Overview
Cardstock is a browser extension that monitors product availability at retail websites and sends you notifications when items come back in stock.
The short version: We collect only what's necessary to make the extension work. We don't sell your data, we don't track your browsing, and we don't use third-party analytics.
Information We Collect
| Data | Purpose | Storage |
|---|---|---|
| Email address | Account authentication | Stored only as a salted SHA-256 hash (plaintext not retained) |
| API key | Authenticating your connection to our server | Stored securely on our server; prefix stored locally in extension |
| User preferences | Filtering alerts by retailer, brand, etc. | Chrome sync storage (syncs across your devices) |
| Phone number (only if you opt in to SMS alerts) | Sending SMS notifications when Pokemon Center activates a queue | Encrypted at rest on our server. A salted hash is also stored for duplicate-detection without decryption. See "SMS Alerts" below. |
Information We Don't Collect
- Browsing history - We don't track what websites you visit
- Personal information - No name, address, or payment info
- Phone number, unless you explicitly opt in to SMS alerts - SMS is optional; see "SMS Alerts" below
- Analytics or tracking - No Google Analytics, no third-party trackers, no ads
- Retailer account credentials - We never ask for your Target, Best Buy, or Amazon login
SMS Alerts (Opt-In Only)
SMS notifications are an optional feature. If you do not opt in, we never have your phone number.
When you opt in via the Cardstock extension settings, you provide a phone number, tick a checkbox consenting to receive automated SMS alerts, tick a separate checkbox agreeing to these terms, and verify the number with a one-time code we text you. Only after both checkboxes are confirmed and the code is verified do we activate SMS for your account.
What we store for SMS subscribers:
- Your phone number in E.164 format (e.g. +13035551234), encrypted at rest with a key we hold separately from the database.
- A salted hash of your phone number, used to detect duplicate sign-ups without decrypting any stored number.
- Timestamps recording when you ticked each consent checkbox, which version of these policies was in effect, and a hashed copy of your IP address and user-agent string for fraud investigation. These hashed values cannot be reversed to your IP or device.
- Which event types you've subscribed to (queue detected, captcha gate, security change).
What we never store: your phone number in plaintext form, your name, your carrier, your location, your messaging history with us, or anything else carriers may attach to your number.
Message content: SMS messages contain the event type (e.g. "Pokemon Center queue DETECTED"), a link to pokemoncenter.com, and an instruction to reply STOP to opt out. Message and data rates may apply. Message frequency varies based on drop activity.
Opt-out: You can disable SMS at any time from the extension settings or by replying STOP, HELP, UNSUBSCRIBE, CANCEL, END, or QUIT to any message we send. When you opt out, we delete your encrypted phone number and the salted hash. We retain a record showing only that an opt-out occurred, with timestamps, for legal compliance (see "Data Retention" below).
SMS delivery vendor: SMS messages are delivered through a third-party carrier-services provider (currently AWS End User Messaging). To deliver a message we provide only your phone number, the message text, and a sender identifier. We do not share any other information with the carrier.
How We Use Your Information
- Email hash - Used solely to verify your identity when you authenticate. We cannot recover your email from the hash.
- API key - Validates your connection to receive real-time stock alerts via WebSocket.
- Preferences - Applied locally in the extension to filter which alerts you see and how they're displayed.
Extension Permissions
The extension requests the following Chrome permissions:
- tabs - To open product pages when alerts arrive, prevent duplicate tabs, and clean up stale tabs
- notifications - To show desktop notifications when products restock
- storage - To save your preferences and sync them across devices
- Host permission (cardstock.cc) - To connect to our server for real-time alerts and fetch the product catalog
Data Security
We take reasonable measures to protect your information:
- Email addresses are hashed with SHA-256 before storage - we cannot see or recover your plaintext email
- API keys are generated with cryptographically secure random values
- All connections use HTTPS/WSS encryption
- We don't store any data we don't need
Third-Party Services
The extension connects only to our own server (cardstock.cc). We do not share your data with any third parties.
When you click on product links, you'll be directed to retailer websites (Target, Best Buy, Amazon). These retailers have their own privacy policies that apply when you visit their sites.
Affiliate Links
Product links in the extension may include affiliate codes. If you make a purchase after clicking one of these links, we may receive a commission from the retailer.
When you use an affiliate link, the retailer (e.g., Amazon) tracks purchases made through that link and provides us with aggregate sales data such as products purchased and commission earned. This data cannot be tied back to individual users or your extension activity - we have no way of knowing who made a purchase, only that a purchase was made.
Currently, Amazon links include affiliate codes. We may add affiliate relationships with other retailers in the future.
Data Retention
- Account data - Retained while your account is active. You can request deletion at any time.
- Local preferences - Stored in Chrome until you uninstall the extension or clear the data.
- SMS phone numbers - Retained only while you remain opted in. Deleted within minutes of opt-out.
- SMS consent records - The fact that you opted in or out, along with timestamps and which terms version was in effect, is retained for up to four years after opt-out for compliance with US telecom regulations (TCPA/CTIA). These records do not contain your phone number, name, IP address, or any other plaintext personal information — only your internal account identifier and timestamps.
Your Rights
You can:
- Request a copy of any data we have associated with your account
- Request deletion of your account and associated data
- Uninstall the extension at any time to remove all locally stored data
To make a request, contact us at the email below.
Changes to This Policy
If we make significant changes to this privacy policy, we'll update the "Last updated" date at the top and may notify users through the extension.