Privacy and Security

The Scryfall team believes that privacy is a fundamental human right. We seek to minimize the amount of personal information that we collect and store.

We are not interested in advertising or building predatory “profiles” of our visitors. Any information we do collect is only used to operate Scryfall, provide paid services, and make informed decisions about how to improve our products. We also don’t sell or trade visitor information with other companies.

This document provides details about what kind of data Scryfall gathers and how we manage and protect it.

Secure Browsing

Scryfall forces HTTPS for all services, including our public website and API. Information you submit to Scryfall is private and cannot be seen by your internet service provider or anyone else on your network.

Scryfall embraces modern web security practices and we deploy a suite of security features, including HSTS and CSP.

We regularly audit our server configuration. You can inspect our grading yourself on multiple sites below:

Cookies and Browser Data

Scryfall has features that require us to remember your preferences and identify who is logged in to our sites. We use a combination of browser cookies and your browser’s local storage to track this information.

Account identifiers in cookies are encrypted, and settings in local storage are anonymized. We only set these items when you specifically log in to the site or change your preferences.

Clear website data: If you no longer want this information on your device, you can clear your history and cookies:

Analytics Data

When you use Scryfall, we collect statistical data about the device and network you used to access the site, including:

  • Your browser version (Safari, Firefox, Chrome, etc)
  • Your operating system (macOS, Windows, iPhone, etc)
  • The size of your screen
  • Your system language
  • Your network provider (Verizon, O2, Rogers, etc)
  • Your country

We also collect behavior data. For example, we keep track of which buttons and links people click to get around on the site and how often they come back.

This information is stored with Google Analytics and is anonymized and aggregated. When possible, we disable any Google Analytics data sharing settings to limit the amount of additional analysis Google can perform with this data. Scryfall also does not use the User-ID system.

Only Scryfall administrators have access to our analytics data. We collect this information so that we can make better decisions about how to improve Scryfall. We never sell or trade this information to any other company.

Opt-out: You have the option to opt out of Google Analytics using their browser extension or any of the available content blocking plugins for your platform.

Clear website data: If you want to remove identifiers Google Analytics may have left on your device, you can clear your history and cookies:

Scryfall Accounts

You can register for a Scryfall account in order to use personalized or exclusive features. If you do, the information in this section applies to you.

Personal information: In order to open an account, you will need to provide us with some required information, including a username and email address. You may also provide other optional information such as a display name, your Twitter handle, and an account avatar. None of this information needs to contain your legal name.

Scryfall uses this information to provide you with account services and communicate changes made to your account. Creating an account is optional and you do not need to provide any personal information to Scryfall otherwise.

Data privacy: Your email address is private; we will never share your account email with anyone. Your username, display name, avatar, and Twitter handle will be public. They may be visible to other people who use Scryfall.

Email policy: Scryfall will only send you critical account-related emails. For example, you may receive a message when you sign up, change account settings, or log in to the site. If you no longer wish to receive account-related emails, you may delete your account. Scryfall does not have a “newsletter” or other marketing email lists.

Change your account email

Password policy: Scryfall accounts do not use passwords. Instead, when you log in or perform sensitive account tasks, we send you a confirmation email containing a one-use link.

Two-factor authentication: Scryfall supports two-factor authentication, which improves the security of your Scryfall account by requiring that you enter a secondary passcode from an app each time you sign in.

Set up two-factor authentication

Data storage: Scryfall is built on Heroku and we store account and system data in the United States, using Heroku Postgres. You can read more about Heroku’s security practices.

In order to investigate and troubleshoot account issues, Scryfall administrators have access to the database and account data. When team members no longer need this level of access, we revoke it, even if that person otherwise remains a part of the Scryfall team.

Log out: You can log out of the Scryfall website by visiting the link below.

Sign-out of Scryfall

Export your data: You can download an archive of your account data at any time in your Scryfall settings.

Download your archive

Account deletion: You can delete your Scryfall account at any time. If you do, Scryfall will remove all information we have about you, including your account details, your settings, your comments, and your decks. Please note that once you delete an account, all of that information will be unrecoverable, even by Scryfall administrators. You can delete your Scryfall account by visiting the link below:

Delete your account

Payment Processing

You can sign up for optional paid Scryfall services. If you do, the information in this section applies to you.

Data storage: Scryfall adheres to PCI security standards for payments by using Stripe to capture card information and process transactions. You can read more about Stripe’s security.

Personal information: To sign up for paid Scryfall services, you will need to provide some required source information, such as debit or credit card details. The payment information that you provide is securely captured by Stripe. Scryfall team members can never see your full card number or card security code.

Donations: If you make a donation to Scryfall, we capture your payment information or charge your PayPal account only for the purposes of your one-time donation. No further data is stored and no more communications will be sent afterward.

Scryfall Bots

Scryfall operates free chatbots that you can install on some chat services like Slack and Discord.

If you install Scryfall’s chat bots on your server, the bots will listen to your channels to determine if they need to respond to a message. Messages are sent to Scryfall’s server over an encrypted connection for automated inspection.

In order to troubleshoot bot issues, Scryfall administrators are able to see messages sent to our bots for a period of less than 24 hours. After this time, Scryfall discards this data and does not permanently store bot messages.

For your safety, please do not install our chatbots on servers where vitally secret, confidential, tactical, or life-threatening information is discussed.

Limit Slack bot access: On Slack, you can limit the amount of information that our bot receives by inviting it only to channels you approve. You can also completely remove the bot by removing the integration in your server settings.

Limit Discord bot access: On Discord, the bot listens to all public text channels. If you no longer wish to use the bot you can kick it from your server.

Scryfall is bound by the law of the United States. We may be required to disclose personal information we have in order to comply with the legal process, protect or defend our rights or property, or protect the rights of others.

When we disclose information, we will do so only after reviewing the legal request carefully. We will seek to reject overly broad or unclear requests. And if we confirm that the request is valid and legal, we will disclose the narrowest amount of information required to comply.

If we must disclose your personal information in order to comply with the law, we will notify you as soon as we are able to.

Questions?

If you have questions or concerns about this privacy information, please don’t hesitate to contact us.

Send Scryfall a question