Privacy Policy
Last updated: July 2026
Overview
Zwipe is a Magic: The Gathering deck builder for mobile. This policy describes what data we collect, how we use it, and your rights.
Data We Collect
- Account data: email address, username, and a hashed password (never stored in plaintext).
- Deck data: the decks and card selections you create within the app, including cards you skip or remove per deck so they stop being suggested for that deck (you can clear this anytime from the deck's More menu).
- Session data: authentication tokens stored securely on your device.
- Usage activity: how you interact with the app, including swiping, searches, and card decisions (adds, skips, maybes, removals). This is kept both in aggregate and per account, so the app can improve overall and personalize your experience.
We do not collect location data or device identifiers, or any data beyond what is required to operate and improve the app.
How We Use Your Data
- To authenticate your account and maintain sessions.
- To store and sync your decks across devices.
- To send transactional emails (email verification, password reset).
- To remember which cards you've skipped or removed for a deck so we stop suggesting them there.
- To analyze swiping and usage patterns, in aggregate and per account, so we can improve the app and personalize card suggestions.
We do not sell, share, or use your data for advertising.
Third-Party Services
- Scryfall: card data (names, images, oracle text) is sourced from the Scryfall API and stored on our servers. Your account data is never shared with Scryfall.
- Resend: transactional email delivery (verification and password reset emails). Your email address is passed to Resend solely to deliver these messages.
- Archidekt: when you import a deck from Archidekt, we request that deck's public card data from the Archidekt API. This only happens when you use the import feature, and no account data is shared with Archidekt.
Data Retention
Your data is retained as long as your account exists. You can delete your account at any time from within the app, which permanently removes all associated data.
Security
Passwords are hashed with argon2. Refresh tokens are SHA-256 hashed before storage. All traffic is encrypted in transit via HTTPS. We do not have access to your plaintext password.
Children
Zwipe is not directed at children under 13. We do not knowingly collect data from children under 13.
Fan Content
Zwipe is unofficial Fan Content permitted under the Fan Content Policy. Not approved/endorsed by Wizards. Portions of the materials used are property of Wizards of the Coast. ©Wizards of the Coast LLC.