Privacy Policy

1. Who We Are

This Privacy Policy explains how bujusjujus LLC, an Arizona limited liability company ("bujusjujus," "we," "our," or "us"), collects, uses, shares, and protects information about you when you use our website, account, subscription, and notification services (the "Service"). By using the Service, you agree to this Privacy Policy.

2. What We Collect

We collect only the information needed to provide the Service:

3. How We Use Your Information

• Provide, maintain, and improve the Service.
• Authenticate accounts and protect against fraud, abuse, and unauthorized access.
• Send push notifications about Pokemon TCG product availability via ntfy.
• Process payments through our payment processor (Square).
• Send transactional emails (account confirmation, billing receipts, password resets, service announcements such as outages or material changes to these terms).
• Comply with legal obligations and enforce our Terms of Service.

We do not sell or rent your personal information, and we do not use it to deliver third-party advertising or to "share" it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

4. Cookies & Similar Technologies

We use a small number of cookies and similar technologies for essential and analytics purposes:

• Essential / session cookies — required for login, account access, and CSRF protection.
• Analytics cookies — Google Analytics sets cookies (e.g., _ga) to measure aggregated traffic, pages viewed, and referral source. We have IP-anonymization features enabled where supported. We do not use Google Analytics for advertising or remarketing.
• Cloudflare — Cloudflare may set cookies (e.g., __cf_bm, cf_clearance) for bot protection and security.

You can control cookies through your browser settings. Blocking essential cookies will prevent the Service from functioning correctly. We do not use cookies for advertising or to sell or share data with advertisers.

5. Third-Party Services (Sub-Processors)

We rely on the following third parties to provide the Service. Each handles data under its own privacy policy:

• Square — payment processing. Square handles all card data under their privacy policy.
• ntfy — push notification delivery. Notifications are delivered to your assigned ntfy topic. Only the notification content (product name, retailer, link) is transmitted.
• Apple Push Notification service (APNs) — iOS-only push delivery. When you sign in on the iOS app we register an APNs device token with Apple so restock alerts reach your phone. Apple receives the notification payload (product name, retailer, link) and the device token; Apple does not see your account credentials. See Apple's privacy policy.
• Apple App Attest (DeviceCheck) — iOS-only device integrity verification. On first sign-in the iOS app asks Apple's servers to attest that the install is genuine and running on a real Apple device. We receive a device-bound public key + monotonic counter from Apple. No private key material leaves your device's Secure Enclave. See Apple's App Attest documentation.
• Cloudflare — DDoS protection, SSL, CDN, and Turnstile bot verification on the signup form. See the Cloudflare privacy policy.
• Google Analytics — aggregated, pseudonymous traffic measurement only. See the Google privacy policy.
• Hosting infrastructure — our virtual private server provider, used to host the application and database.

6. Data Sharing & Disclosure

We do not sell, rent, or trade your personal information. We share information only:

• With sub-processors listed in Section 5, strictly to operate the Service;
• To comply with applicable law, valid legal process, or a government request;
• To enforce our Terms, protect the security of the Service, or prevent fraud or abuse; or
• In connection with a merger, acquisition, financing, or sale of all or substantially all of our assets, in which case we will provide notice before your information becomes subject to a different privacy policy.

7. Data Retention

• Account data is retained for as long as your account is active.
• If you cancel, account data is retained for 90 days in case you wish to resubscribe, then permanently deleted, except for billing and tax records we are legally required to keep.
• Server access and security logs are retained for up to 90 days.
• You may request immediate deletion at any time (see Section 9).

8. Security

• Passwords are stored as one-way hashes — never in plaintext.
• Card data is processed entirely by Square's PCI-compliant infrastructure; we never receive or store full card numbers.
• All connections to the Service are encrypted via HTTPS/TLS.
• Server access is restricted, authenticated, and monitored.
• No method of transmission or storage is 100% secure. We cannot guarantee absolute security but follow industry-standard practices.

9. Your Privacy Rights

Subject to applicable law, you have the right to:

• Access the personal information we hold about you;
• Correct inaccurate or outdated information;
• Delete your account and associated personal information;
• Receive a copy of your data in a portable format;
• Opt out of any "sale" or "sharing" of personal information (we do not sell or share your data for cross-context behavioral advertising); and
• Limit the use of any sensitive personal information (we do not collect sensitive personal information as defined under state law).

To exercise any of these rights, email [email protected] from the email address on file. We will verify your request and respond within 30 days (45 days where allowed by law). If you submit a request through an authorized agent, we may require proof of authorization. We will not discriminate against you for exercising these rights.

If you are a resident of California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or another state with a comprehensive privacy law, you have the rights described above to the extent provided by your state's law. You may also have a right to appeal a decision; appeals can be sent to the same address with the subject "Privacy Appeal."

10. Do Not Track & Global Privacy Control

Because we do not engage in cross-site tracking for advertising and do not "sell" or "share" personal information for behavioral advertising, "Do Not Track" and Global Privacy Control signals do not change how we process your information. We will, however, treat such signals as a request to opt out of any future "sale" or "sharing" should our practices change.

11. Children's Privacy (COPPA)

The Service is not directed to children under 18 and is not intended for children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

12. International Users

The Service is operated from the United States and is intended for U.S. users. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., where data protection laws may differ from those in your jurisdiction.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The "Last updated" date above reflects the most recent revision.

14. Contact

Privacy questions, data requests, or account cancellations? Email [email protected] or reach us on X (@bujusjujus). Mail: bujusjujus LLC, c/o registered agent on file with the Arizona Corporation Commission.