Privacy Policy

Last updated: April 2025

1. Data Controller

Bulkratte is operated by:
Progani GmbH
Osterstr. 8
20259 Hamburg
Germany
Contact: kontakt@progani.com

2. What Data We Collect

When you sign in with Discord or Google, we receive and store the following data provided by those services:

  • Display name
  • Email address
  • Profile picture URL
  • OAuth account identifiers and tokens (used only to maintain your session)

As you use Bulkratte, we also store data you create:

  • Your Pokémon card collection (cards, conditions, variants, notes)
  • Photos you upload of your cards
  • Custom sets you create
  • Wantlist share links and their access timestamps
  • Trade connections and invite links

3. Why We Process Your Data

Authentication & account management — to verify your identity and maintain a secure session across visits. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Core functionality — storing your collection, sets, photos, wantlists, and trade connections is the entire purpose of the service. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Language preference — we store your preferred language in a cookie to make the site work in your language on every visit. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

4. Cookies

We use two cookies:

  • Session cookie (authjs.session-token) — keeps you logged in. This cookie is strictly necessary for the service to function.
  • Language cookie (preferred-locale) — remembers your language preference. This cookie is strictly functional.

Neither cookie is used for tracking or advertising. No third-party cookies are set by Bulkratte.

5. Analytics

We use Plausible Analytics to understand how the site is used in aggregate. Plausible is privacy-friendly by design: it sets no cookies, does not track individuals across sites, and does not collect any personal data. Statistical data is processed on Plausible's EU infrastructure.

We also use Vercel Speed Insights to monitor page performance. This service measures technical metrics (load times, Core Web Vitals) and does not store personal data.

6. Third-Party Services

Discord & Google — used solely for authentication. We do not share your data back with them beyond what is required for the OAuth login flow.

Vercel — our hosting provider. Your requests are processed on Vercel's infrastructure. See Vercel's Privacy Policy.

Cloudflare R2 — used to store card photos you upload. Images are served via Cloudflare's infrastructure. See Cloudflare's Privacy Policy.

7. Data Retention

Your account and all associated data (collection, sets, photos, wantlists, trade connections) are kept for as long as your account exists. If you want your data deleted, contact us at the address above and we will remove it within 30 days.

Auth session tokens expire automatically and are removed from our database when they do.

8. Your Rights (GDPR)

As a user in the EU/EEA you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your account and all associated data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Restriction — ask us to pause processing while a dispute is resolved.

To exercise any of these rights, contact us at the email address in section 1. You also have the right to lodge a complaint with your national data protection authority.

9. Changes to This Policy

We may update this privacy policy from time to time. The "last updated" date at the top of this page will reflect any changes. We encourage you to review this page periodically.