Privacy Policy

Effective Date: December 7, 2025

This Privacy Policy describes how Galaxy Card Shop LLC, doing business as GalaxyGrails.io (“GalaxyGrails.io,” “we,” “our,” or “us”), collects, uses, and safeguards your personal information when you use GalaxyGrails.io and any related services, features, or communications (collectively, the “Services”).

By using the Services, you agree to this Privacy Policy. If you do not agree, please stop using GalaxyGrails.io.

Note: GalaxyGrails.io is operated by Galaxy Card Shop LLC and partners with Stripe for payments and wallet management, and with PSA Vault for physical card storage and shipment.
GalaxyGrails.io is not affiliated with, sponsored by, or endorsed by Professional Sports Authenticator (PSA), Certified Guaranty Company (CGC), or Beckett Grading Services (BGS).

1. Scope

This Privacy Policy applies to all personal information collected through GalaxyGrails.io, including account registration, pack purchases, wallet deposits or withdrawals, buyback transactions, live event participation, and customer support.
The Services are currently available only to residents of the United States.

Residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia: Please see state-specific disclosures in Section 10, "U.S. State Privacy Rights," below.

2. Information We Collect

2.1 Information You Provide

We collect the following types of information directly from you when you use GalaxyGrails.io:

Account Information: Name, email address, username, and password.
Payment & Billing Details: Billing address, payment method details, and transaction identifiers (processed by Stripe).
Shipping Information: GalaxyGrails.io securely stores your shipping address in order to (1) facilitate shipping of vault withdrawals via PSA Vault, (2) provide required details to Stripe for payment and fraud verification, and (3) comply with tax and shipping regulations.
Transaction & Wallet Data: Deposits, withdrawals, buybacks, and pack purchases.
Communications: Emails, chat messages, and customer support interactions.
Verification Information: Stripe may request identity verification data (e.g., date of birth, last four digits of SSN, or ID image) for compliance with U.S. financial regulations.

2.2 Information Collected Automatically

Device & Usage Data: IP address, browser type, operating system, device identifiers, session times, and interaction logs.
Usage Information: How you interact with the Services, such as pages visited, features used, time spent on pages, and other activity within GalaxyGrails.io.
Analytics & Cookies: Cookies and similar technologies help authenticate users, monitor security, and improve performance. For more detail, see Section 9 ("Your Rights and Choices") below.

2.3 Third-Party Service Relationships

Stripe: Provides payment processing, identity verification, and transaction confirmations. We may receive transaction status, verification results, and fraud signals from Stripe.
PSA Vault: Receives only the data necessary to ship your cards (name, shipping address, and order ID). PSA Vault does not access or store analytics, payment, or communication data.
Analytics & Infrastructure Providers: Offer anonymized and aggregated metrics to improve site reliability and performance.

GalaxyGrails.io does not buy, sell, rent, or trade personal information with third parties.

3. How We Use Your Information

GalaxyGrails.io uses collected information to:

Operate and maintain the Services, including live pack events, wallet features, and vault storage.
Process payments and payouts, managed by Stripe using your stored billing and shipping details.
Fulfill shipments of cards through PSA Vault.
Verify identity and prevent fraud, including a standard 7-day withdrawal hold for new deposits.
Communicate with you about transactions, account updates, and support issues.
Comply with legal requirements, including tax, AML, and recordkeeping laws.
Improve the user experience, through analytics and feature development.
Provide public event history, replays, and fairness tools, including pack-event pages, event replays, and fairness reports that may display your username and pull history to other users and visitors on GalaxyGrails.io.

GalaxyGrails.io never uses your data for third-party marketing or profiling.

4. Legal Basis for Processing

GalaxyGrails.io processes personal information under the following bases:

Performance of a contract: To provide and fulfill your purchases, payments, and shipments.
Legal obligations: To comply with financial, anti-fraud, and tax laws.
Legitimate interests: To maintain platform security and improve services.
Consent: For optional communications and analytics tracking.

5.1 Service Providers

GalaxyGrails.io shares limited information with:

Stripe, Inc. — for payment processing, wallet payouts, and fraud prevention. Stripe requires billing and shipping addresses for regulatory compliance.
PSA Vault (Collectors Universe, Inc.) — for physical card storage and shipment only. PSA Vault does not receive any financial or communication data.
Hosting & Infrastructure Providers — for secure site operation and performance monitoring.
Randomness & Fairness Providers (e.g., Chainlink VRF and related blockchain infrastructure) — for generating verifiable randomness and supporting provably fair pack events. These providers may process technical metadata such as event identifiers or VRF request IDs but do not receive your billing details, email address, or shipping address from GalaxyGrails.io.

All third parties are under contractual obligations to process data only for the specified purposes and to maintain industry-standard security measures.

5.2 Legal and Regulatory Disclosures

GalaxyGrails.io may disclose data:

To comply with applicable laws, subpoenas, or government requests;
To enforce our Terms of Service and prevent fraud or abuse;
To protect the rights, property, or safety of GalaxyGrails.io or its users.

5.3 Business Transfers

In case of a merger, acquisition, or asset sale, user data may transfer as part of the transaction. Any successor entity will remain bound by this Privacy Policy.

GalaxyGrails.io does not sell or share personal data for targeted advertising.

6. Data Security

GalaxyGrails.io employs robust technical, administrative, and physical safeguards, including:

Encryption of data in transit and at rest;
Tokenization of payment information by Stripe (GalaxyGrails.io never stores full card data);
Encrypted storage of shipping and billing addresses;
Role-based access control and security monitoring;
Periodic audits and vulnerability assessments.

While no online system is completely secure, GalaxyGrails.io follows industry best practices to minimize risk.

7. Data Retention

GalaxyGrails.io retains personal information only as long as necessary to:

Provide and maintain your account and Services;
Satisfy legal and financial recordkeeping obligations;
Prevent fraud or abuse;
Resolve disputes and enforce agreements.

After retention periods expire, data is securely deleted or anonymized.

8. Data Breach Notification

If a data breach compromises your personal information, GalaxyGrails.io will promptly notify affected users and authorities as required by law, describing the nature of the breach, the affected data, and corrective actions taken.

9. Your Rights and Choices

9.1 Email Preferences

You can opt out of marketing or promotional emails at any time by clicking the "Unsubscribe" link in any such email or by contacting [email protected]. Even if you opt out, we may still send transactional communications regarding your account, purchases, shipments, or support requests.

GalaxyGrails.io uses the following categories of cookies:

Essential / Strictly Necessary: Required for the Services to function and cannot be disabled.
Functional: Enable features like saved preferences. Disabling these may impact some functionality.
Analytics / Performance: Collect usage data to improve the Services. These can be disabled in your browser settings.
Marketing / Advertising: GalaxyGrails.io does not use marketing or targeted advertising cookies.

9.3 Do Not Track

As of the Effective Date, there is no commonly accepted standard response to Do Not Track (DNT) signals. GalaxyGrails.io does not currently respond to DNT signals.

9.4 Global Privacy Control (GPC)

Where required by applicable law, GalaxyGrails.io will honor opt-out preference signals from Global Privacy Control (GPC). For more information, visit globalprivacycontrol.org.

9.5 State-Specific Rights

Depending on your state of residence, you may also have the right to:

Access and receive a copy of your data;
Correct inaccurate or incomplete data;
Request deletion of your data;
Appeal a denied privacy request.

Requests can be made to [email protected]. GalaxyGrails.io may verify your identity before fulfilling your request. For more details on how to close your account (including withdrawing wallet balances and managing cards in storage), please review our Account Management guide or contact [email protected].

10. U.S. State Privacy Rights

The following disclosures apply to residents of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

10.1 Categories of Personal Information Collected

See Section 2 ("Information We Collect") for a full description. Categories include: identifiers (name, email, address, account credentials); commercial information (transaction and purchase history); device and internet activity information; and financial information (processed by Stripe).

10.2 Purposes for Collection

See Section 3 ("How We Use Your Information") for the business and operational purposes for which we collect personal information.

10.3 Retention

GalaxyGrails.io retains personal information for the period necessary to fulfill the purposes described in this Policy, unless a longer period is required by law. We may be required to retain certain data after our relationship with you ends to satisfy legal or regulatory obligations.

10.4 Sale and Targeted Advertising

GalaxyGrails.io does not sell personal information and does not share personal information for targeted advertising purposes.

10.5 Your State Law Rights

You may have the right to:

Access / Know: Confirm whether we process your personal information and request access to specific pieces we hold about you.
Correct: Request correction of inaccurate personal information.
Delete: Request deletion of personal information we have collected from you. Note that exercising this right may affect our ability to provide certain Services.
Opt-Out of Sale / Targeted Advertising: GalaxyGrails.io does not sell data or engage in targeted advertising. No opt-out is required, but you may still submit a request to confirm.
Appeal: If your request is denied, you may appeal by contacting [email protected] and including "Privacy Request Appeal" in the subject line.

We will not discriminate against you for exercising any of the above rights.

10.6 How to Exercise Your Rights

Submit a request by emailing [email protected] with the subject line "Privacy Rights Request." We may require you to provide your name, contact information, and other details to verify your identity before fulfilling a request.

11. International Transfers

GalaxyGrails.io primarily stores and processes data in the United States.
If data is transferred internationally (e.g., via Stripe’s infrastructure), such transfers are protected using encryption and legally recognized safeguards like Standard Contractual Clauses (SCCs).

12. Children’s Privacy

GalaxyGrails.io is intended solely for users 18 years of age or older. If you are under 18, you may not use the Services. We do not knowingly collect personal information from individuals under 18. If you believe a minor has submitted personal information to us, please contact [email protected] and we will promptly delete it.

13. Notice of Monitoring

GalaxyGrails.io and its service providers may monitor activity on the Services for security, fraud prevention, and operational purposes. This may include logging pages visited, features used, items clicked, session duration, and other interactions. Cookies and similar technologies described in this Policy may also capture this information. By using the Services, you acknowledge and consent to this monitoring. If you do not consent, please discontinue use of the Services.

14. SMS Communications

If you provide your mobile phone number, GalaxyGrails.io may use it to send account-related SMS messages such as authentication codes, withdrawal confirmations, or support notifications. Message frequency may vary. Standard message and data rates may apply.

Opt-out: Reply STOP to any SMS from us to unsubscribe. You will receive a confirmation and no further messages will be sent.
Help: Reply HELP or contact [email protected].
Your mobile number will not be shared with third parties for marketing or promotional purposes. Text messaging opt-in data and consent will not be shared with any third party for their own purposes.

15. Links to Third-Party Sites

GalaxyGrails.io may link to third-party services such as Stripe or PSA Vault. These websites operate independently and are subject to their own privacy policies, which we encourage you to review. We are not responsible for the privacy practices of any third-party site.

16. Updates to This Policy

GalaxyGrails.io may update this Privacy Policy from time to time and will post any revisions on this page. The Effective Date at the top of this Policy reflects the most recent update. If material changes occur, GalaxyGrails.io will notify users via email or a notice on the website. Continued use of the Services after an update constitutes your acceptance of the revised Policy.

17. Contact Us

Email: [email protected]
Mail: Galaxy Card Shop LLC
2 Benton Road, Unit G-124
Travelers Rest, SC 29690, USA

18. Affiliation Disclaimer

GalaxyGrails.io is operated by Galaxy Card Shop LLC and is not affiliated with, sponsored by, or endorsed by Professional Sports Authenticator (PSA), Certified Guaranty Company (CGC), or Beckett Grading Services (BGS).
PSA Vault provides only physical storage and shipment of cards, under the direction of GalaxyGrails.io.

1. Scope​

2. Information We Collect​

2.1 Information You Provide​

2.2 Information Collected Automatically​

2.3 Third-Party Service Relationships​

3. How We Use Your Information​

4. Legal Basis for Processing​

5. How We Share Information​

5.1 Service Providers​

5.2 Legal and Regulatory Disclosures​

5.3 Business Transfers​

6. Data Security​

7. Data Retention​

8. Data Breach Notification​

9. Your Rights and Choices​

9.1 Email Preferences​

9.2 Cookie Preferences​

9.3 Do Not Track​

9.4 Global Privacy Control (GPC)​

9.5 State-Specific Rights​

10. U.S. State Privacy Rights​

10.1 Categories of Personal Information Collected​

10.2 Purposes for Collection​

10.3 Retention​

10.4 Sale and Targeted Advertising​

10.5 Your State Law Rights​

10.6 How to Exercise Your Rights​

11. International Transfers​

12. Children’s Privacy​

13. Notice of Monitoring​

14. SMS Communications​

15. Links to Third-Party Sites​

16. Updates to This Policy​

17. Contact Us​

18. Affiliation Disclaimer​