PocaFinder Privacy Policy
Last Updated: April 13, 2025
Introduction
Your privacy is important to us. This Privacy Policy explains how
PocaFinder (a global search engine for K-pop
photocard trades, based in Spain) collects, uses, and protects your
personal information. It also outlines your rights under relevant
privacy laws like the EU
General Data Protection Regulation (GDPR) and the US
Children's Online Privacy Protection Act (COPPA). By
using PocaFinder, you agree to the practices described in this policy.
If you do not agree, please do not use our service.
Information We Collect
We only collect the minimum information necessary to provide and
improve our service. This includes:
- Account Information: When you register or log in
via Google OAuth, we receive your name and email address from
Google. We use these to create and identify your account.
- Payment Information: If you choose to subscribe to
our paid tier, payments are processed securely by
Stripe. We do not collect or store
your full credit card details. Stripe may collect your payment
details (such as card number, billing address) to process
transactions. We may receive limited information from Stripe (like
the last four digits of your card, card type, or payment status) for
record-keeping.
- Usage Data: When you use PocaFinder, we
automatically receive some data about your device and how you use
the service. This may include your IP address, browser type, device
type, pages viewed, and the time spent on pages. We collect this via
Cloudflare Pages (our hosting platform) and
Cloudflare Web Analytics. This data helps us
analyze usage trends, administer and secure the site, and improve
the user experience. Cloudflare Web Analytics is a privacy-focused
analytics service that does not use tracking cookies, but it may
collect aggregate data like page views and referral source.
- Cookies and Similar Technologies: PocaFinder itself
uses minimal cookies. The service may set a cookie to keep you
logged in or remember preferences. Our third-party providers (Google
for OAuth, Cloudflare for analytics) might use cookies or similar
technologies as part of their services. For example, Google might
set cookies as part of the OAuth login process. You can control
cookies through your browser settings, but note that disabling
cookies may affect site functionality (e.g. staying logged in).
- Communications: If you contact us (for example, via
email at [email protected] or
through any support channels), we will collect the information you
provide (such as your email address and the content of your message)
in order to respond to you and resolve any issues.
We do not collect any sensitive personal information
such as government ID numbers, racial or ethnic origin, health
information, or biometric data. Please refrain from providing such
information on our platform.
How We Use Your Information
We use the collected information for the following purposes:
- To Provide the Service: Your name and email are
used to create and maintain your account, allow you to log in via
Google OAuth, and personalize your experience (for example, greeting
you by name or associating your search settings with your account).
- Subscription Management and Payments: If you
subscribe to the premium tier, we use your information to manage
your subscription. This includes processing your payment through
Stripe and tracking your subscription status (active, canceled,
etc.). Your email may be used to send you receipts, subscription
notices, or alerts related to billing (e.g. payment failures or
renewal reminders).
- Service Improvement and Analytics: We analyze usage
data (aggregated metrics like total visits, popular search queries,
etc.) to understand how our service is used. This helps us
troubleshoot performance issues, plan new features, and improve the
user experience. For example, knowing which regions our users come
from can help us optimize our network for speed. Analytics are
conducted in a privacy-friendly manner via Cloudflare Web Analytics,
which does not track individual users across different sites.
- Communication: We may use your email to send
important notices, such as significant changes to this Privacy
Policy or Terms of Service, security alerts, or support responses.
We do not send marketing or promotional emails
unrelated to PocaFinder's service without your consent. (We
currently do not run a marketing newsletter, but if we ever do, it
will be opt-in.)
- Security and Fraud Prevention: Information like IP
addresses and logs may be used to protect the security of our
platform, our users, and others. For instance, we might use IP
information to detect and block malicious activity (such as a
denial-of-service attack or repeated scraping attempts). We also use
Google OAuth primarily for authentication because it's a secure way
for you to log in without us storing a separate password; this helps
prevent unauthorized account access.
- Legal Compliance: Where necessary, we will use your
information to comply with legal obligations. For example, keeping
transaction records for accounting/tax purposes, or using data to
comply with a lawful request by authorities.
We will only use your personal information for the purposes above and
will not process it in a manner that is incompatible with these
purposes. If we need to use your information for a new purpose, we
will update this Privacy Policy and notify you when required by law.
Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA) or the UK, we must have
a valid legal basis to process your personal data
under GDPR. PocaFinder relies on the following legal bases:
- Performance of a Contract: When you create an
account and use PocaFinder, you are entering into a user agreement
(our Terms of Service) with us. We process your personal data as
necessary to fulfill our contract with you – for example, using your
email to log you in and deliver the search service you requested, or
to provide paid features if you subscribe.
- Legitimate Interests: We process certain data for
our legitimate business interests in a manner that doesn't outweigh
your privacy rights. For instance, we have a legitimate interest in
understanding usage of our site (analytics) to improve
functionality, and in ensuring security by monitoring for suspicious
activities. We rely on legitimate interests to use and analyze usage
data and to carry out limited marketing of our own service (such as
sending an email about a new feature to our users). When we process
on this basis, we consider and balance any potential impact on your
rights.
- Consent: In specific situations, we may rely on
your consent. For example, if we ever integrate optional features
that require extra data, we would ask your consent. Also, when you
use Google OAuth, you consent to share your Google profile
information (email, name) with us. You have the right to withdraw
consent at any time, but note that this will not affect processing
already done. For instance, if you withdraw consent for Google OAuth
sharing, you may not be able to log in via Google anymore.
- Legal Obligation: If we are required by law to
process or disclose your information (for example, a court order or
compliance with tax laws), this processing is based on legal
obligation.
Children's Privacy
Protecting children's privacy is especially important to us.
PocaFinder is not directed to children under 13 years
of age. In compliance with
COPPA (Children's Online Privacy Protection Act) in
the United States, we do not knowingly collect personal information
from children under 13.
If you are under 13,
please do not create an account or use this service.
If we learn that we have inadvertently collected personal data from a
child under 13 without verifiable parental consent, we will take steps
to delete that information promptly. If you believe a child under 13
may have provided us personal data, please contact us at
[email protected] so we can
investigate and delete any such data.
For users located in the European Union or other regions with laws
governing data collection for minors: if you are under the age at
which you can provide consent for data processing in your country (for
example, under 16 under the GDPR, or under 14 in Spain), you should
only use PocaFinder with involvement of a parent or legal guardian. We
will take steps to obtain parental consent if we ever intentionally
collect personal information from users under the applicable age
threshold. Generally, we do not aim to collect any additional data
from users known to be minors beyond the minimal information (name,
email) needed for account creation through Google OAuth.
Parents and guardians are encouraged to monitor their children's
online activities and help enforce this Privacy Policy by instructing
their children never to provide personal information without
permission.
How We Share and Disclose Information
We value your privacy.
We do not sell your personal information to third parties. We only share your information in a few specific circumstances:
- Service Providers (Processors): We use trusted
third-party companies to help us operate PocaFinder. These include:
  - Google (Google OAuth): for authentication. When
you use Google Sign-In, Google shares your name and email with
us. Google's use of your information is governed by Google's
Privacy Policy. We do not share your data with Google beyond
what is necessary for the OAuth process (e.g. confirming your
login and identity token).
  - Cloudflare: for hosting our site (Cloudflare
Pages) and providing Web Analytics. Cloudflare may process data
like IP addresses and user agent info as a part of delivering
content and security services (e.g. protecting the site from
attacks) and providing us with aggregated analytics. Cloudflare
acts as a data processor on our behalf and is GDPR-compliant in
its handling of European data transfers.
  - Stripe: for payment processing. If you
subscribe, your payment details are handled by Stripe. Stripe
will process your payment information securely and may store
your card data for billing. Stripe only shares with us what we
need to know (like whether payment was successful). Stripe is a
certified PCI-DSS compliant payment provider and operates under
strict data protection and security standards, including GDPR
compliance for European transactions.
These service providers are bound by contracts that require them to
only use your data for the specified services we have hired them
for, and to protect your data in line with this Privacy Policy and
applicable laws.
- Legal Requirements: We may disclose your
information if required to do so by law or in response to valid
legal requests (such as a subpoena, court order, or government
demand). We will only disclose what is necessary and will inform you
of such requests when permissible. Additionally, we may disclose
information if we believe in good faith that it is necessary to
investigate or protect against harmful activities to PocaFinder, our
users, or others (for example, investigating fraud or security
issues).
- Business Transfers: If PocaFinder (or the company
operating it) is involved in a merger, acquisition, asset sale,
bankruptcy, or other transaction, your information may be
transferred to the successor or acquiring entity. If that happens,
we will ensure that your data remains subject to confidentiality
commitments and will notify you (for example, by email or a
prominent notice on our site) of the change in ownership or use of
your personal information, as well as any choices you may have
regarding your information.
- With Your Consent: Apart from the cases above, we
will ask for your consent before sharing your personal data with
third parties, if such a situation ever arises. For instance, if we
partner with another service for an optional feature where data
sharing is needed, we would only do so if you opt-in.
Importantly,
we do not share your personal information with any advertisers or
social media companies. We have no advertising on our site and we do not monetize your
data. Any information that is shared with our service providers is
solely to enable core functionalities (login, hosting, analytics,
payments) as described.
Data Retention
We keep your personal information only as long as necessary for the
purposes described in this Policy or as required by law:
- Account Data: If you have an account, we retain
your name and email for as long as your account is active so that
you can log in and use PocaFinder. If you choose to delete your
account or if it's inactive for an extended period, we will remove
or anonymize your personal data associated with the account, unless
we are required to retain it for legal reasons. Account deletion can
be requested by contacting us at our support email. Once deleted,
your credentials and any personal info will be removed from our main
databases within a reasonable time frame. (Backups and archives may
retain residual copies for a short period, but we have processes to
eventually purge those as well.)
- Payment Information: We do not store credit card
numbers or billing addresses on our systems; Stripe handles that. We
may retain transaction records (e.g. invoices, payment history tied
to your account) for accounting, tax, and legal compliance purposes.
These records typically include your name, email, the subscription
plan, and payment dates, but not sensitive card details. Such
financial records may be kept for a number of years as required by
Spanish accounting and tax laws (often 4-6 years).
- Analytics Data: Cloudflare Web Analytics provides
us aggregate reports. We do not keep personal analytics logs
ourselves. Raw access logs on our servers or Cloudflare's systems
(which could include IP addresses) are typically retained for a
short duration (e.g. a few days to weeks) for security analysis and
then automatically deleted or anonymized. We use only aggregated
statistics for long-term analysis, which do not identify individual
users.
- Communications: If you contacted us via email or
support, we may retain those communications as long as necessary to
address your issue and for training or quality assurance. We may
keep a record of support inquiries (which include your email and the
issue) to help in any future related issues or to improve our
support processes. These communications are generally kept for a
period of time after resolution in case follow-up is needed, and
then archived or deleted periodically.
- Legal Hold: If any information is needed to comply
with legal obligations or resolve disputes, we will retain that
specific data as long as necessary for that purpose. For example, if
we receive a legal order to preserve data, or if a dispute or claim
is ongoing, we will retain the relevant data until the matter is
resolved.
Once the retention period expires or the purpose of processing is
fulfilled, we will securely delete or anonymize your personal data.
When anonymized, data will no longer be associated with you and may be
used for analytical purposes indefinitely without further notice.
Your Rights and Choices
You have rights regarding your personal data, especially if you are
located in the EU or a region with similar laws. We are committed to
honoring these rights. Your principal rights include:
- Access and Portability: You have the right to
request a copy of the personal data we hold about you. We can
provide you with a copy in a common electronic format. For example,
you can request that we send you the information we have (such as
your account details and any associated data). In many cases, this
will just be your name, email, and subscription info.
- Rectification: If any of your information is
incorrect or outdated, you have the right to ask us to correct it.
For instance, if you realize the name we have from Google OAuth is
an old nickname and you want to update it, you can update it via
your Google profile or contact us to refresh the data. We want to
ensure your data is accurate.
- Erasure (Right to be Forgotten): You can request
that we delete your personal data. This is not an absolute right,
but we will honor it unless we have a specific legal reason to keep
your data. If you no longer wish to use PocaFinder, you can ask us
to delete your account and personal info. As noted in
Data Retention, we'll erase what we can and let you
know if any data must be kept (e.g. transaction records for lawful
obligations).
- Restriction of Processing: You have the right to
ask us to limit how we use your data in certain circumstances – for
example, if you contest the accuracy of your data, you can request
we restrict processing until the accuracy is verified. This could
also apply if you object to our use of your data and we are
evaluating that request. During such restrictions, we can store the
data but not use it for anything not agreed to.
- Objection to Processing: You have the right to
object to processing of your personal data where we rely on
legitimate interests as the legal basis. For example, you can object
to us using your data for analytics. If you object, we will
re-evaluate whether we have compelling legitimate grounds to
continue processing or if we need to stop. Generally, we will comply
with objections to analytics or marketing uses. For essential uses
(like providing the service), if you object, we will likely have to
close your account since we cannot provide the service without that
data.
- Withdraw Consent: If we are processing any data
based on your consent, you have the right to withdraw that consent
at any time. For example, if you consented to a future feature that
sends marketing emails, you can later opt out. Withdrawing consent
will not affect the lawfulness of processing before the withdrawal.
Note that using Google OAuth is voluntary – if you no longer want
Google to share your info with us, you can disconnect your Google
account from PocaFinder (though you will lose access since it's our
login method).
- Data Portability: Where applicable, you can ask to
receive your personal data in a structured, commonly used,
machine-readable format, and you have the right to transmit that
data to another service. For PocaFinder, since we store minimal
data, this might simply be an export of your basic account
information and perhaps any saved preferences (if applicable).
- Lodge a Complaint: If you believe we have infringed
your data protection rights, you have the right to lodge a complaint
with a supervisory authority. Since PocaFinder is based in Spain,
you can contact the Spanish Data Protection Agency (AEPD), or you
may reach out to your local data protection authority in the EU. We
would, however, appreciate the chance to address your concerns
directly first – please feel free to contact us and we will do our
best to resolve any issue.
To exercise any of these rights, please contact us at
[email protected]. We may need to
verify your identity (to ensure we don't give your data to someone
else), and we will respond to your request within the timeframes
required by law (under GDPR, typically within one month). Exercising
your rights is free of charge in most cases. If your requests are
unfounded or excessive (for example, repetitive requests), we may
charge a reasonable fee or refuse to act – but we will explain our
reasoning in such cases.
International Data Transfers
PocaFinder is a global service, and the personal data we collect may
be transferred to and stored on servers in countries outside of your
own. Specifically, note that:
- We are based in Spain (within the European Union). If you are using
our service from outside the EU, your information will be
transmitted to and processed in Spain.
- We use third-party providers (Google, Cloudflare, Stripe) that are
based in the United States and other countries. This means your
personal information (e.g., your email from Google OAuth, or your IP
address in analytics logs, or payment data) might be transferred to
or processed on servers located in the United States or other
jurisdictions outside the EU/EEA.
Whenever we transfer personal data out of the EU/EEA, we ensure a
similar degree of protection is afforded to it by
implementing at least one of these safeguards:
- Standard Contractual Clauses: We rely on contracts
that contain standard data protection clauses (approved by the
European Commission) which obligate the recipient to protect your
data to EU standards. For example, our contracts with Cloudflare and
Stripe include such clauses to cover EU–US data transfers.
- Adequacy Decisions: In some cases, we may transfer
data to countries that the European Commission has deemed to have an
adequate level of data protection.
- Privacy Frameworks or Certifications: We ensure
that our providers like Google and Stripe adhere to frameworks or
certifications that are recognized for lawful data transfer (for
instance, in the past, frameworks like EU-US Privacy Shield were
used; currently, providers may use updated mechanisms or binding
corporate rules). Stripe and Google have robust privacy and security
programs and are GDPR-compliant as processors.
- Your Consent: In rare situations where none of the
above safeguards are available, we would transfer data with your
explicit consent. However, in practice, our transfers are covered by
the aforementioned legal safeguards.
We understand that international data transfers can carry certain
privacy risks due to different laws in other countries. Rest assured,
we take steps to ensure any third party we work with treats your data
securely and in accordance with this Privacy Policy and applicable
law. If you would like more information about our transfer mechanisms
or have specific questions, feel free to contact us.
Data Security
- Firewalls and Monitoring: Our hosting provider
(Cloudflare) provides an additional layer of security against
threats such as DDoS attacks and malicious bots. We also keep our
systems updated and monitor for any signs of intrusion or
vulnerabilities.
- Data Minimization: We deliberately collect and
retain only what we need. By limiting the amount and sensitivity of
data we hold, we reduce the risk to you in the unlikely event of a
breach. For instance, since we offload payment data to Stripe, our
databases do not hold credit card numbers that could be targeted.
- Regular Backups: We perform regular backups of
critical data to ensure we can recover from any server issues or
disasters. These backups are encrypted and stored securely.
- Testing and Auditing: We periodically review our
security practices and may run tests (or use third-party audits) to
identify and fix potential weaknesses in our infrastructure.
Despite all our efforts, it's important to note that
no method of transmission over the internet or method of electronic
storage is 100% secure. While we strive to protect your personal data, we cannot guarantee
its absolute security. In the event of a data breach that affects your
personal information, we will notify you and the relevant authorities
as required by law, and we will take all necessary steps to mitigate
the impact and prevent future occurrences.
You also play a role in keeping your data secure. Please maintain the
security of your Google account (used for PocaFinder login) by using a
strong password and not sharing your login credentials. If you suspect
any unauthorized access to your PocaFinder account or personal data,
notify us immediately.
Links to Other Websites
PocaFinder is a search engine for K-pop photocard trades, which means
our service may provide links or search results that lead to
third-party websites or platforms (for example, forums, marketplaces,
or social media posts where photo cards are traded). If you follow a
link to any third-party site, please be aware that those websites have
their own privacy policies and practices, which are beyond our
control.
This Privacy Policy applies only to data processed by PocaFinder. We
are not responsible for the content, privacy, or security practices of
external sites. We encourage you to review the privacy policies of any
third-party websites you visit after using our search results. Those
sites might collect your personal information separately (for example,
if you initiate a trade or purchase on another platform, that platform
will have its own data collection).
Nonetheless, if you find a third-party link on PocaFinder that you
believe is malicious or inappropriate, feel free to report it to us so
we can consider removing or blocking it to protect our users.
Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to
reflect changes in our practices, technologies, legal requirements, or
for other operational reasons. When we make changes, we will:
- Post the updated policy on this page with a new
“Last Updated” date at the top.
- If the changes are significant, we may provide a more prominent
notice (such as an email notification to registered users or a
banner on our website) to inform you of the update.
We encourage you to review this Privacy Policy periodically to stay
informed about how we are protecting the personal information we
collect. Your continued use of PocaFinder after any changes to this
Policy will be deemed acceptance of those changes,
provided that if the changes materially affect how
your personal data is handled, we will seek your consent where
required by law.
If you do not agree with any updates to the Policy, you should stop
using the service and you may request that we delete your personal
data as outlined in the Your Rights section.
We will do our best to address your inquiry promptly and thoroughly.
If you reach out regarding a privacy concern, you may be asked to
provide additional information to verify your identity for security
reasons, especially when it comes to exercising your data rights.