Privacy Policy
Milkman Combo Trainer ("we", "us", "the site") is run by Ravenous Raven Design as an independent fan-made tool for Magic: The Gathering Commander players. This page explains exactly what data we collect, why, who processes it on our behalf, and how to remove it.
Plain-English summary: We collect your email and a few profile fields when you sign in with Google. If you go Premium, Stripe handles the payment and we never see your card. We use Supabase to store your account, saved decks, and training stats. We use Google Analytics to count visits. We don't sell your data, share it with advertisers, or do anything weird with it.
1. What we collect
Account data (when you sign in)
- Email address — supplied by Google when you sign in with Google.
- Display name and avatar URL — supplied by Google as part of your basic profile. Optional; we use these to label your saved decks and stats.
- Supabase user ID — an internal UUID we use to associate your account with your saved data.
Usage data (when you use the tools)
- Saved decks — Premium users can save up to 50 Moxfield/Archidekt deck URLs. We store the URL, the deck name, the commander, and the parsed combo set.
- Training stats — sessions, accuracy per combo, streaks. Only used to show your stats back to you and prioritize weak-spot drills.
- Coach asks — when you use the Play Coach (Premium feature), we store the deck URL, the timestamp, the model used, and token counts so we can enforce daily/monthly rate limits and monitor cost. We do NOT store the contents of your hand, board, or game-state inputs after the response is returned.
Payment data
If you upgrade to Premium, payment is processed entirely by Stripe. We never see, touch, or store your credit card number. We store only the Stripe customer ID Stripe gives us so we can manage your subscription.
Analytics
We use Google Analytics to count page visits and understand which features people use. Google Analytics may set cookies in your browser. We do not link your analytics activity to your account email — it's anonymous traffic data only.
What we DO NOT collect
- Your Google password (Google handles authentication; we never see passwords).
- Your credit card details (Stripe handles payments).
- Your IP address as a stored value (it appears in server logs at our hosting provider for the standard 30-day operational window, then is deleted).
- Location data, contacts, photos, microphone, or anything else from your device.
2. Who processes your data
We're a small team and we use the following third parties to run the site. Each is bound by their own privacy policy and the relevant data-processing agreements.
| Processor | What they do | Their privacy policy |
|---|---|---|
| Google (OAuth) | Authentication. Returns your email + name to us when you sign in. | Link |
| Supabase | Database + auth. Stores your account, saved decks, training stats, and Coach quota counters. | Link |
| Stripe | Payment processing for Premium subscriptions. | Link |
| Vercel | Hosting and edge functions. | Link |
| OpenRouter | Routes Play Coach requests to Anthropic's Claude model. Receives only the prompt we build (game state + deck context) and returns a recommendation. | Link |
| Google Analytics | Anonymous traffic counts. | Link |
| Scryfall | Card data lookups (no user data sent — only card names). | Link |
| Commander Spellbook | Combo lookups (no user data sent — only deck card names). | Link |
| Moxfield / Archidekt | Public deck list fetches when you paste a deck URL (no user data sent to them). | — |
3. Why we collect it
- To run your account. Sign-in, saved decks, stats syncing across devices.
- To process payments. Premium subscription billing through Stripe.
- To rate-limit AI calls. Play Coach has a 15-asks-per-day cap so one user can't drain our AI budget; we count asks against your account ID.
- To improve the product. Anonymous analytics to see which tools get used.
- To respond to support requests. If you email us, we keep the conversation history.
We do not use your data to train AI models, sell it to third parties, or share it with advertisers. We have no advertisers.
4. Cookies and similar tracking
The site uses the following cookies and local storage entries:
- Supabase auth cookies (essential) — keep you signed in across pages and visits. Cleared when you sign out.
- Google Analytics cookies (analytics) — anonymous visit counting.
- Local-storage UI cache (essential) — remembers whether you're signed in and on Premium so the navigation menu renders instantly.
- Promo dismiss flag (functional) — remembers if you closed the grand-opening promo.
You can clear these at any time through your browser's site-data settings. Doing so will sign you out and reset the UI to default.
5. Your rights
You have the right to:
- Access the data we hold about you. Most of it is visible in My Stats and My Decks.
- Export your data. Email us and we'll send you a JSON dump of everything tied to your account.
- Delete your account and all associated data. Email us at ravenousravendesign@gmail.com and we'll delete it within 7 days. This is permanent and cannot be undone.
- Withdraw consent for analytics by using your browser's "Do Not Track" or by blocking the relevant cookies.
If you're in the EU/UK, you also have rights under GDPR including the right to lodge a complaint with your local data protection authority. We'll honor any GDPR request like any other deletion request.
6. Children
Milkman Combo Trainer is intended for users 13 years of age or older (or 16+ in jurisdictions where that is the local minimum age for online services). We do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, contact us and we'll delete their account.
7. Data retention
- Account data — kept while your account is active, plus 30 days after deletion to satisfy backup retention windows.
- Saved decks & stats — kept while your account is active. Deleted on account deletion.
- Coach asks (rate-limit log) — token counts and timestamps kept for 90 days for billing reconciliation, then deleted.
- Stripe records — Stripe retains transaction records for 7 years per US tax law. We retain only the Stripe customer ID.
- Server logs — Vercel keeps standard hosting logs for ~30 days.
8. Security
We use industry-standard practices:
- All connections are over HTTPS (TLS).
- Database access uses row-level security so users can only read their own data.
- Service-role keys are stored in encrypted environment variables on Vercel and never exposed to the browser.
- Stripe handles payment data using their own PCI-DSS-compliant infrastructure.
That said, no online service is 100% secure. If we ever experience a breach affecting your data, we'll notify you within 72 hours per GDPR requirements.
9. International transfers
Our infrastructure is hosted primarily in the US (Vercel, Supabase, Stripe). If you're outside the US, your data may be transferred to and stored in the US under standard contractual clauses with each processor.
10. Changes to this policy
If we change anything material in this policy, we'll update the "Last updated" date at the top and notify active accounts via email. Minor formatting changes don't trigger a notification.
11. Contact
Questions, deletion requests, or concerns: ravenousravendesign@gmail.com
Milkman Combo Trainer is an independent fan-made tool. Magic: The Gathering and related marks are property of Wizards of the Coast. This site is not affiliated with, endorsed by, sponsored by, or approved by Wizards of the Coast, Scryfall, Commander Spellbook, or the Commander Rules Committee.