Privacy
First Edition is a non-commercial fan project. We collect as little about you as possible. If you never create an account, nothing about you leaves your own device. This page explains what changes when you do sign in, what we hold, why, and how to control it.
Who we are
First Edition is operated by a private individual in the Netherlands as a non-commercial fan project. For the purposes of the GDPR, that operator is the data controller for any personal data described here. For any privacy question, or to exercise the rights described below, email [email protected].
What we collect and why
You can use the whole simulator — opening packs, building binders, decks, and banlists — without an account. If you choose to create one, we collect only what the account itself needs:
- Your email address — the only thing that identifies your account. We use it to sign you in (we send a one-time link — there are no passwords) and to send you essential account emails.
- Your account record — a small database row marking that your account exists, whether your email is confirmed, and when it was created and last updated.
- Sign-in session data — while you are signed in we keep a session so you don't have to log in on every page. This includes a session identifier and technical details your browser sends with the request (your IP address and browser user-agent), used only to keep the session secure and to let you sign out.
- Sign-in link tokens — when you request a sign-in link we store a short-lived, single-use token. It is kept hashed, never in plain form, and only proves that you control the email address.
- Anti-abuse counters — to stop the sign-in system being abused to send mail to people, we store a one-way hash of your email address (SHA-256 — never the address itself) alongside a request counter.
- Email delivery data — our email provider processes your address and the delivery status in order to actually send your sign-in and account emails.
Our lawful bases (GDPR Art. 6) are simple: most of this is necessary to provide the account service you asked for (Art. 6(1)(b)), and the security and anti-abuse pieces rest on our legitimate interest in keeping the service safe (Art. 6(1)(f)).
What we deliberately don't collect: no name, no username, no date of birth, no address, no phone number, no payment details, and no passwords at all — sign-in is passwordless. We run no advertising, no cross-site tracking, and build no profiles about you.
Your collection stays on your device
Everything you build in the simulator — packs opened, binders, decks, and custom banlists — is saved in your browser's localStorage. Today this data stays on your device only; we never receive it, even when you are signed in. You can clear it any time from the reset controls in the app or through your browser's settings. In a future version you will be able to opt in to saving your collection to your account so it syncs across devices — when that ships, this page will be updated to describe exactly what is stored and how.
Cookies
If you are not signed in, we set no cookies at all.
When you sign in, we set a single strictly-necessary session cookie (__Secure-better-auth.session_token) so you stay logged in. It is HttpOnly, Secure, and SameSite=Lax. We use no tracking or advertising cookies. Because the session cookie is essential to a feature you asked for, no consent banner is required for it.
Analytics
We use Cloudflare Web Analytics to understand roughly how many people visit and which pages are popular. It is cookieless, measures only aggregate statistics, does no cross-site tracking, and does not build a profile that could identify you. See Cloudflare's privacy policy for details.
Who we share data with
We don't sell your data and we don't share it for advertising. We rely on two service providers (“processors”) to run the site:
- Cloudflare — hosts the site, runs the account backend and its database (located in the EU), stores card images (
img.bxxwlvnd.org), provides the cookieless analytics above, and provides the anti-abuse challenge (“Turnstile”) shown on the sign-in form, which receives your IP address to check that you are a real person. See Cloudflare's privacy policy. - Brevo — an EU email provider that delivers your sign-in links and account notifications. See Brevo's privacy policy.
How long we keep it
We keep your account and its email address for as long as your account exists. Everything else is short-lived by design:
- Sign-in links expire soon after they are sent and can be used only once.
- A signed-in session ends automatically after a period, and immediately when you sign out.
- If you request an account but never confirm your email, that unconfirmed account is removed automatically after a short time.
- The anti-abuse email hashes are discarded automatically after a short window.
When you delete your account we erase it immediately; any residual copies held in routine database backups age out shortly afterwards.
Your rights
Under the GDPR you have the right to access your data, to correct it, to erase it, to port it, and to restrict or object to how we use it. Because we hold so little, most of these are quick to honour.
The fastest way to erase everything is the Delete account button on your account page — it deletes your account and all associated data straight away. For anything else, email [email protected] and we will respond within one month.
If you think we have handled your data improperly, you have the right to complain to your data protection authority. In the Netherlands that is the Autoriteit Persoonsgegevens.
Where your data is processed
Your account data is stored in the European Union, and our email provider is EU-based. Cloudflare, however, is a US-headquartered company, so some processing may involve a transfer outside the EEA. Where that happens it is covered by Cloudflare's standard data-protection safeguards — the EU Standard Contractual Clauses and its certification under the EU–US Data Privacy Framework.
Security
We keep the amount of personal data we hold deliberately small, which is our strongest protection. Sign-in tokens and anti-abuse identifiers are stored hashed rather than in the clear, traffic is encrypted in transit, and access to the account database is restricted. No online service can promise perfect security, but a breach here is limited by design: there is little to lose beyond an email address.
Changes to this policy
If what we collect or how we use it changes — for example when cross-device sync ships — we will update this page to reflect exactly what is collected, why, and how to manage it. The git history of this page is public.
Last updated: July 2026 (v2).
