Privacy Policy | Adria MTG

What We Collect

Adria MTG collects only what is necessary to provide the service:

Email address: Used for login. Not shared with third parties.
Display name (optional): Shown in the app header.
Password: Stored as an Argon2id hash. We never store or see your plaintext password.
LLM API key (optional): Encrypted at rest with AES-256-GCM. Never sent to the client after storage. Used server-side only for AI coaching calls.
Draft data: Your draft sessions, picks, decks, and analytics.

What We Don't Collect

No tracking cookies or analytics scripts
No IP addresses stored in our database
No third-party advertising or data sharing
No browser fingerprinting

Cookies

Adria uses only essential cookies that are strictly necessary for the site to function. These cookies are exempt from consent requirements under GDPR ePrivacy Directive.

Session cookie: Keeps you logged in between pages. Expires when you log out or after 30 days.
CSRF token: Prevents cross-site request forgery attacks. Session-only.

We do NOT use tracking, analytics, advertising, or third-party cookies. You cannot use Adria without essential cookies, as they are required for authentication and security.

Third-Party Services

Adria MTG connects to the following external services:

Scryfall API: Card data and images. Subject to Scryfall's privacy policy.
OpenRouter / Anthropic: AI coaching calls are sent to your configured LLM provider. Your draft context (card names, pick history) is included in coaching prompts. Subject to your provider's data policies.
17Lands.com: Card performance statistics. No user data is sent to 17Lands.

Data Security

Passwords are hashed with Argon2id (industry standard)
API keys are encrypted with AES-256-GCM
Session cookies use HttpOnly, SameSite=Lax, and Secure flags (when behind HTTPS)
Login attempts are rate-limited per email and per IP

Data Retention

Account data: Retained until you delete your account
Draft history: Retained until you delete your account or individual drafts
Deleted data: Permanently removed within 30 days
Session data: Expires after 30 days of inactivity or when you log out

Your Rights

Export your data: Download all your data as JSON from your profile page.
Delete your account: Permanently delete your account and all associated data from your profile page. This is immediate and irreversible.
No account required: You can use Adria MTG without creating an account. Anonymous usage generates a random local ID that is not linked to any personal information.

For Users in the European Union (GDPR)

Under the General Data Protection Regulation (GDPR), you have additional rights regarding your personal data:

Legal Basis for Processing

Account creation: Contract performance (to provide the service you requested)
Draft data storage: Legitimate interest (to save your progress and provide analytics)
Essential cookies: Strictly necessary for the service to function (exempt from consent)

Your GDPR Rights

Right to access: Download all your data via Profile page
Right to rectification: Update your email or display name in Profile settings
Right to erasure: Delete your account and all data permanently via Profile page
Right to data portability: Export your data in JSON format
Right to object: You can stop using the service and delete your account at any time
Right to lodge a complaint: Contact your national data protection authority if you have concerns

We do not engage in automated decision-making or profiling. We do not transfer your data outside the EU/EEA without appropriate safeguards.

Contact

For privacy questions, data deletion requests, or to exercise your GDPR rights, email [email protected]. We respond to all requests within 30 days.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated 'Last updated' date. Continued use of Adria after changes constitutes acceptance of the updated policy.

Legal Information

Adria is not affiliated with, endorsed by, or sponsored by Wizards of the Coast. Magic: The Gathering and all related trademarks are property of Wizards of the Coast LLC. Card data provided by Scryfall under the Wizards of the Coast Fan Content Policy.

What We Collect

Adria MTG collects only what is necessary to provide the service:

Email address: Used for login. Not shared with third parties.

Display name (optional): Shown in the app header.

Password: Stored as an Argon2id hash. We never store or see your plaintext password.

LLM API key (optional): Encrypted at rest with AES-256-GCM. Never sent to the client after storage. Used server-side only for AI coaching calls.

Draft data: Your draft sessions, picks, decks, and analytics.

Adria uses only essential cookies that are strictly necessary for the site to function. These cookies are exempt from consent requirements under GDPR ePrivacy Directive.

Session cookie: Keeps you logged in between pages. Expires when you log out or after 30 days.

CSRF token: Prevents cross-site request forgery attacks. Session-only.

We do NOT use tracking, analytics, advertising, or third-party cookies. You cannot use Adria without essential cookies, as they are required for authentication and security.

Third-Party Services

Adria MTG connects to the following external services:

Scryfall API: Card data and images. Subject to Scryfall's privacy policy.

OpenRouter / Anthropic: AI coaching calls are sent to your configured LLM provider. Your draft context (card names, pick history) is included in coaching prompts. Subject to your provider's data policies.

17Lands.com: Card performance statistics. No user data is sent to 17Lands.

Your Rights

Export your data: Download all your data as JSON from your profile page.

Delete your account: Permanently delete your account and all associated data from your profile page. This is immediate and irreversible.

No account required: You can use Adria MTG without creating an account. Anonymous usage generates a random local ID that is not linked to any personal information.

For Users in the European Union (GDPR)

Under the General Data Protection Regulation (GDPR), you have additional rights regarding your personal data:

Legal Basis for Processing

Account creation: Contract performance (to provide the service you requested)

Draft data storage: Legitimate interest (to save your progress and provide analytics)

Essential cookies: Strictly necessary for the service to function (exempt from consent)

Your GDPR Rights

Right to access: Download all your data via Profile page

Right to rectification: Update your email or display name in Profile settings

Right to erasure: Delete your account and all data permanently via Profile page

Right to data portability: Export your data in JSON format

Right to object: You can stop using the service and delete your account at any time

Right to lodge a complaint: Contact your national data protection authority if you have concerns

We do not engage in automated decision-making or profiling. We do not transfer your data outside the EU/EEA without appropriate safeguards.