Privacy and Security

The Scryfall team believes that privacy is a fundamental human right.
We seek to minimize the amount of personal information that we collect and store.

We are not interested in advertising or building predatory “profiles” of our visitors.
Any information we do collect is only used to operate Scryfall, provide paid services,
and make informed decisions about how to improve our products.
We also don’t sell or trade visitor information with other companies.

This document provides details about what kind of data
Scryfall gathers and how we manage and protect it.

Secure Browsing

Scryfall forces HTTPS for all services,
including our public website and API.
Information you submit to Scryfall is private and cannot be seen
by your internet service provider or anyone else on your network.

Scryfall embraces modern web security practices and we deploy
a suite of security features, including HSTS
and CSP.

We regularly audit our server configuration.
You can inspect our grading yourself on multiple sites below:

Cookies and Browser Data

Scryfall has features that require us to remember your preferences and
identify who is logged in to our sites.
We use a combination of browser cookies
and your browser’s local storage
to track this information.

Account identifiers in cookies are encrypted,
and settings in local storage are anonymized.
We only set these items when you specifically
log in to the site or change your preferences.

Take control:
If you no longer want this information on your device,
you can clear your history and cookies:

Analytics Data

When you use Scryfall, we collect statistical data about the device
and network you used to access the site, including:

  • Your browser version (Safari, Firefox, Chrome, etc)
  • Your operating system (macOS, Windows, iPhone, etc)
  • The size of your screen
  • Your system language
  • Your network provider (Verizon, O2, Rogers, etc)
  • Your country

We also collect behavior data.
For example, we keep track of which buttons and links people click
to get around on the site and how often they come back.

This information is stored with Google Analytics
and is anonymized and aggregated.
When possible, we disable any Google Analytics data sharing settings
to limit the amount of additional analysis Google can perform with this data.
Scryfall also does not use the User-ID
system.

Only Scryfall administrators have access to our analytics data.
We collect this information so that we can make better decisions
about how to improve Scryfall.
We never sell or trade this information to any other company.

Opt-out:
You have the option to opt out of Google Analytics
using their browser extension
or any of the available content blocking plugins for your platform.

Opt-out:
You can set a Do Not Track setting in your browser,
which Google Analytics will honor.

Take control:
If you want to remove identifiers Google Analytics may have left
on your device, you can clear your history and cookies:

Scryfall Accounts

You can register for a Scryfall account in order
to use personalized or exclusive features.
If you do, the information in this section applies to you.

Personal information:
In order to open an account, you will need to provide us with some required information,
including a username and email address.
You may also provide other optional information such as
a display name, your Twitter handle,
and an account avatar.
None of this information needs to contain your legal name.

Scryfall uses this information to provide you with account services
and communicate changes made to your account.
Creating an account is optional and you do not need
to provide any personal information to Scryfall otherwise.

Data privacy:
Your email address is private;
we will never share your account email with anyone.
Your username, display name, avatar, and Twitter handle will be public.
They may be visible to other people who use Scryfall.

Email policy:
Scryfall will only send you critical account-related emails.
For example, you may receive a message when you sign up,
change account settings, or log in to the site.
If you no longer wish to receive account-related emails,
you may delete your account.
Scryfall does not have a “newsletter” or other marketing email lists.

Password policy:
Scryfall accounts do not use passwords. Instead, when you log in or
perform sensitive account tasks, we send you a confirmation email
containing a one-use link.

Scryfall also supports two-factor authentication.
Two-factor authentication improves the security of your Scryfall
account by requiring that you enter a secondary passcode
from an app each time you sign in.

Manage your security settings

Data storage:
Scryfall is built on Heroku
and we store account and system data in the United States,
using Heroku Postgres.
You can read more about Heroku’s security practices.

In order to investigate and troubleshoot account issues,
Scryfall administrators have access to the database and account data.
When team members no longer need this level of access, we revoke it,
even if that person otherwise remains a part of the Scryfall team.

Take control:
You can log out of the Scryfall website by visiting
the link below.

Sign-out of Scryfall

Take control:
You can delete your Scryfall account at any time.
If you do, Scryfall will remove all information we have about you,
including your account details, your settings, your comments, and your decks.
Please note that once you delete an account, all of that information will be unrecoverable,
even by Scryfall administrators.
You can delete your Scryfall account by visiting
the link below:

Delete Your Account

Payment Processing

You can sign up for optional paid Scryfall services.
If you do, the information in this section applies to you.

Data storage:
Scryfall adheres to PCI security standards
for payments by using Stripe
to capture card information and process transactions.
You can read more about Stripe’s security.

Personal information:
To sign up for paid Scryfall services, you will need to provide
some required source information, such as debit or credit card details.
The payment information that you provide is securely captured by Stripe.
Scryfall team members can never see your full card number or card security code.

Take control:
You can update your payment information on file at any time
in your account settings:

Manage your payment information

Scryfall Bots

Scryfall operates free chatbots that you can install
on some chat services like Slack and Discord.

If you install Scryfall’s chatbots on your server,
the bots will listen to your channels to determine if they need to respond to a message.
Messages are sent to Scryfall’s server over an encrypted connection
for automated inspection.

In order to troubleshoot bot issues,
Scryfall administrators are able to see messages
sent to our bots for a period of less than 24 hours.
After this time, Scryfall discards this data
and does not permanently store bot messages.

For your safety, please do not install our chatbots on servers where
vitally secret, confidential, tactical, or life-threatening information is discussed.

Take control:
On Slack, you can limit the amount of information that our bot
receives by inviting it only
to channels you approve.
You can also completely remove the bot by
removing the integration in your server settings.

Take control:
On Discord, the bot listens to all public text channels.
If you no longer wish to use the bot, you can kick it from your server.

Scryfall is bound by the law of the United States.
We may be required to disclose personal information we have in order to
comply with the legal process, protect or defend our rights or property,
or protect the rights of others.

When we disclose information, we will do so only after
reviewing the legal request carefully. We will seek to reject overly broad
or unclear requests. And if we confirm that the request is
valid and legal, we will disclose the narrowest amount of information
required to comply.

If we must disclose your personal information in order to comply with the
law, we will notify you as soon as we are able to.

Questions?

If you have questions or concerns about this privacy information,
please don’t hesitate to contact us.