).
• For any optional, non-essential communications: your consent (Art. 6(1)(a)), which you may withdraw at any time.
• Legal obligation and our legitimate interests in record-keeping: we keep records of the consents you provide (timestamp, Terms version, IP address, and device/user-agent) to evidence that consent and meet our legal obligations (Art. 6(1)(c) and (f)).

Where we rely on legitimate interests, you have the right to object; contact us at privacy@fanpush.com.

We use your information to: provide and operate the Service (generate cards, manage your binder, process purchases); send transactional emails (purchase receipts, legendary pull notifications, account-related messages); prevent fraud and abuse; debug errors; and improve the product based on aggregated usage patterns.

We do not sell your data. We do not use your data for advertising. We do not share your personal data with third parties except as described in Section 3 (service providers necessary to operate the platform).

We use the following services to operate FANPUSH. Each is bound by its own privacy policy and data processing agreements:

• Supabase — Authentication, database storage (your account, pulls, purchases, collection)
• Stripe — Payment processing — we never see or store your full card number
• Resend — Transactional email delivery
• Anthropic — AI generation of card takes — your persona, match, and mode selections are passed to the Claude API
• Vercel — Web hosting and infrastructure
• Sentry — Error monitoring and crash reporting

When you generate a card take, the AI service (Anthropic) receives the persona, match details, and generation mode — but not your email address or any other personal identifier.

We keep your data for as long as your account is active. When you delete your account, we permanently erase your personal data and account contents — your email, collection, pull history, and local purchase records. We retain records evidencing the consents you provided, and when you delete your account we remove the direct association between those records and your account. Payment records are retained by Stripe as described above. Some data may persist in encrypted database backups for up to 30 days before being permanently purged.

Stripe retains transaction records as required by payment regulations (typically 7 years). We have no control over this retention — it’s a legal requirement for payment processors.

You have the right to: access the personal data we hold about you; correct or rectify inaccurate data; request deletion of your data; export your data in a portable format; restrict our processing of your personal data in certain circumstances; and opt out of non-essential communications.

To exercise any of these rights, email privacy@fanpush.com. We’ll respond within 30 days. Deletion requests will be processed within 30 days. Identity verification may be required.

You also have the right to object to processing based on our legitimate interests, and the right to withdraw consent at any time where we rely on consent (without affecting processing already carried out). If you are in the EU or UK, you have the right to lodge a complaint with a data protection supervisory authority — in the EU, the authority in your country of residence or place of the alleged infringement; in the UK, the Information Commissioner’s Office (ICO) at ico.org.uk. We would, however, appreciate the chance to address your concerns first at privacy@fanpush.com.

We use a small number of first-party cookies to operate the Service:

• auth session cookie — keeps you logged in (Supabase-managed, http-only)
• fanpush_signed_up — a local flag that controls the sign-in gate on the homepage CTA
• fanpush_ref — records a referral code when you arrive through a referral link, so we can credit the referrer; first-party, expires after 30 days

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. All cookies above are first-party.

FANPUSH is intended for adults aged 18 and older. We do not knowingly collect personal information from anyone under 18. If we learn that a user is under 18, we will promptly delete their account and associated data. If you believe someone under 18 has created an account, please contact privacy@fanpush.com.

FANPUSH is operated by Mind Vision LLC, incorporated in Wyoming, USA. Our infrastructure and service providers — including authentication, database storage, payment processing, email delivery, AI generation, web hosting, and error monitoring — are based in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

Because our providers are in the United States, your personal data is transferred to and processed there. Where required for EU/UK users, we rely on appropriate safeguards for this transfer (such as Standard Contractual Clauses or equivalent measures with our processors) in addition to the technical protections described above (including TLS encryption in transit). You can request more information about these safeguards at privacy@fanpush.com.

We’ll notify you of material changes to this policy at least 30 days before they take effect via email. The “last updated” date at the top of this page always reflects the current version.

We use industry-standard measures to protect your data, including encryption in transit (TLS/HTTPS) and encryption at rest through our infrastructure providers. No method of transmission or storage is completely secure, but we take reasonable steps to safeguard your information.

Data controller. The controller responsible for your personal data is Mind Vision LLC, 30 N Gould St Ste N, Sheridan, WY 82801, USA, reachable at privacy@fanpush.com.

For privacy-related questions or requests: email privacy@fanpush.com. Mind Vision LLC, 30 N Gould St Ste N, Sheridan WY 82801.