Privacy Policy
Last updated: April 2026
This Privacy Policy describes how TCGHub (“we”, “us”) collects, uses, and shares information about you when you use our online trading card pack opening platform. We comply with the Malaysian Personal Data Protection Act 2010 (PDPA) and apply the same standards to users outside Malaysia.
1. What we collect
- Account information: email address, display name, and a password hash (managed by our authentication provider).
- Identity and age: date of birth for age verification; in some cases, KYC documents for high-value accounts.
- Transaction history: top-ups, pack purchases, credit conversions, and shipping fees, stored as immutable ledger entries in Malaysian Ringgit (sen).
- Pull history: every pack you open, the cards received, and the cryptographic seeds used for provably fair verification.
- Shipping details: recipient name, address, and phone number when you request a physical shipment.
- Technical data: IP address, device fingerprint, browser, and session logs used for fraud prevention and security.
2. How we use your data
- To operate the service — process pulls, ship cards, manage your wallet.
- To detect and prevent fraud, chargeback abuse, and bot activity.
- To comply with Malaysian tax, anti-money-laundering, and consumer protection laws.
- To enforce responsible gaming controls (daily/weekly limits and self-exclusion).
- To communicate service updates, order status, and security alerts.
We never sell your data to third parties. We share data only with service providers who help us run the platform (payment processors, shipping carriers, cloud hosting) and only the minimum fields they need.
3. Data retention
- Financial records: kept for 7 years as required by the Inland Revenue Board of Malaysia (LHDN) and related regulations.
- Pull seeds and outcomes: kept indefinitely so that provably fair audits remain possible.
- Technical logs: purged after 90 days.
- Account data: kept while your account is active, and for a reasonable period after closure for fraud prevention and legal obligations.
4. Your rights under PDPA
As a data subject under the Malaysian PDPA 2010, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of data that is no longer needed for its original purpose, subject to our legal retention obligations.
- Withdraw consent for optional processing, such as analytics.
- Lodge a complaint with the Department of Personal Data Protection (JPDP).
To exercise any of these rights, email privacy@gacha-oripa.com. We respond within 21 days.
5. Cookies
We use two categories of cookies:
- Essential: session cookies that keep you logged in. These cannot be disabled without breaking the site.
- Analytics (optional): privacy-preserving analytics to improve the service. You can opt out at any time in your browser settings.
6. International transfers
Some of our infrastructure providers (payment processors, hosting) operate servers outside Malaysia. When data is transferred abroad, we require contractual safeguards so that your data is protected to at least PDPA-equivalent standards.
7. Children
This service is 18+ only. We do not knowingly collect data from minors. If we become aware that a minor has registered, we will terminate the account and delete the data.
8. Contact
For privacy questions, data access requests, or complaints, contact our Data Protection Officer at privacy@gacha-oripa.com.