Privacy Policy
1. Data controller
The controller of personal data is:
Mateis Bourlet — operator of the CapyDex website
Email: contact@capydex.com
2. Data collected
We collect the following data:
When creating an account
- Display name — to personalise your experience
- Email address — for authentication and communications
- Password — stored hashed (never in clear text)
- Username (optional) — for referrals and sharing
On each login
- IP address — for account security (detecting suspicious logins)
- User-Agent — to identify the device type
While using the service
- Collection data — owned cards, purchase prices, notes, receipt photos
- Wishlist — wanted items and target prices
- Preferences — notification preferences
In case of a subscription
- Stripe customer ID — for subscription management
- Payment data (card number) is processed exclusively by Stripe and never passes through our servers
In case of a Discord link (optional)
- Discord ID — unique identifier to assign Capy+ roles
- Discord username — for display in your account area
- Discord email address — only for account matching
The Discord link is entirely optional. You can break it at any time from your account area — all Discord data is then deleted immediately.
3. Purposes of processing
- Providing the service (collection, prices, wishlist)
- Authentication and account security
- Subscription management and billing
- Sending notifications (price alerts, transactional emails)
- Improving the service
4. Legal basis
- Performance of the contract (Art. 6.1.b GDPR) — to provide the service you subscribed to
- Consent (Art. 6.1.a GDPR) — for optional notifications (Discord, price alerts)
- Legal obligation (Art. 6.1.c GDPR) — for retaining billing data
5. Retention period
| Data | Duration | Justification |
|---|---|---|
| Account and profile | As long as the account is active | Performance of the contract |
| Collection, wishlist, binders | As long as the account is active | Performance of the contract |
| Notifications | 90 days | User convenience |
| Login sessions | 7 days of inactivity | Security |
| Login logs (IP, User-Agent) | 12 months | CNIL recommendation |
| Portfolio snapshots | As long as the account is active | Performance of the contract |
| Billing data (Stripe) | 10 years after last transaction | Legal obligation (French Commercial Code Art. L123-22) |
| Receipt photos | As long as the account is active | Performance of the contract |
| Newsletter signup (email) | Until unsubscription | Consent (double opt-in) |
If the account is deleted, all data is erased immediately, except billing data which is anonymised and kept for the legal period.
6. Processors
Your data may be shared with the following processors:
- Stripe (USA) — payment processing. Stripe policy
- Resend (USA) — sending transactional emails and the newsletter. Resend policy
- PostHog (EU, Frankfurt) — audience measurement and error tracking, in anonymous mode (cookieless). PostHog policy
- Cloudflare (USA) — DNS, CDN and secure tunnel. Cloudflare policy
- Discord Inc. (USA) — OAuth2 authentication and role assignment on the CapyDex Discord server. Only if the user voluntarily enables the Discord link. Discord policy
These providers comply with the GDPR and/or are certified under the EU-US Data Privacy Framework.
7. Transfers outside the EU
Some processors (Stripe, Resend, Cloudflare, Discord) are located in the United States. Transfers are governed by the EU-US Data Privacy Framework or the European Commission's standard contractual clauses.
8. Cookies
CapyDex uses only technical cookies that are strictly necessary:
- Session cookie — keeps you signed in. Expires when the browser closes or after 7 days.
No advertising, analytics or third-party tracking cookie is used. No audience measurement tool (Google Analytics, etc.) is installed.
9. Your rights (GDPR)
In accordance with the GDPR, you have the following rights:
- Right of access (Art. 15) — to know what data we hold about you
- Right to rectification (Art. 16) — to correct your data
- Right to erasure (Art. 17) — to delete your account and your data via account settings
- Right to portability (Art. 20) — to export all your data in JSON format or your collection in CSV format, from account settings
- Right to object (Art. 21) — to object to the processing of your data
- Right to withdraw consent — to disable notifications at any time
To exercise your rights, contact us at contact@capydex.com. We will reply within 30 days.
10. Security
- Hashed passwords (bcrypt algorithm)
- Encrypted connections (HTTPS/TLS)
- Hosting on personal infrastructure with restricted access
- No storage of banking data (handled by Stripe)
11. Complaint
If you believe the processing of your data does not comply, you may lodge a complaint with the CNIL (French Data Protection Authority):
www.cnil.fr/fr/plaintes
12. Contact
For any question regarding your personal data:
contact@capydex.com
Last updated: 8 May 2026