Privacy Policy
Last updated · 5 May 2026
CodexMox is a free, privacy-friendly Magic: The Gathering card browser. We don't run ads, sell data, or build user profiles.
Card data is fetched from Scryfall on demand. Analytics are completely optional and only run if you accept them. Even if you accept, we never identify you personally.
01 Who we are
CodexMox is operated by linkedin.com/in/exceltior, based in Portugal. Questions or requests can be sent to privacy@codexmox.com.
02 What we collect, and why
Analytics — only if you consent
If you click Accept in the cookie banner, we record anonymous usage events through PostHog, hosted in the European Union (Frankfurt, Germany). The events we capture describe what you did with the site:
- Searches you ran (the query text and which filters were active)
- Filters and sort options you applied
- Cards you clicked through to Scryfall
- Whether you used the price-refresh button
- Pagination ("Load more") interactions
These events are not tied to your identity. We do not assign you a user ID, do not collect your name, email, or any account data (there are no accounts), and do not track you across other websites. The events are used in aggregate to understand which features are useful and which aren't.
Lawful basis: your consent under GDPR Article 6(1)(a). You can withdraw consent at any time using the "Cookie settings" link in the footer of any page.
Scryfall — always, but not by us
When you search or browse cards, your browser fetches data and images directly from scryfall.com. Scryfall therefore sees your IP address and the card data you request. CodexMox does not see, log, or store this. Scryfall's privacy policy applies: scryfall.com/docs/privacy-policy.
Google Fonts
The site loads typography from Google Fonts (fonts.googleapis.com, fonts.gstatic.com). Your IP address is briefly visible to Google during this fetch. Google's policy: policies.google.com/privacy. We may self-host the fonts in a future update to remove this dependency.
What we do not collect
- No names, emails, addresses, or account information — there are no accounts.
- No advertising trackers or pixels.
- No data sold or shared with anyone for marketing purposes.
- No session recordings, no keystroke logging, no screenshots.
- No cross-site or cross-session tracking.
03 Local storage
CodexMox stores a single value in your browser's local storage: your cookie consent decision (accepted or declined), so we can remember your choice and not prompt you on every visit.
This is a strictly necessary functional storage entry under the GDPR/ePrivacy framework — it is the consent record itself, and is therefore exempt from consent requirements.
We do not use cookies for anything else.
04 How long we keep data
- Analytics events (only if consented): retained per PostHog's standard retention settings, currently up to 7 years for our project. We may shorten this in the future.
- Local storage consent flag: until you clear your browser data or change your decision.
- Server logs: Vercel, our static hosting provider, retains standard access logs for short periods per their policy: vercel.com/legal/privacy-policy.
05 Third parties (sub-processors)
| Service | Purpose | Region |
|---|---|---|
| PostHog | Anonymous product analytics (consent-gated) | EU — Frankfurt |
| Scryfall | MTG card data and images | United States |
| Vercel | Static site hosting and edge network | Global edge |
| Google Fonts | Web typography | United States |
We have a Data Processing Agreement with PostHog. Scryfall, Vercel, and Google Fonts are accessed by your browser directly when you load or interact with the site.
06 International transfers
Card data and font assets are served from US-based providers (Scryfall, Google). Where personal data is transferred outside the EEA, the receiving party relies on Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR Article 46. Analytics, where consented, stay entirely within the EU.
07 Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Object to processing
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority — in Portugal, the CNPD: cnpd.pt
Practical note: because CodexMox does not identify you, our ability to act on access or erasure requests is structurally limited — there is no user record on our side to retrieve. The most effective ways to exercise your rights are:
- Withdraw consent via the "Cookie settings" link in the footer; we'll stop sending events immediately.
- Clear your browser's local storage for codexmox.com to remove the consent record.
- Email us at privacy@codexmox.com if you have a specific concern.
08 Children
CodexMox is suitable for all ages but is not directed at children under 13, and we do not knowingly collect data from children. If you are a parent or guardian and have concerns, please reach out.
09 Security
The site is served exclusively over HTTPS. Analytics requests, when made, are TLS-encrypted in transit and stored within PostHog's EU infrastructure. We do not operate a database or backend of our own.
10 Changes to this policy
If we change this policy materially, we'll update the "Last updated" date above and, where appropriate, prompt you to review the changes on your next visit.
11 Contact
Questions, requests, or complaints:
Email: privacy@codexmox.com
If you don't receive a response within a reasonable time, you may contact the Portuguese supervisory authority directly: cnpd.pt.