Privacy
Policy.
Last updated: July 1, 2026
Your trust matters to us. This policy explains, in plain language, exactly what CCA Universe collects when you grade cards with us or use ccacard.com, how it is used, who it is shared with, what is public by design, and the choices and rights you have.
1. Who We Are
This Privacy Policy explains how CCA Universe (“CCA,” “CCA Card,” “we,” “us,” or “our”), the professional trading card grading company operating ccacard.com, collects, uses, shares, and protects your personal information when you use our website and services: card grading and authentication, the public certification database and population reports, your collection registry, our community (forum, news, help center, support tickets), and our online shop.
Mailing address: CCA Universe, P.O. Box 1654, Huntington Beach, CA 92647, USA. Privacy questions: [email protected].
2. Information We Collect
Information you provide to us:
- Account information, your name, email address, password (stored hashed, never in plain text), and optional phone number.
- Addresses, shipping/return and billing addresses you save for submissions and shop orders.
- Payment information, payments are processed by Stripe. Your full card number never touches our servers; we store only a reference token plus the card brand, last four digits, and expiry so you can manage saved cards and we can charge approved invoices.
- Submission and card data, the cards you submit, their declared values, grading results, certification numbers, and high-resolution scans of your cards.
- Order and billing history, grading submissions, itemized invoices and their changes/approvals, shop orders, and refunds.
- Communications, support tickets and messages, contact-form inquiries, and emails you exchange with our team.
- Community content, forum topics, posts, votes, comments on news articles and help guides, product reviews, and your collection registry entries.
Information collected automatically: when you use the site we collect standard technical data such as IP address, browser and device information, pages viewed, and referring URLs, via cookies and similar technologies (see Sections 5–6). Our email provider also records delivery events (delivered, opened, clicked, bounced) for messages we send you.
3. How We Use Your Information
- To provide the Services, process submissions, grade and encapsulate cards, publish certifications, generate labels and packing slips, ship your cards back, and operate your dashboard (including Grade Reveal).
- To process payments, create itemized invoices, obtain your approval for invoice changes, charge your saved card when grading is complete, handle 3-D Secure authentication, and process refunds.
- To communicate with you, transactional emails about your account, submission status, invoices, and support tickets; and, if you have opted in, marketing emails about news and offers.
- To verify email deliverability, we check the validity of account email addresses (see Section 7) so critical notifications actually reach you.
- To operate community features, display your posts, comments, reviews, and registry activity, and moderate reported content.
- To improve and secure the Services, debug issues, analyze usage, prevent fraud and abuse, and enforce our Terms of Service.
- To measure advertising, see Section 5 (Meta Pixel and Conversions API).
- To comply with legal obligations, tax, accounting, and lawful requests from authorities.
4. What Is Public
Public certification is a core part of our grading service. When a card you submitted is graded and your order reaches its final stages, its certification page, including the card’s identity, grade, designations, and front/back slab scans, is publicly viewable by anyone with the cert number, and the card is counted in our public population reports. Cert pages do not display your name, email, or address.
Content you post in community areas (forum posts and topics, comments on news and help articles, and product reviews) is public and is displayed with your first name and last name as set on your account. Your collection registry is used for set-completion features; support tickets are private between you and our staff.
5. Advertising & Analytics (Meta Pixel + Conversions API)
We use Meta (Facebook) advertising tools to measure the effectiveness of our ads. This works over two channels: the Meta Pixel in your browser and Meta’s server-side Conversions API. Events such as page views, sign-ups, starting a submission, and purchases may be sent through both channels with a shared event ID so Meta can de-duplicate them.
Data sent to Meta may include the event details, your IP address and browser information, Meta cookie identifiers (such as _fbp/_fbc), and, for the Conversions API, certain identifiers (like your email address) in HASHED form to improve match quality. Meta’s use of this data is described in Meta’s own privacy policy. You can control ad personalization through your browser settings (blocking third-party cookies), ad blockers, and your Meta account’s ad preferences.
Under California law, the transmission of identifiers to an advertising platform may be considered “sharing” for cross-context behavioral advertising. You may opt out as described in Section 11.
6. Cookies & Local Storage
- Authentication cookies, keep you signed in to your account (essential; the site’s dashboards cannot work without them).
- Preference storage, your light/dark theme choice and similar settings are kept in your browser’s local storage.
- Shopping cart, your shop cart is stored in your browser’s local storage so it survives page reloads; it is only associated with your account when you check out.
- Advertising cookies: Meta Pixel cookies (see Section 5).
- Security, our contact form uses Google reCAPTCHA to prevent spam; Google may set cookies and collect device data as described in Google’s privacy policy.
7. Service Providers We Share Data With
We do not sell your personal information. We share it only with service providers who process it on our behalf under contract, with the parties below, or when required by law:
- Stripe, payment processing, saved payment methods, invoices, refunds, and fraud prevention. Stripe acts as its own data controller for payment data; see Stripe’s privacy policy.
- Resend, sending and receiving our email (transactional, support, and marketing) and tracking delivery events such as bounces, opens, and clicks.
- Emailable, verifying that account email addresses are valid and deliverable. We send them the email address only.
- Meta Platforms, advertising measurement as described in Section 5.
- Google reCAPTCHA, spam protection on our contact form.
- Shipping carriers, your name, address, and package details when we ship your cards or merchandise back to you.
- Infrastructure providers, our servers, database, and self-hosted image storage (card scans and site images are served from our own asset domain, assets.ccacard.com, behind a content delivery network).
8. Email Choices
Transactional email (account, submission status, invoices, support replies, security notices) is part of the service and is sent regardless of marketing preferences.
Marketing email is optional. You choose at signup (the marketing checkbox), and you can change your mind at any time via the “Marketing & News” toggle in your dashboard settings, the unsubscribe link in the footer of every marketing email, or the one-click unsubscribe supported by most inboxes. If a message to you hard-bounces or you mark our mail as spam, we automatically suppress future sends to protect your inbox.
9. Data Retention
We retain account, submission, invoice, and certification records for as long as your account is active and as needed for the purposes above. Certification records (cert number, card identity, grade, and scans) are retained indefinitely, a permanent, verifiable record is the point of certification, and population reports depend on it. Financial records are kept as required by tax and accounting law. Community content remains until removed by you (where the feature allows), by moderation, or with account deletion assistance from support. Email logs and delivery events are kept for operational and compliance purposes.
10. Security
We protect your information with industry-standard measures: encryption in transit (HTTPS), hashed passwords, role-based access controls for our staff back-office, signed URLs for private image storage, webhook signature verification for our payment and email providers, and payment handling delegated to a PCI-DSS-compliant processor (Stripe). No system is perfectly secure; if we learn of a breach affecting your personal information we will notify you as required by law.
11. Your Rights & Choices
Depending on where you live, including under the California Consumer Privacy Act (CCPA/CPRA), you may have the right to: know what personal information we have about you and request a copy; correct inaccurate information; delete your personal information (subject to exceptions, such as records we must keep for legal, billing, or certification-integrity reasons); and opt out of the “sharing” of personal information for cross-context behavioral advertising (Section 5).
You can exercise most choices directly: edit your profile and addresses in your dashboard, manage saved payment cards on your billing page, and control marketing email as described in Section 8. For access, deletion, ad-sharing opt-out, or any other privacy request, email [email protected] from the address on your account, we will verify the request and respond within the time required by applicable law. We will never discriminate against you for exercising your privacy rights.
Note that deleting your account does not remove public certification records for cards we have graded, which remain part of the permanent cert database (without your name attached).
12. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, contact [email protected] and we will delete it.
13. International Users
We are based in the United States and process data on U.S. servers. If you use the Services from outside the U.S., you understand that your information will be transferred to and processed in the United States, where privacy laws may differ from those in your jurisdiction.
14. Changes to This Policy
We may update this Privacy Policy as our services evolve. Material changes will be posted on this page with an updated “Last updated” date, and where required we will provide additional notice (for example, by email). Your continued use of the Services after changes take effect constitutes acceptance of the revised policy.
15. Contact Us
CCA Universe · P.O. Box 1654, Huntington Beach, CA 92647, USA. Privacy requests and questions: [email protected]. General support: [email protected] or ccacard.com/contact.
See also our Terms of Service and Guarantee.