Home
Welcome to the ShapeshifterTCG-Privacy-and-Security wiki!
If you need further support, you may email me at barnelks@gmail.com
Last updated: June 4, 2026
Shapeshifter TCG does not operate its own developer backend, does not include third-party advertising, does not include analytics or tracking SDKs, does not sell personal data, and is not designed to build advertising profiles.
That does not mean the app can be described as collecting no personal data in every context. If you choose to enter profile details, friend contact details, notes, avatar images, deck names, trade data, or other freeform content, that information may be stored on your device, synced through Apple iCloud, exported into files, shared through QR codes or share sheets, or published to Apple CloudKit public records for friend-profile and live-trade features.
Payment information for Shapeshifter Plus is handled by Apple through StoreKit and the App Store. The developer does not receive your full payment card details.
Shapeshifter TCG is unofficial Fan Content permitted under the Wizards of the Coast Fan Content Policy. Not approved/endorsed by Wizards. Portions of the materials used are property of Wizards of the Coast. ©Wizards of the Coast LLC.
Shapeshifter TCG is a fan-made companion application for trading card game players. It is not affiliated with, endorsed by, sponsored by, or approved by Wizards of the Coast LLC, Scryfall LLC, The Pokemon Company, Konami, Ravensburger, Disney, Bandai, Fantasy Flight Games, Legend Story Studios, TCGplayer, Apple, or any other card data provider, publisher, trademark owner, platform provider, API provider, or platform service referenced by the app.
All trademarks, card names, set names, game names, mana symbols, artwork, logos, brand assets, card images, pricing data, rulings, rules text, Commander references, combo information, and other intellectual property remain the property of their respective owners.
Shapeshifter TCG helps players:
- Search card databases and view card details, images, rulings, prices, set data, and printings.
- Build decks, import deck lists, run deck simulation tools, view deck statistics, and use Commander-related reference features.
- Manage card collections, quantities, conditions, languages, collection names, prices, and notes.
- Track trades, loans, friends, looking-for lists, tradable lists, and live trade requests.
- Run life counters for supported games.
- Scan trading cards and friend QR codes using the camera when permission is granted.
- Maintain offline card databases, cached rulings, cached set data, and other provider data where supported.
- Import and export supported backup, collection, profile, trade-list, and deck-list files when you choose to do so.
- Use optional iCloud sync, optional Sign in with Apple, optional public friend profile publishing, optional live trade sharing, and optional Shapeshifter Plus subscription features.
The app currently supports Magic: The Gathering, Pokemon, Yu-Gi-Oh!, Disney Lorcana, Digimon, Star Wars: Unlimited, Flesh and Blood, and One Piece.
Shapeshifter TCG is not an official game client, marketplace, tournament tool, judging authority, financial product, investment product, professional appraisal tool, or official rules source.
The app does not provide financial, legal, tournament, judging, investment, or professional advice. Card prices, trade values, rules, format legality, deck statistics, Commander bracket estimates, combo information, and database results are informational reference material only.
The app is not designed to:
- Sell personal information.
- Run third-party advertising.
- Track users across unrelated apps or websites.
- Build advertising profiles from user activity.
- Collect unrelated sensitive personal information.
- Upload camera captures to a developer-operated server.
- Process subscription payments directly.
- Guarantee card data, pricing, legality, sync, imports, exports, scans, notifications, purchases, or third-party service availability.
Depending on the features you use, the app may store:
- Collection entries, including card identifiers, card names, set information, quantities, foil status, condition, language, binder or collection names, tags, notes, purchase prices, current prices, and date added.
- Deck data, including deck names, formats, commanders, companions, deck descriptions, tags, card lists, categories, quantities, prices, Commander bracket fields, known combo results, and related card image URLs.
- Trade and loan records, including card names, quantities, foil status, values, trade partners, loaned or borrowed status, expected return dates, and notes.
- Friend contact records, including display names, profile identifiers, phone numbers, email addresses, notes, avatar image data or icon names, shared deck summaries, shared deck snapshots, trade list data, incoming trade request data, unread counts, and related timestamps.
- App profile data, including display name, generated profile identifier, optional phone number, optional email address, optional notes, optional avatar image or icon, Sign in with Apple identifiers, and Apple-provided name or email when granted.
- Subscription access data, including StoreKit product identifiers and active entitlement status returned by Apple.
- App settings, including selected trading card game, display preferences, language preferences, pricing preferences, sync mode, cached set metadata, local database timestamps, life counter state, and import or sync status timestamps.
- Offline card database files, cached card metadata, cached rulings, cached set data, cached images or image references, and cached Commander reference data downloaded from supported card data providers.
- Imported and exported backup files, collection files, friend profile files, trade list files, and plain-text deck lists when you choose to import or export them.
This information is primarily stored on your device using Apple platform storage. Some lightweight settings and profile fields are stored in UserDefaults. A generated profile identifier may be stored in Keychain Services so it can persist more reliably. When the CloudKit-backed store is available, collection, deck, trade, friend, and loan records may sync through Apple iCloud using the iCloud account configured on the device. If the app cannot use the cloud-backed store, it may fall back to local-only storage or temporary in-memory storage.
The app uses CloudKit in two different ways:
- Private CloudKit storage may sync your app database across devices signed into the same iCloud account.
- Public CloudKit records may be used when you publish a friend profile or send live trade requests.
Published friend profiles can include your profile identifier, display name, optional phone number, optional email address, optional notes, optional avatar image, shared deck summaries or deck snapshots, and shared looking-for or tradable card lists. Live trade requests can include sender and recipient profile identifiers, names, the trade list payload, card details, prices, timestamps, read status, unread counts, and related metadata.
Do not publish profile fields, notes, avatar images, deck snapshots, or trade lists that you do not want other Shapeshifter TCG users with the relevant identifier or sharing path to access. Public CloudKit records are not the same as your private iCloud database.
Sign in with Apple is optional. If you use it, the app may store your Apple user identifier and, when Apple provides them and you allow access, your name and email address. The app uses this information to populate your local profile and show account connection status.
iCloud is used for cloud availability checks, private database sync, public profile publishing, live trade request records, and CloudKit notification subscriptions where available.
StoreKit is used to load subscription products, make purchases, restore purchases, and check active subscription entitlements. Subscription transactions, refunds, taxes, renewals, cancellations, family sharing eligibility, and payment processing are handled by Apple and the App Store.
Camera access is used only when you choose card scanning or QR scanning features. Captured card images are processed on device for recognition or QR payload handling. The app is not designed to save camera captures to your photo library as part of scanning.
Photo library access may be used when you choose an image for your profile artwork through the system photo picker. Selected image data may be stored in your app profile, backup files, friend profile exports, or published friend profile records if you choose to share or publish it.
Notifications may be requested so the app can receive and show CloudKit-related trade update notifications, including live trade request updates from friends. Notification delivery is handled by Apple services and device settings.
File import and export features read or write data only when you choose files through the system file picker, share sheet, or supported file-opening flows. Supported files may include Shapeshifter profile backups, collection exports, friend profiles, trade lists, and plain-text deck lists.
The app downloads, displays, searches, caches, or processes card and set information from third-party data sources. These may include:
- Scryfall
- Pokemon TCG API
- YGOPRODeck
- Lorcast
- SWU API
- goagain.dev
- Heroi bulk data sources
- TCGCSV and TCGplayer-derived feeds
- Commander Spellbook
- Wizards of the Coast web pages for Commander reference information
- Other public, licensed, or user-selected APIs, feeds, and metadata providers added in future versions
Requests to these services may reveal standard network information such as your IP address, device network details, request timing, and the specific endpoints, card names, deck contents, or search queries needed to provide the feature. Commander combo lookup may send decklist card names and quantities to Commander Spellbook. Third-party services are governed by their own terms, privacy notices, rate limits, and operational practices.
Third-party materials are provided for reference, search, collection tracking, deck building, life tracking, trade support, and other companion-app purposes only. Use of third-party data does not transfer ownership to Shapeshifter TCG or its developer.
For App Store privacy and plain-language disclosure purposes, the app should not claim an absolute “no personal data collected” posture while profile, friend, iCloud sync, Sign in with Apple, public sharing, import/export, or subscription features remain enabled.
The more accurate current statement is:
Shapeshifter TCG does not collect personal data through a developer-operated server, analytics SDK, advertising SDK, or tracking SDK. The app may store or process personal data that you provide or authorize, including profile details, contact details, notes, avatar images, Apple account fields, CloudKit records, exported files, and shared trade/profile data. Apple and third-party data providers may process data needed to provide iCloud, StoreKit, Sign in with Apple, notifications, card data, pricing, image, search, and combo lookup features.
The app relies on Apple platform protections, SwiftData storage, UserDefaults for lightweight settings and profile fields, Keychain Services for selected persistent identifiers, system permission prompts, StoreKit transaction verification, CloudKit transport and storage, security-scoped file access for selected imports, and system share sheets or file pickers for user-controlled sharing.
The app stores temporary export files and temporary CloudKit asset files when needed to complete export, sharing, or upload workflows. Temporary files may remain subject to normal system cleanup behavior.
No software, storage system, network service, or cloud provider can guarantee absolute security. You are responsible for deciding what to enter, publish, import, export, scan, or share, and with whom to share it.
Profile backups can contain a broad snapshot of your app data, including profile fields, settings, collections, decks, trades, friends, loans, notes, prices, and image data. Collection exports contain collection card data. Friend profile files and QR codes can contain profile identifiers and contact fields. Trade list files can contain sender, recipient, card, pricing, and contact details.
Anyone who receives a file, QR code, profile link, trade list, or backup may be able to read, store, modify, or redistribute the information it contains. Only share these materials with people and services you trust.
Imported files and scanned QR codes may contain user-supplied content. The developer is not responsible for inaccuracies, malicious content, misuse, or unauthorized redistribution of files or QR payloads shared by users.
The app includes local data management features such as exporting all data, importing data, clearing app-managed records, and deleting local account/app data. Where available, account deletion attempts to remove published friend profile records and live trade request records involving your profile identifier from public CloudKit.
Deletion may not immediately remove data already synced through iCloud, already exported to files, already imported by another user, already sent to another user, already copied from QR codes or share sheets, retained by Apple or third-party services under their own policies, or stored in backups outside the app’s control.
Users should maintain their own backups where appropriate. Sync, import, export, backup, restore, purchase, entitlement-check, and deletion operations can fail or produce incomplete results.
This app and its related documentation are provided on an "as is" and "as available" basis to the maximum extent permitted by applicable law. The developer makes no guarantee that:
- third-party data will always be accurate, complete, current, available, or legally usable in every context
- card prices, legality information, set data, images, Commander references, combo information, and metadata will be correct
- synchronization, public sharing, imports, exports, backups, purchases, notifications, deletions, or scans will never fail
- the app will be uninterrupted, error-free, or compatible with every device, service, file, or future API change
This document may be updated as the application evolves, subscription features change, new features are added, third-party integrations change, or legal and operational needs change.
If you are a rights holder, API provider, or user with a privacy, security, attribution, purchase, or data concern, please contact the developer to request review, correction, attribution updates, or removal where appropriate.
Last reviewed: June 4, 2026
This is a practical engineering review of current app integrations and disclosures. It is not legal advice and does not replace review by an attorney, App Store reviewer guidance, or written permission from rights holders and API providers.
- The app is a fan-made companion app for trading card game players.
- The app includes in-app Terms of Use, Privacy and Security, Attribution and Credits, subscription policy destinations, public-sharing disclosures, no-warranty language, and provider attribution.
- The app supports card search, card detail views, collection tracking, deck building, deck import, deck simulation, deck statistics, trades, loans, friends, life counters, card scanning, QR scanning, offline card data, import/export, optional iCloud sync, optional Sign in with Apple, optional public CloudKit friend profile publishing, optional live trade sharing, and optional Shapeshifter Plus subscriptions.
- The app does not include a developer-operated backend, third-party ads, analytics SDKs, tracking SDKs, AppTrackingTransparency usage, or AdSupport usage in the current code scan.
- The app should not claim that no personal data is collected in all cases. User-provided profile/contact fields, notes, avatar images, Apple account fields, CloudKit records, exports, QR payloads, and live trade data may be personal data when stored, synced, exported, published, or shared.
- The accurate current privacy posture is: no developer-operated server collection, no sale of personal data, no third-party advertising, no tracking SDKs, and no analytics SDKs; user-provided and Apple-managed data may still be processed to provide app features.
- Camera and photo-library purpose strings are present in AppInfo.plist.
- Provider-aware request pacing is implemented for Pokemon TCG API, Lorcast, SWU API, goagain.dev, and TCGCSV.
- Yu-Gi-Oh image URLs from YGOPRODeck are not used because YGOPRODeck asks developers not to continually hotlink images.
- TCGCSV / TCGplayer-derived catalog, pricing, and product-link data is enabled. Treat this as a higher-risk integration until written confirmation for public or commercial app distribution is obtained.
Apple privacy labels should not be completed as “Data Not Collected” while optional profile, friend, Sign in with Apple, CloudKit sync, public sharing, import/export, StoreKit entitlement, and live trade features are enabled.
Recommended current disclosure posture for App Store Connect review:
- Contact Info: optional display name, phone number, email address, and Apple-provided name or email when the user grants it.
- User Content: collection records, deck records, trade records, loan records, friend profiles, notes, avatar images, imported files, exported files, QR payloads, and shared trade lists.
- Identifiers: generated Shapeshifter profile identifier, Sign in with Apple user identifier, CloudKit record identifiers, StoreKit product identifiers, and third-party card identifiers.
- Purchases: StoreKit subscription product and entitlement status. Apple handles payment processing.
- Diagnostics: disclose only if Apple/Xcode diagnostics, crash reporting, telemetry, or another diagnostics SDK is enabled for distribution.
- Tracking: currently no third-party advertising/tracking SDK was found in the code scan.
Data may be linked to the user when it is tied to app profile fields, friend profile publishing, CloudKit-synced records, Sign in with Apple identifiers, public CloudKit trade/profile records, or exported/shared files containing user-entered information.
Reference: https://company.wizards.com/en/legal/fancontentpolicy
Status: Partially addressed. The required unofficial fan-content notice is present in app-facing legal text and markdown documents. The app should avoid using Wizards logos or claiming affiliation. Commercial release, monetization, subscription positioning, or expanded use of Wizards IP should be reviewed separately.
References:
- https://scryfall.com/docs/api
- https://scryfall.com/docs/api/bulk-data
- https://scryfall.com/docs/faqs/i-m-having-trouble-accessing-the-scryfall-api-or-i-m-blocked-17
Status: Addressed for current usage. The app uses a User-Agent and Accept header, rate-limits Scryfall API calls, uses bulk data for large offline Magic data, and provides Scryfall/Wizards non-endorsement language. Continue respecting rate limits, cache where appropriate, and do not imply Scryfall endorsement.
References:
- https://docs.pokemontcg.io/
- https://docs.pokemontcg.io/getting-started/authentication/
- https://docs.pokemontcg.io/getting-started/rate-limits
- https://dev.pokemontcg.io/terms
Status: Addressed for current unauthenticated use with conservative request pacing. If an API key is added later, keep the key out of source control and continue honoring current account limits and terms.
Reference: https://ygoprodeck.com/api-guide/
Status: Addressed by avoiding YGOPRODeck direct image URL usage in app data. The API guide asks developers not to continually hotlink images and to download/store data locally. The app still uses the card data endpoint and should continue avoiding image hotlinking unless a compliant image hosting/cache strategy is implemented.
Reference: https://lorcast.com/docs/api
Status: Addressed for current usage. Lorcast asks for 50-100 ms between API requests and encourages caching downloaded data. The app adds 100 ms request pacing and stores offline adapted data.
Reference: https://www.swuapi.com/
Status: Reasonable current posture. Public cards and sets endpoints require no API key according to current docs reviewed for this project. The app uses public endpoints only and adds request pacing. Recheck docs if private tournament, player, account, or decklist endpoints are added.
Reference: https://goagain.dev/
Status: Reasonable current posture. Current docs describe the REST API as free, open, no API key required, and rate-limited for fair use. The app adds request pacing and should keep attribution.
References:
- https://tcgcsv.com/docs
- https://tcgcsv.com/faq
- https://help.tcgplayer.com/hc/en-us/articles/360061115874-TCGplayer-API-Terms-Conditions
Status: Higher-risk and requires confirmation before public or commercial release. TCGCSV describes its data as collated from TCGplayer API endpoints, and TCGplayer API Terms require approved API use and prominent attribution. The app currently surfaces TCGCSV-backed One Piece data, TCGCSV price enrichment, and TCGplayer product-link/price fields from other providers. Keep attribution visible and get written confirmation that this distribution is allowed before App Store submission.
References:
Status: Conditional. Heroicc exposes API and bulk data documentation, but its site marks non-card site content as CC BY-NC-SA 4.0 and identifies Digimon card information/images/symbols as owned by Akiyoshi Hongo, Toei Animation, and BANDAI. Keep attribution, avoid implying endorsement, and verify commercial App Store distribution is acceptable before release.
Reference: https://spacecowmedia.github.io/commander-spellbook-backend/index.html
Status: Reasonable current posture for light API use. The app sends decklist card names and quantities to the backend to find combos and caches results per deck. Keep privacy disclosures because deck contents are sent to a third-party service.
References:
- https://developer.apple.com/app-store/app-privacy-details/
- https://developer.apple.com/help/app-store-connect/manage-app-information/manage-app-privacy
- https://developer.apple.com/in-app-purchase/
- Local checklist: AppStorePrivacyChecklist.md
Status: App-side disclosures added. App Store Connect privacy labels must still be completed manually and kept aligned with current app behavior. StoreKit handles subscription purchase flow and payment processing. The app should keep privacy policy and terms links accessible in Settings and the subscription screen.
- Do not claim “Data Not Collected” in App Store privacy labels unless profile, friend, iCloud, Sign in with Apple, public sharing, import/export, subscription entitlement, and user-content storage behavior changes materially.
- Obtain written confirmation that TCGCSV / TCGplayer-derived data can be used in this app, or disable it again before public App Store submission.
- Confirm commercial/noncommercial limits for Heroicc/Digimon data if the app is distributed publicly.
- Recheck every provider's terms close to submission because API terms can change without code changes.
- Complete App Store Connect privacy labels using AppStorePrivacyChecklist.md.
- Confirm that in-app Privacy and Security, Terms of Use, and Attribution and Credits text matches the markdown documents before each release.
- Re-run a code scan before each release for analytics, advertising, tracking, location, contacts, diagnostics, or new network integrations.
- Update privacy labels whenever app behavior changes, even if the legal documents are already updated.
- Keep public sharing warnings close to the UI that publishes profiles or sends live trades.
- Keep subscription legal links working from the paywall and Settings.
Last updated: June 4, 2026
Shapeshifter TCG is unofficial Fan Content permitted under the Wizards of the Coast Fan Content Policy. Not approved/endorsed by Wizards. Portions of the materials used are property of Wizards of the Coast. ©Wizards of the Coast LLC.
Shapeshifter TCG is a fan-made companion app. It is not affiliated with, endorsed by, sponsored by, or approved by any referenced trading card game publisher, card data provider, pricing provider, API provider, marketplace, platform provider, or trademark owner.
Magic: The Gathering card names, set names, rules text, mana symbols, card images, artwork, characters, trademarks, logos, and related materials are property of Wizards of the Coast LLC and/or their respective rights holders.
Magic card data, rulings, set metadata, legality data, and image references may be provided by Scryfall. Scryfall is not produced by or endorsed by Wizards of the Coast, and Shapeshifter TCG is not produced by or endorsed by Scryfall.
The app may also reference Commander information, including Commander Game Changers, Commander bracket estimates, Commander deck statistics, and known combo information. Commander reference material remains the property of its respective owners and is provided for companion-app reference use only.
Scryfall API and imagery documentation:
- https://scryfall.com/docs/api
- https://scryfall.com/docs/api/images
- https://scryfall.com/docs/api/bulk-data
Wizards Fan Content Policy and Commander references:
- https://company.wizards.com/en/legal/fancontentpolicy
- https://magic.wizards.com/
- https://magic.wizards.com/en/news
Commander Spellbook documentation:
The app may download, display, cache, search, or process data from:
- Pokemon TCG API
- YGOPRODeck
- Lorcast
- SWU API
- goagain.dev
- Heroi bulk data sources
- TCGCSV and TCGplayer-derived card, product-link, or pricing feeds
Pokemon, Yu-Gi-Oh!, Disney Lorcana, Digimon, Star Wars: Unlimited, Flesh and Blood, One Piece, TCGplayer, and related names, trademarks, card images, logos, game text, set names, artwork, characters, and brand assets are property of their respective owners.
This product may use TCGplayer-derived data through TCGCSV or related feeds, but it is not endorsed or certified by TCGplayer.
Provider documentation and terms references:
- Pokemon TCG API: https://docs.pokemontcg.io/
- Pokemon TCG API Terms: https://dev.pokemontcg.io/terms
- YGOPRODeck API Guide: https://ygoprodeck.com/api-guide/
- Lorcast API: https://lorcast.com/docs/api
- SWU API: https://www.swuapi.com/
- goagain.dev: https://goagain.dev/
- TCGCSV: https://tcgcsv.com/docs
- TCGCSV FAQ: https://tcgcsv.com/faq
- TCGplayer API Terms: https://help.tcgplayer.com/hc/en-us/articles/360061115874-TCGplayer-API-Terms-Conditions
- Heroi API and bulk assets: https://heroi.cc/
The app may use Apple platform services including SwiftUI, SwiftData, CloudKit, Sign in with Apple, StoreKit, iCloud, Keychain Services, Photos picker, file import/export, notifications, and camera permissions. Apple is not affiliated with, sponsoring, or endorsing Shapeshifter TCG.
Apple documentation and policy references:
- https://developer.apple.com/icloud/cloudkit/
- https://developer.apple.com/storekit/
- https://developer.apple.com/sign-in-with-apple/
- https://developer.apple.com/app-store/app-privacy-details/
- https://www.apple.com/legal/internet-services/itunes/dev/stdeula/
Deck names, deck descriptions, collection names, notes, friend records, profile fields, avatar images, trade lists, exported files, imported files, QR payloads, and public CloudKit profile/trade records are user-provided or app-generated content. They are not third-party provider content unless they include referenced card data, images, symbols, prices, or other third-party materials.
Users are responsible for the content they enter, import, export, scan, publish, or share.
If attribution is incomplete, inaccurate, or if a rights holder wants content reviewed, corrected, attributed differently, or removed, contact the developer with the relevant details.