SpellControl Privacy Policy

Last updated: 2026-05-23.

SpellControl is a tool for organizing physical Magic: The Gathering collections, building decks, and tracking multiplayer games. This page describes what data the app collects, where it's stored, and who it's shared with. We don't sell your data and we don't share it with advertisers.

What we store

• If you use the app without an account: your collection, binders, decks, and game history stay on your device (browser localStorage and IndexedDB, or the on-device equivalent in the mobile app). Nothing leaves your device.
• If you create a password account: we store your username, a hashed password (we never see the plaintext), and the collection / deck / binder / game data you choose to sync. This is so you can sign in on another device and see the same data. Data is held on our server at api.spellcontrol.com (hosted on Fly.io, with a managed Postgres database on Neon).
• If you sign in with Google: in addition to the collection / deck / binder / game data above, we store your Google account's email address, a flag indicating whether Google has verified it, and the stable Google-issued account identifier ("sub") that we use to recognize the same Google account on your next sign-in. We do not receive your Google password and we do not access any other Google service on your behalf — only the basic profile (email + identifier) that Google returns at sign-in. You can unlink Google from your account in Settings.
• Shared content: if you generate a share link for a binder or deck, the contents of that share live on our server and are accessible to anyone with the link until you delete the share.
• Multiplayer game sessions: when you start an online game, the game state (life totals, board snapshot, turn) lives on our server so other players can join. Sessions are removed when the game ends.

What we don't do

• We don't sell your data.
• We don't share it with advertisers or third-party trackers.
• We don't run analytics, ad networks, or behavioral tracking SDKs.
• We don't access your phone's photo library or contacts. The camera permission is used only for the in-app card scanner, and the recognized text never leaves your device during scanning (OCR runs on-device via Google ML Kit on Android).

Third-party services we read from

To work, the app reads public data from third-party Magic: The Gathering sources. These services don't receive any of your collection data, only generic card-lookup requests:

• Scryfall — card catalog and oracle data.
• EDHRec — Commander deck recommendations.
• Commander Spellbook — combo dataset.
• Tagger — card role/archetype tags.

Sign-in providers

Signing in with Google sends you to Google's OAuth consent screen and returns a verified email and account identifier to api.spellcontrol.com. Google receives the standard information about that sign-in (which app, when); it does not receive your collection data or any other app activity. Google's own handling of that data is governed by their privacy policy.

Cookies and local storage

We use one cookie: a session cookie set when you sign in, used to keep you signed in. We don't use cookies for tracking. Most of the app's state lives in browser localStorage and IndexedDB on your device.

Data deletion

You can delete your account from the in-app settings, which removes your username, hashed password, and all synced data from our server. Local data can be cleared by signing out and clearing site data in your browser settings (or uninstalling the mobile app).

Children

SpellControl is intended for users aged 13 and older. We don't knowingly collect personal information from children under 13. If you believe a child has created an account, please email us at the address below and we'll remove the account.

Security

All traffic to api.spellcontrol.com uses HTTPS. Passwords are stored using a one-way salted hash (bcrypt) — we cannot recover or read your password. We make a reasonable effort to keep the server up to date, but no online service can promise perfect security; please use a unique password.

Changes to this policy

If we materially change what we collect or how we use it, we'll update this page and the "last updated" date at the top.

Contact

Questions or data-deletion requests: spellcontrolapp@gmail.com.