Privacy Policy

DuplexLabs ("we," "us," or "our") operates LastraPro, including the web application at app.lastrapro.com and the LastraPro mobile application for iOS and Android (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Service.

By using LastraPro, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

• Account Information: Email address, password (stored as a cryptographic hash), and display name when you register.
• Collection Data: Pokemon TCG card entries, quantities, conditions, and notes you add to your collections.
• Trade Session Data: Trade proposals, session history, and counterparty interactions created through peer-to-peer trade sessions.
• Transaction Records: Purchase and sale records when using vendor buy/sell features.
• Payment Information: Subscription billing is processed by Stripe. We do not store your full credit card number, expiration date, or CVV on our servers. We receive a tokenized reference and basic billing details (last four digits, card brand, billing address) from Stripe.
• Support Communications: Messages and information you provide when contacting us for support.

1.2 Information Collected Automatically

• Device and Usage Data: Device type, operating system, app version, and general usage patterns (features accessed, session duration).
• Authentication Tokens: JSON Web Tokens (JWT) stored in secure device storage on mobile to maintain your session.
• Push Notification Tokens: Device tokens used to deliver push notifications you have opted into, via the Expo push notification service.
• IP Address: Collected with server requests for security, rate limiting, and abuse prevention.

1.3 Camera and Image Data

The LastraPro mobile app requests camera access solely for the AI card scanning feature. When you scan a card, the image is transmitted to our servers for identification, then immediately discarded after processing. We do not store, retain, or use scanned images for any purpose beyond real-time card identification.

1.4 Information from Third Parties

We use pricing data sourced from TCGplayer (via tcgcsv.com) to display card market values. This is publicly available market data and does not involve sharing your personal information with TCGplayer.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including collection tracking, trade sessions, and portfolio analytics.
• Process your subscription payments through Stripe.
• Send push notifications you have opted into, such as price alerts and trade session updates.
• Display market pricing data and portfolio value calculations using TCGplayer pricing.
• Authenticate your identity and protect account security.
• Detect, prevent, and address fraud, abuse, and technical issues.
• Respond to support requests and communicate service-related updates.
• Improve and develop new features for the Service.

3. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

• Service Providers: We share information with third-party vendors who perform services on our behalf:
  • Stripe — payment processing
  • Expo (Expo Application Services) — push notification delivery
  • Cloud infrastructure provider — hosting and data storage
• Trade Session Participants: When you participate in a trade session, your display name, proposed cards, and trade activity are visible to other participants in that session. QR invite codes and share links allow others to join your trade sessions.
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of DuplexLabs, our users, or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4. Data Storage and Security

Your data is stored in PostgreSQL databases with Redis caching on cloud infrastructure. We implement industry-standard security measures including:

• Passwords stored using cryptographic hashing (never in plain text).
• JWT authentication tokens with expiration and secure storage on mobile devices.
• Encrypted data transmission via TLS/HTTPS.
• Access controls and monitoring on our infrastructure.

No method of electronic storage or transmission is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you request account deletion, your account is deactivated immediately and your data is permanently deleted after a 30-day retention period. During this window, you may contact us to restore your account.

We may retain certain information as required by law (such as transaction records for tax or accounting purposes) or to resolve disputes and enforce agreements.

6. Children's Privacy

LastraPro is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at support@lastrapro.com and we will promptly delete that information.

For users between 13 and 18, we recommend that a parent or guardian review this Privacy Policy and supervise their use of the Service.

7. Your Privacy Rights

7.1 All Users

Regardless of your location, you may:

• Access and update your account information through your profile settings.
• Delete your account at any time from within the app or by contacting us.
• Opt out of push notifications through your device settings.
• Request a copy of the personal data we hold about you.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete your personal information, subject to certain legal exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is no need to opt out, as this activity does not occur.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise your California privacy rights, email us at support@lastrapro.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.

8. Third-Party Services

The Service integrates with third-party services as described in Section 3. Each third-party service provider operates under its own privacy policy. We encourage you to review:

• Stripe Privacy Policy
• Expo Privacy Policy

We do not currently use third-party analytics SDKs. If this changes, we will update this policy accordingly.

9. Cookies and Local Storage

The LastraPro web application uses essential cookies and local storage for authentication and session management. We do not use tracking cookies or third-party advertising cookies. The mobile application uses secure device storage for authentication tokens and user preferences.

10. International Users

LastraPro is operated from the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We support multi-currency display (USD, EUR, GBP, CAD, AUD, JPY) for pricing convenience, but this does not change where your data is stored or processed.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Effective Date" at the top of this page and, where appropriate, through in-app notifications or email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us: