Your data
Privacy Policy
CastHaven is operated by Tinker Citadel LLC (“we,” “us”). We collect as little as possible and never sell your personal information. This page lists everything we hold, why, who processes it, and the rights you have over it.
Last updated July 1, 2026
What we collect and why
Newsletter signups. If you subscribe, we store your email address, the lists you chose, and the timestamps of when you consented, confirmed, and (if you do) unsubscribed. Nothing is emailed until you confirm — double opt-in.
Community suggestions. When you use a “Suggest a fix” form to propose an archetype correction, we store your suggestion and a one-way hashed form of your IP address. The hash lets us rate-limit abuse without keeping your raw IP.
Security and delivery logs. Our hosting and content providers log IP addresses, request metadata, browser version, and referring page for security, fraud prevention, and reliability. We do not use these to build a profile of you.
Usage analytics.We use a privacy-respecting product-analytics provider, PostHog, to see which pages and features people use so we can improve the site. It records page views, clicks and interactions, page performance, your browser and operating system, and an approximate region — never your name or other personal information. It honors your browser’s Do-Not-Track setting and runs cookie-light, so it sets no tracking cookies and keeps no profile of you across visits.
Your preferences. Your theme choice (light, dark, rainbow, or system) is saved in your own browser and never sent to us.
Accounts. CastHaven offers free sign-in through our authentication provider, Clerk, for two optional member tools: the match tracker and the deck builder. Creating an account stores your email address and, if you set one, a public username shown as attribution if you choose to share a tracker event or a deck. Clerk also processes standard login metadata (session and authentication records) to operate sign-in securely.
Match tracker and deck builder. If you use these tools, we store what you enter: tracker events, rounds, game results, mulligan notes, and decklists you add, plus decks you save in the deck builder. This data is private to your account by default. It is never used to build our public rankings, articles, or metagame statistics. You control it fully — edit or delete any event or deck at any time from the tool itself, and you may separately choose to make an individual tracker event or deck public via its own share link.
Cookies and analytics
We use essential first-party storage to remember your preferences. To understand how the site is used and improve it, we use a privacy-respecting product-analytics provider, PostHog. It records page views, clicks and interactions, page performance, your browser and operating system, and an approximate region — but never your name or personal information. PostHog honors your browser’s Do-Not-Track setting, and we run it cookie-light: it sets no tracking cookies and keeps no profile of you across sessions, so no consent banner is needed. We run no ad trackers today. If we ever run paid ad campaigns, an ad-network cookie may be set to measure their effectiveness — and a future paid subscription will remove display ads entirely.
Affiliate links
Some “Rent” and “Buy” buttons are affiliate links (for example, ManaTraders and eBay). If you follow one and complete a purchase or rental, we may earn a commission, and the partner site records that the visit came from CastHaven. Those partners have their own privacy policies governing what happens once you leave our site.
Card and tournament data
Card names, text, and images come from Scryfall, with artist and copyright credits shown wherever card art appears. Tournament results come from public sources, credited on each page. This is public competitive data about decks and events — not personal information about you.
Providers that process data
We use the following third-party providers, each handling only the data needed for its job. We keep this list current as the stack changes; a fuller subprocessor list is available on request.
| Provider | Purpose | Data |
|---|---|---|
| Vercel | Application hosting | Request and log data, IP |
| Neon | Database hosting | Newsletter and suggestion records; member tracker/builder data |
| Resend | Email delivery | Email addresses, message content |
| Cloudflare | CDN and asset storage | Request data, IP |
| PostHog | Product analytics | Page views, interactions, device/browser, approximate region |
| Clerk | Member authentication | Email, optional username, login metadata |
| Inngest | Background jobs | Job metadata and identifiers |
Editorial articles are drafted with help from third-party AI models, which process public tournament data — not your personal information.
What we never do
We don’t sell your personal information. We don’t share your email address for anyone else’s marketing. We don’t buy data about you to combine with what you’ve given us.
Access and disclosure
No one at Tinker Citadel LLC reads your data except in limited cases — to help with a support request you raised, to fix a failed automated process, to protect the service while investigating abuse, or when required by a valid U.S. legal order. Where we are legally able, we will notify you before disclosing your data. If Tinker Citadel LLC is ever acquired or merges, we will notify you before your personal information becomes subject to a different privacy policy.
Your rights
We apply the same core rights to everyone, wherever you live: to know what we hold, to access a copy, to correct it, to ask us to delete it, to object to or restrict certain processing, to opt out of any sale (we don’t sell), and to not be treated differently for exercising these rights. To make a request, email privacy@tinkercitadel.com. We may need to confirm your identity first, and an authorized agent must provide written permission.
Deleting your account. If you have a match-tracker or deck-builder account, deleting it (from your account settings, or by emailing privacy@tinkercitadel.com if you can’t access the setting) permanently erases your local account record and every tracker event, round, game, and saved deck tied to it. This happens automatically and promptly once the deletion is confirmed with our authentication provider — you do not need to separately ask us to remove your tracker or builder data.
Security, retention, and location
Data is encrypted in transit (SSL/TLS) between your browser and our servers, and backups are encrypted by our providers. We keep information only as long as needed for the purposes above or to meet legal obligations; if you unsubscribe or ask us to delete your record, we remove it from active systems and backups within 60 days. Our infrastructure is based in the United States. If you are in the EU, UK, or elsewhere, your information is transferred to and stored in the U.S.; for EU transfers we rely on Standard Contractual Clauses.
Ages 18 and older
This site is intended for adults aged 18 and older. We do not direct CastHaven to minors under 18, and we do not knowingly collect personal information from anyone under 18.
California residents
California residents have additional rights and disclosures under the CCPA. See our California Notice at Collection for the details.
Changes and contact
We may update this policy to reflect new practices or legal requirements; the “last updated” date above always reflects the current version. Questions or concerns? Email privacy@tinkercitadel.com.