Privacy Policy
1. Controller and contact information
ManaGate ("we", "us", "our") is the controller responsible for the processing of personal data described in this Privacy Policy. The platform is operated by an independent developer based in Brazil and is subject to the Lei Geral de Proteção de Dados Pessoais (LGPD) — Federal Law No. 13,709 of August 14, 2018 — as well as, where applicable, the General Data Protection Regulation (GDPR) of the European Union.
Contact: hello@managate.app
For data protection inquiries, use the subject line "Privacy Request".
We aim to respond to all privacy requests within 15 calendar days in accordance with LGPD Art. 18, §5 and GDPR Art. 12(3).
2. Data we collect
2.1 Account data
When you create an account we collect: your email address, a username or display name you choose, and a hashed password. If you sign in via a third-party provider (e.g. Google), we receive your name and email from that provider under their privacy terms.
2.2 Collection and deck data
Card lists, deck configurations, folder structures, and notes you create are stored on our servers so you can access them across devices. This data belongs to you and is not used for advertising or sold to third parties.
2.3 Usage data
We collect anonymized, aggregated usage events (e.g. “AI deck generation requested”) to improve the platform. These events do not include card lists, deck contents, or any data that identifies you individually.
2.4 Payment data
Pro subscriptions are processed by a third-party payment provider. We receive only a confirmation token and your subscription status — we do not store full card numbers, CVV codes, or bank details.
2.5 Technical data
Standard server logs may include your IP address, browser type, operating system, and request timestamps. Logs are retained for a maximum of 30 days for security and debugging purposes, then deleted.
2.6 Data you do not provide
We do not collect biometric data, sensitive personal data (as defined by LGPD Art. 11 and GDPR Art. 9), or data from users under 13 years of age. See Section 9 on children.
3. Legal bases for processing
We process personal data only when we have a valid legal basis under both LGPD and GDPR:
- Account creation and authentication — Contract performance (LGPD Art. 7 V; GDPR Art. 6(1)(b)).
- Storing your collection and decks — Contract performance (LGPD Art. 7 V; GDPR Art. 6(1)(b)).
- Processing Pro subscription payments — Contract performance (LGPD Art. 7 V; GDPR Art. 6(1)(b)).
- Sending transactional emails (e.g. password reset) — Contract performance (LGPD Art. 7 V; GDPR Art. 6(1)(b)).
- Aggregated analytics to improve the platform — Legitimate interest (LGPD Art. 7 IX; GDPR Art. 6(1)(f)).
- Security monitoring and fraud prevention — Legitimate interest (LGPD Art. 7 IX; GDPR Art. 6(1)(f)).
- Optional marketing emails — Consent (LGPD Art. 7 I; GDPR Art. 6(1)(a)).
- Legal compliance and regulatory obligations — Legal obligation (LGPD Art. 7 II; GDPR Art. 6(1)(c)).
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. You may object to processing on this basis at any time (see Section 7).
4. Data sharing and third parties
We do not sell personal data. We may share data with trusted service providers who act as data processors under written agreements binding them to LGPD/GDPR-equivalent obligations:
- Cloud infrastructure: Servers and storage hosted with providers in Brazil and/or the EU/EEA.
- Payment processing: Subscription billing handled by a PCI-DSS-compliant processor. Only your subscription status is shared back to us.
- Email delivery: Transactional emails sent via a third-party email service provider.
- AI processing: Deck prompts and rules queries may be processed by an AI model provider under a data processing agreement that prohibits training on your inputs.
Card price data is fetched from public APIs (TCGplayer, Cardmarket, Liga Magic). Your identity is never transmitted to these services.
We may disclose data to law enforcement or regulators where required by applicable Brazilian law (e.g. LGPD Art. 7, II) or EU law, and only to the extent strictly necessary.
5. International data transfers
If any personal data is transferred outside Brazil or the EU/EEA, we ensure adequate protection through one or more of the following mechanisms:
- ANPD-recognized adequacy decisions or standard contractual clauses (LGPD Art. 33)
- EU Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46)
- Binding Corporate Rules or other approved transfer mechanisms
You may request a copy of the relevant safeguards by contacting us at hello@managate.app.
6. Data retention
- Active accounts: Data is retained for as long as your account is active.
- Deleted accounts: Personal data is deleted within 30 days of account deletion, except where retention is required by law (e.g. tax records).
- Server logs: Retained for up to 30 days, then automatically deleted.
- Backup copies: Encrypted backups may retain data for up to 90 days before being overwritten.
You can delete your account and all associated data at any time from your account settings, or by contacting us.
7. Your rights
Under the LGPD (Art. 18) and GDPR (Arts. 15–22) you have the following rights regarding your personal data:
- Access: Obtain confirmation of whether we process your data and receive a copy of it.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request erasure of your personal data, subject to legal retention obligations.
- Portability: Receive your data in a structured, machine-readable format (JSON or CSV).
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
- Revoke consent: Withdraw any consent you gave at any time, without affecting prior processing.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Lodge a complaint: File a complaint with the ANPD (Brazil) or your local data protection authority (EU/EEA).
To exercise any of these rights, email hello@managate.app with the subject line "Privacy Request" and describe what you are requesting. We will respond within 15 calendar days. We may need to verify your identity before acting on a request.
For EU residents: you may also lodge a complaint with the supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.
8. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Bcrypt password hashing — plaintext passwords are never stored
- Access controls and least-privilege principles for internal systems
- Regular dependency and vulnerability audits
- Automated backup with 90-day retention and encrypted storage
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent authority (ANPD and/or relevant EU supervisory authority) and affected users within the legally required timeframes (LGPD Art. 48; GDPR Art. 33–34).
9. Children
ManaGate is not directed to individuals under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it promptly. If you believe a child under 13 has created an account, please contact us at hello@managate.app.
Users between 13 and 18 should have parental consent before using the platform in accordance with applicable local laws.
10. Third-party links and services
The platform may contain links to external sites (e.g. TCGplayer, Cardmarket, Scryfall). We are not responsible for the privacy practices of those sites and recommend reading their respective privacy policies.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify you by email or prominent notice in the app at least 30 days before the changes take effect.
Your continued use of ManaGate after any changes constitutes acceptance of the updated policy.
12. Contact and Data Protection Officer
For all privacy-related questions, access requests, or complaints:
ManaGate — Privacy
Email: hello@managate.app
Subject line: Privacy Request
Response time: up to 15 calendar days
As a small independent operator we do not have a formal DPO appointment requirement under LGPD (only applicable to public bodies or private entities of significant scale). However, our designated privacy contact handles all data protection matters and can be reached at the address above.