Privacy policy

What I collect, why, and who else sees it.

This is a one-operator shop. The data I keep is what I need to fulfill orders, send the emails you signed up for, run the membership math, and not get defrauded. Nothing’s sold, brokered, or syndicated.

Who’s doing the processing

500 PLUS, LLC (Delaware), operating Moon Stone TCG at moonstonetcg.com. 131 Continental Dr, Suite 305, Newark, DE 19713. Privacy questions: max@moonstonetcg.com. There’s no separate data-protection officer because there’s no separate anything: one operator.

What I collect from you

  • Account info: name, email, password hash. Created when you join the membership or place an order.
  • Order info: the items you ordered, the prices and landed-cost breakdown at the time of the order, your shipping address, your billing ZIP for tax. I don’t see or store full card numbers; that runs through Shopify Payments.
  • Communication: emails you send me, support history, any notes I make on your account (e.g., “sent replacement on order #1234”).
  • Site usage: page views, IP, device, referring page, basic event-level interaction. Used for fraud prevention, debugging, and figuring out what to fix next. Not used to build a profile to sell.
  • Marketing preferences: whether you’re subscribed to drop alerts, renewal reminders, and operator updates. You set these; you can change them anytime.

What I don’t collect

  • I don’t buy or enrich third-party data about you. No data brokers, no “identity resolution,” no cross-site cookie graphs.
  • I don’t serve ads on this site, so there’s no ad-network pixel set on you here.
  • I don’t collect information from children under 13. If you’re under 18, you shouldn’t be creating a membership account.

Why I have it

  • Fulfilling the order. Address goes to the 3PL so they can ship the box. Payment data is processed by Shopify Payments / Shop Pay. That’s the bulk of it.
  • Running the membership. I need to know who’s a member, when you joined, what your cap usage is, and when your renewal is. That data lives in Shopify and is mirrored to the dashboard you see when you log in.
  • Sending emails you opted into. Welcome, drop alerts, renewal reminders, cancellation acknowledgments, and operator updates. You control which of these you receive from your dashboard or via the unsubscribe link on any email.
  • Fraud prevention & abuse. Patterns that look like card testing, account farming, or chargeback abuse. Three chargebacks in 30 days from one member triggers automatic action (this is also in the terms).
  • Improving the shop. Aggregate analytics: which products people click, where the calculator gets stuck, what pages lead to memberships. Always in aggregate, not in a way that targets any individual member.

Who else sees it

  • Shopify (e-commerce platform, payment processing, hosting). Handles checkout, stores order data, processes cards. Their privacy policy governs the platform layer: shopify.com/legal/privacy.
  • Klaviyo (transactional + marketing email). Knows your email, name, what you’ve ordered, whether you’ve opened or clicked emails. klaviyo.com/legal/privacy-policy.
  • Third-party logistics partner (the 3PL that picks, packs, and ships). Sees your name, shipping address, and the items on the order. Doesn’t see payment info.
  • Shipping carriers (UPS, USPS, FedEx). See your shipping address and parcel weight; that’s how parcels get to you.
  • Tax / accounting. Aggregate sales and tax data for filings. No individual transaction-level detail leaves the operation except as required by law.
  • Law enforcement, but only with a valid legal demand. I’ll tell you about it unless legally prohibited from doing so.

I don’t sell your personal information. I don’t “share” it for cross-context behavioral advertising. Under California’s privacy law (CCPA/CPRA), I haven’t sold or shared personal information in the past 12 months.

Cookies & site tech

The site uses a small set of cookies and local-storage entries:

  • Shopify session: keeps you logged in and your cart populated.
  • Klaviyo: identifies returning subscribers so the emails you get reflect your actual activity.
  • Operator analytics: first-party page-view counts (no ad network).
  • UTM & referral parameters: if you arrive via a link with tracking parameters, I keep the parameters with the order so I know which channels drive memberships.

You can clear cookies anytime in your browser. Clearing them logs you out and resets your local preferences but doesn’t delete your account.

Your rights

If you’re in California, Virginia, Colorado, Connecticut, Utah, or any other state with a privacy-rights law that applies to a shop this size, you have rights including:

  • Access: ask what data I have about you and get a copy.
  • Correction: fix something that’s wrong (you can also do this from your dashboard for most fields).
  • Deletion: close your account and have your personal data removed. I’ll keep a minimal record of completed transactions where I’m legally required to (tax, fraud, chargeback dispute history).
  • Opt out of marketing: use the unsubscribe link on any email or the toggle on your dashboard. Transactional emails (order confirmations, shipping notifications, replacement-policy responses) still go through.
  • Authorized agent: you can have someone make a request on your behalf. I’ll need to confirm with you before acting.

To exercise any of these, email max@moonstonetcg.com with the request. I’ll confirm your identity (usually a reply from the email on file is enough) and respond within 45 days, faster in practice. I don’t charge for these requests and I won’t retaliate.

How long I keep it

  • Account & order data: for as long as you have an account, plus a 4-year tail after closure for tax and chargeback-window purposes (US tax authorities can audit back 3 years; chargeback windows close around 540 days).
  • Marketing engagement (opens, clicks): 24 months rolling, then aggregated.
  • Site analytics: 14 months at the event level, then aggregated.
  • Email correspondence: kept as long as the account is open, then purged on the same 4-year tail as order data.

Security

Payment processing is PCI-DSS handled by Shopify Payments. Operational data sits inside Shopify’s and Klaviyo’s production infrastructure (both SOC 2 / commercial-grade). I use TLS for everything in transit, MFA on all operator accounts, and least-privilege access for the 3PL. No system is unhackable; if something material happens, I’ll tell affected members by email within the legally required window (and faster if I can).

Children

Membership is for adults (18+). I don’t knowingly collect data from anyone under 13. If you believe I have information about a child, email me and I’ll delete it.

International

Memberships and shipping are US-only right now. If that changes, this policy will be updated to cover the relevant jurisdictions before any non-US data is processed.

Changes

If I change this policy in any material way (new processors, new data categories, changed retention), I’ll email active members ahead of the change and the updated date below will reflect when it took effect.

Contact

Privacy questions, data requests, or anything else: max@moonstonetcg.com.

Last updated: 2026-06-27.