Last updated: July 2026

Controller

The controller responsible for data processing under the EU General Data Protection Regulation (GDPR) is Lars Waldow. The full postal address and contact details are provided in the Legal Notice / Impressum.

Overview

Kura ("the App") is developed by Lars Waldow. Kura is built local-first: there is no Kura account, no Kura server, and no sign-in. Your collection data lives on your device and is synced only to your own iCloud account if you choose to use iCloud.

This policy has two parts: Part A covers the App (Kura on your device); Part B covers this website (kura.cards). They involve different processing, so they are described separately.

Part A — The Kura App

No Data Collection by the Developer

The App does not collect personal information for the developer's own use and does not use analytics or advertising SDKs of any kind. Specifically:

  • No account creation or sign-in is required or offered.
  • No personal data (name, email, location, etc.) is collected by the App or by Lars Waldow.
  • No analytics, tracking, or advertising tools are used.

The App does not send your data to the developer. The limited processing that does occur happens through Apple's services (iCloud/CloudKit, StoreKit, TestFlight), which act as processors under Apple's own terms, or locally on your device.

Camera & Card Recognition

Kura uses your device's camera to scan physical cards. Recognition (image capture, text extraction, and matching against the local card database) happens entirely on your device. No photo or video is uploaded anywhere or seen by Lars Waldow.

Local Storage

Your collection, boxes, decks, notes, and settings are stored locally on your device. This data is never transmitted to Lars Waldow.

iCloud Sync & Backup

If enabled on your device, Kura uses Apple's CloudKit to sync your collection, boxes, and decks across your own devices, and to store rotating backup snapshots in your iCloud Drive. This uses your personal iCloud storage and is governed by Apple's Privacy Policy. The data is stored in your private CloudKit database, encrypted in transit and at rest by Apple; Lars Waldow has no access to it.

Scryfall Card Database

Kura downloads a bulk card database from Scryfall on first launch and periodically thereafter to keep card data and prices current. These are anonymous downloads of public card data — no personal or collection data is sent to Scryfall.

Subscriptions & Payment

Kura Pro is offered as an auto-renewing subscription through Apple's StoreKit. All payment information is handled entirely by Apple as part of your App Store account; Lars Waldow never receives your payment details.

Beta Testing via TestFlight

While Kura is distributed as a beta through Apple's TestFlight, Apple collects and provides to the developer diagnostic information such as crash logs, device and performance data, and any feedback you choose to submit. This is used solely to improve the App and is governed by Apple's TestFlight & Privacy terms. You can leave the beta at any time by removing the app in TestFlight.

Part B — This Website (kura.cards)

Hosting & Connection Data

kura.cards sets no cookies and uses no analytics or tracking. All assets (including fonts) are loaded from its own domain — no third-party requests are made from the page itself.

However, like any website, kura.cards is served over the internet: when you open a page, your browser sends technically necessary connection data — in particular your IP address — to our hosting/CDN provider, Cloudflare, Inc. Cloudflare processes this data to deliver the site and to protect it against attacks (e.g. DDoS). Under the GDPR, an IP address is considered personal data. We do not use it to identify you and do not combine it with other data.

Common Provisions

Processors & International Transfers

We use the following processors: Apple (iCloud/CloudKit, StoreKit, TestFlight) and Cloudflare (website hosting). These providers may process data on servers outside the EU/EEA (e.g. in the USA). Where this occurs, it is based on appropriate safeguards such as the EU Standard Contractual Clauses and/or applicable adequacy mechanisms.

Your Rights

Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and to object to processing of your personal data. You also have the right to lodge a complaint with a data protection supervisory authority. To exercise these rights, contact us using the details on the Legal Notice / Impressum.

For the website connection data described in Part B, we cannot identify you from an IP address and keep no logs that we can search by person. Under Art. 11 GDPR, the rights of access and erasure therefore do not apply to that data unless you provide information that makes it identifiable — which, for an ordinary page visit, is generally not possible. This connection data is in any case only held briefly by Cloudflare for security purposes.

Children's Privacy

The App does not knowingly collect personal data from children. TestFlight is not intended for children under 13 (or the equivalent minimum age in your jurisdiction).

Changes to This Policy

This privacy policy may be updated to reflect changes in the App's functionality or legal requirements. The "Last updated" date above will be revised accordingly.

Contact

For questions about this privacy policy, contact us at the details provided on the Legal Notice / Impressum.