Privacy Policy

Last updated: March 27, 2026

1. Data Controller

The data controller responsible for your personal data is:

Company registration details will be provided upon registration.

2. Introduction

This Privacy Policy explains how Fablecard ("we," "us," or "our") collects, uses, discloses, and safeguards your personal data when you use our platform, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни).

By accessing or using Fablecard, you acknowledge that you have read and understood this Privacy Policy.

3. Data We Collect

3.1 Account Data

When you register, we collect:

Username
Email address
Password (stored as a secure bcrypt hash — we never store your plaintext password)
Google account identifier (if you register via Google OAuth)

3.2 Gameplay Data

As you use Fablecard, we store:

Your card collection and inventory
Pack opening history
Gold balance and transaction history
Referral activity
Daily streak progress
Set focus preferences

3.3 Technical Data

We automatically collect:

IP address (for security and abuse prevention)
Browser type and version
Device type and operating system
Pages visited and timestamps
Referral source (how you arrived at the Platform)

3.4 Payment Data

If you make purchases, payment processing is handled entirely by Stripe (Stripe, Inc., USA). We never receive or store your full credit card number, CVV, or banking details. We retain only purchase records (amount, date, Gold credited, Stripe customer ID) for our internal ledger and legal obligations.

3.5 Contact Data

If you contact us via the Contact page, we collect the name, email, category, subject, and message you provide.

4. How We Use Your Data

Provide the game: Manage your account, collection, packs, and Gold balance
Process purchases: Facilitate Gold purchases and maintain transaction records
Security: Detect and prevent fraud, abuse, and unauthorized access
Communication: Send transactional emails (password resets, admin notices, referral notifications)
Legal compliance: Fulfill tax, accounting, and regulatory obligations
Improvement: Analyze aggregated, anonymized usage patterns to improve the platform
Support: Respond to your contact messages and support requests

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

Contract performance (Art. 6(1)(b)): Processing necessary to provide you with the game — account management, gameplay features, purchases, and referral system
Legal obligation (Art. 6(1)(c)): Processing required to comply with tax, accounting, and anti-fraud laws applicable in Bulgaria and the EU
Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, platform improvement through anonymized analytics, and protecting our legal rights. We have conducted a balancing test and concluded these interests do not override your fundamental rights
Consent (Art. 6(1)(a)): Where we send optional marketing communications (you can withdraw consent at any time by contacting us or using the unsubscribe link)

6. Data Sharing & International Transfers

We do not sell your personal data. We share data only with the following third-party processors:

Stripe (Stripe, Inc., USA) — Payment processing for Gold purchases. Stripe is certified under the EU-US Data Privacy Framework. Stripe Privacy Policy
Resend (Resend, Inc., USA) — Transactional email delivery (password resets, notifications, admin messages). Resend Privacy Policy
Vercel (Vercel, Inc., USA) — Platform hosting and content delivery. Vercel Privacy Policy

These services may process your data outside the European Economic Area (EEA). Where data is transferred to the USA, we rely on the EU-US Data Privacy Framework adequacy decision, or where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure an adequate level of data protection as required by GDPR Chapter V.

7. Data Retention

Active accounts: Your data is kept for as long as your account remains active
Deleted accounts: Upon account deletion, personal data is erased within 30 days. Anonymized, aggregated gameplay statistics may be retained for analytics
Payment records: Purchase history is retained for 10 years after the transaction, as required by Bulgarian tax and accounting legislation (Закон за счетоводството, Art. 12)
Contact messages: Retained for up to 2 years after resolution, unless a longer period is required for legal proceedings
Server logs: Technical/access logs are retained for up to 12 months for security purposes

8. Your Rights Under GDPR

As a data subject, you have the following rights:

Access (Art. 15): Request a copy of the personal data we hold about you
Rectification (Art. 16): Request correction of inaccurate or incomplete data
Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
Restriction (Art. 18): Request that we restrict the processing of your data in certain circumstances (e.g., while we verify the accuracy of contested data)
Data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON), and request its transfer to another controller
Object (Art. 21): Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests
Withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
Automated decisions (Art. 22): We do not make decisions based solely on automated processing that produce legal effects concerning you. Pack opening randomization is a game mechanic, not an automated decision about your personal rights

To exercise any of these rights, contact us via the Contact page or email us at [email protected]. We will respond within one month, as required by GDPR Article 12(3). In complex cases, this period may be extended by an additional two months, and we will inform you of any extension.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS)
Secure password hashing (bcrypt)
CSRF protection on all forms
Role-based access controls for administrative functions
Regular security reviews and dependency updates

While we strive to protect your personal data, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to us immediately via the Contact page.

10. Cookies

Fablecard uses only essential cookies required for authentication and security. We do not use tracking or advertising cookies. For full details, see our Cookie Policy.

11. Children

Fablecard is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly in accordance with GDPR Article 8.

12. Supervisory Authority

If you believe that our processing of your personal data violates the GDPR or Bulgarian data protection law, you have the right to lodge a complaint with the Commission for Personal Data Protection (Комисия за защита на личните данни / КЗЛД):

Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Phone: +359 2 915 3518
Website: www.cpdp.bg
Email: [email protected]

If you reside in another EU/EEA member state, you may also contact your local data protection authority.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the platform or by email at least 30 days before they take effect. Your continued use of Fablecard after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please reach out through our Contact page or email us at [email protected].