Skip to content

Your data

Privacy Policy

CastHaven is operated by Tinker Citadel LLC (“we,” “us”). We collect as little as possible and never sell your personal information. This page lists everything we hold, why, who processes it, and the rights you have over it.

Last updated July 1, 2026

What we collect and why

Newsletter signups. If you subscribe, we store your email address, the lists you chose, and the timestamps of when you consented, confirmed, and (if you do) unsubscribed. Nothing is emailed until you confirm — double opt-in.

Community suggestions. When you use a “Suggest a fix” form to propose an archetype correction, we store your suggestion and a one-way hashed form of your IP address. The hash lets us rate-limit abuse without keeping your raw IP.

Security and delivery logs. Our hosting and content providers log IP addresses, request metadata, browser version, and referring page for security, fraud prevention, and reliability. We do not use these to build a profile of you.

Usage analytics.We use a privacy-respecting product-analytics provider, PostHog, to see which pages and features people use so we can improve the site. It records page views, clicks and interactions, page performance, your browser and operating system, and an approximate region — never your name or other personal information. It honors your browser’s Do-Not-Track setting and runs cookie-light, so it sets no tracking cookies and keeps no profile of you across visits.

Your preferences. Your theme choice (light, dark, rainbow, or system) is saved in your own browser and never sent to us.

Accounts. CastHaven offers free sign-in through our authentication provider, Clerk, for two optional member tools: the match tracker and the deck builder. Creating an account stores your email address and, if you set one, a public username shown as attribution if you choose to share a tracker event or a deck. Clerk also processes standard login metadata (session and authentication records) to operate sign-in securely.

Match tracker and deck builder. If you use these tools, we store what you enter: tracker events, rounds, game results, mulligan notes, and decklists you add, plus decks you save in the deck builder. This data is private to your account by default. It is never used to build our public rankings, articles, or metagame statistics. You control it fully — edit or delete any event or deck at any time from the tool itself, and you may separately choose to make an individual tracker event or deck public via its own share link.

Cookies and analytics

We use essential first-party storage to remember your preferences. To understand how the site is used and improve it, we use a privacy-respecting product-analytics provider, PostHog. It records page views, clicks and interactions, page performance, your browser and operating system, and an approximate region — but never your name or personal information. PostHog honors your browser’s Do-Not-Track setting, and we run it cookie-light: it sets no tracking cookies and keeps no profile of you across sessions, so no consent banner is needed. We run no ad trackers today. If we ever run paid ad campaigns, an ad-network cookie may be set to measure their effectiveness — and a future paid subscription will remove display ads entirely.

Affiliate links

Some “Rent” and “Buy” buttons are affiliate links (for example, ManaTraders and eBay). If you follow one and complete a purchase or rental, we may earn a commission, and the partner site records that the visit came from CastHaven. Those partners have their own privacy policies governing what happens once you leave our site.

Card and tournament data

Card names, text, and images come from Scryfall, with artist and copyright credits shown wherever card art appears. Tournament results come from public sources, credited on each page. This is public competitive data about decks and events — not personal information about you.

Providers that process data

We use the following third-party providers, each handling only the data needed for its job. We keep this list current as the stack changes; a fuller subprocessor list is available on request.

ProviderPurposeData
VercelApplication hostingRequest and log data, IP
NeonDatabase hostingNewsletter and suggestion records; member tracker/builder data
ResendEmail deliveryEmail addresses, message content
CloudflareCDN and asset storageRequest data, IP
PostHogProduct analyticsPage views, interactions, device/browser, approximate region
ClerkMember authenticationEmail, optional username, login metadata
InngestBackground jobsJob metadata and identifiers

Editorial articles are drafted with help from third-party AI models, which process public tournament data — not your personal information.

What we never do

We don’t sell your personal information. We don’t share your email address for anyone else’s marketing. We don’t buy data about you to combine with what you’ve given us.

Access and disclosure

No one at Tinker Citadel LLC reads your data except in limited cases — to help with a support request you raised, to fix a failed automated process, to protect the service while investigating abuse, or when required by a valid U.S. legal order. Where we are legally able, we will notify you before disclosing your data. If Tinker Citadel LLC is ever acquired or merges, we will notify you before your personal information becomes subject to a different privacy policy.

Your rights

We apply the same core rights to everyone, wherever you live: to know what we hold, to access a copy, to correct it, to ask us to delete it, to object to or restrict certain processing, to opt out of any sale (we don’t sell), and to not be treated differently for exercising these rights. To make a request, email privacy@tinkercitadel.com. We may need to confirm your identity first, and an authorized agent must provide written permission.

Deleting your account. If you have a match-tracker or deck-builder account, deleting it (from your account settings, or by emailing privacy@tinkercitadel.com if you can’t access the setting) permanently erases your local account record and every tracker event, round, game, and saved deck tied to it. This happens automatically and promptly once the deletion is confirmed with our authentication provider — you do not need to separately ask us to remove your tracker or builder data.

Security, retention, and location

Data is encrypted in transit (SSL/TLS) between your browser and our servers, and backups are encrypted by our providers. We keep information only as long as needed for the purposes above or to meet legal obligations; if you unsubscribe or ask us to delete your record, we remove it from active systems and backups within 60 days. Our infrastructure is based in the United States. If you are in the EU, UK, or elsewhere, your information is transferred to and stored in the U.S.; for EU transfers we rely on Standard Contractual Clauses.

Ages 18 and older

This site is intended for adults aged 18 and older. We do not direct CastHaven to minors under 18, and we do not knowingly collect personal information from anyone under 18.

California residents

California residents have additional rights and disclosures under the CCPA. See our California Notice at Collection for the details.

Changes and contact

We may update this policy to reflect new practices or legal requirements; the “last updated” date above always reflects the current version. Questions or concerns? Email privacy@tinkercitadel.com.