MTGF

Privacy Policy

Last updated April 14, 2026

1. Overview

MTGF is a hobby project run from the Netherlands by Wessel van der Vlugt and Julian van der Pol in our spare time. Even so, we take your data seriously. This page tells you, in plain language, what personal data we collect through mtgf.net and the MTGF API, why and on what legal basis we process it, how long we keep it, who we share it with, and the rights you have under the General Data Protection Regulation ("GDPR") and the Dutch Uitvoeringswet AVG.

2. Who is the controller

"We" in this policy means Wessel van der Vlugt and Julian van der Pol acting jointly as the data controllers for personal data collected through the service. Because MTGF is not operated by a legal entity, there is no formal office address or commercial register entry; you can reach the controllers at info@mtgf.net. MTGF is too small to require the appointment of a data protection officer under Art. 37 GDPR.

3. Data we collect

  • Account data: email address, display name, handle, hashed password, and OAuth identifiers (Google sub and email if you sign in with Google).
  • Profile data: avatar image, short bio, deck covers, and any other content you voluntarily upload.
  • Deck data: decks, deck versions, card positions, and deck metadata you create.
  • Usage data: card events used to personalize the Discover feed (cards viewed, scrolled past, dwell time), deck forks, publish actions, and API key usage timestamps.
  • Technical data: IP address, user agent, preference cookies (theme, currency), session tokens, and CSRF tokens.
  • Support correspondence: the content of emails you send us and any diagnostic information (request IDs, paths) you include.

We do not knowingly collect health data, political opinions, religious beliefs, sexual orientation, or other special categories of personal data under Art. 9 GDPR.

4. Why we process it and the legal basis

  • Running your account and the service (Art. 6(1)(b) GDPR — performance of a contract): creating and authenticating your account, storing your decks, serving API requests, sending transactional emails (verification, password reset).
  • Personalizing Discover and improving the service (Art. 6(1)(f) — legitimate interests): tailoring the feed to your interests, diagnosing bugs, and keeping the service usable. Our interest is providing a useful product; we have balanced this against your rights and believe the impact on you is low because the personalization happens with minimal data and has no legal or similarly significant effect on you.
  • Preventing abuse and enforcing rate limits (Art. 6(1)(f) — legitimate interests): logging request metadata, IP addresses, and API key usage to detect scraping, brute-force attempts, and API misuse.
  • Consent (Art. 6(1)(a)): where required, for optional features such as AI-assisted search (which sends your query to Google Gemini) or any future analytics beacons. You can withdraw consent at any time; withdrawal does not affect processing done before the withdrawal.
  • Legal obligation (Art. 6(1)(c)): responding to lawful requests from authorities and retaining data where the law requires.

5. Automated decisions and profiling

The Discover feed ranks cards using your own activity. This is personalization, not automated decision-making that has legal or similarly significant effects on you within the meaning of Art. 22 GDPR. We do not make automated decisions about credit, employment, access to services, or similarly important outcomes.

6. Subprocessors and third parties

We share data only with services required to run MTGF. These act as processors under Art. 28 GDPR:

  • Hosting and infrastructure: the server provider hosting our ClickHouse, PostgreSQL, and MinIO instances (located in the EU where available).
  • Authentication: Google LLC, if you sign in with Google OAuth.
  • Email: an SMTP provider used for transactional emails.
  • AI search: Google (Gemini API), which receives only the search query you type when AI mode is active.
  • Card data source: Scryfall, the upstream of our card dataset. Scryfall does not receive your personal data from us.

We do not sell personal data, and we do not share it for third-party advertising. We keep the list of subprocessors small by design and update this page when it changes.

7. International transfers

Where a subprocessor is based outside the European Economic Area (notably Google for OAuth, email, and Gemini), transfers rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, on an adequacy decision. We perform a transfer impact assessment at the level appropriate to a hobby project and prefer EU-hosted alternatives where possible. You can ask for a copy of the transfer safeguards by emailing info@mtgf.net.

8. Retention

  • Account and profile: kept while your account exists. Deleted immediately on account deletion; residual rows are hard-deleted on the next ClickHouse merge cycle.
  • Decks and deck versions: kept while your account exists; versions older than your selected history depth are pruned.
  • Card events (Discover): kept for up to 180 days, or until you delete your account, whichever comes first.
  • API access logs: kept up to 90 days for abuse prevention and troubleshooting.
  • Session and CSRF tokens: kept for the lifetime of the session.
  • Support emails: kept for up to 24 months so we can follow up on related issues.
  • Backups: may retain residual copies of deleted data for a short rolling window before being overwritten.

9. Your rights

Under the GDPR you have the right to:

  • Access (Art. 15): ask for a copy of the personal data we hold about you.
  • Rectification (Art. 16): correct inaccurate data, directly in Settings or via support.
  • Erasure (Art. 17): delete your account and associated personal data.
  • Portability (Art. 20): export your data — Settings includes a one-click GDPR export covering decks and profile content.
  • Restriction (Art. 18): ask us to restrict processing while a dispute is resolved.
  • Objection (Art. 21): object to processing based on legitimate interests, including the Discover personalization.
  • Withdraw consent (Art. 7): where processing relies on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint: with your local data protection authority. In the Netherlands this is the Autoriteit Persoonsgegevens.

Requests can be made from Settings or by emailing info@mtgf.net. We respond within one month as required by Art. 12(3) GDPR and extend that period by up to two months only where strictly necessary, telling you why. To protect your data we may need to verify your identity first, typically by asking you to send the request from the email address registered on the account.

10. Cookies and similar technologies

We use strictly necessary cookies for authentication, CSRF protection, and storing your theme and currency preferences. These do not require consent under Art. 11.7a of the Dutch Telecommunications Act because they are essential to the service you request. We do not set advertising, analytics, or cross-site tracking cookies, and we do not use browser fingerprinting.

11. Children

The service is not aimed at children under 16. If we learn that we hold personal data of someone under that age without verified parental consent, we will delete it. Parents or guardians who believe their child has created an account can email us at info@mtgf.net.

12. Security

We apply appropriate technical and organizational measures as required by Art. 32 GDPR, including: passwords hashed with a modern algorithm and never stored in plaintext, API keys stored as hashes with only a short prefix displayed, HTTPS enforced for site and API traffic, CSRF protection on state-changing requests, rate limiting, principle-of-least-privilege credentials for subprocessors, and regular dependency updates. No system is perfectly secure; if we discover a personal data breach affecting you we will notify the Autoriteit Persoonsgegevens within 72 hours where required by Art. 33 GDPR and inform affected users without undue delay where there is a high risk to their rights under Art. 34.

13. Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected in the "Last updated" date above and, where practical, announced in-app. Continuing to use the service after a change means you have read the updated policy.

14. Contact

Privacy questions, GDPR requests, and breach reports: info@mtgf.net.