Welcome to Cardinal App LLC. We operate the Cardinal mobile application and website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this carefully. If you don't agree with these terms, please don't use Cardinal.

🔒 Quick Summary

We know privacy policies are long. Here's what you need to know:

  • We only collect what we need to make Cardinal work (your gift card info, account details)
  • We NEVER sell your data to anyone. Ever.
  • We use industry-standard encryption to protect your information
  • You can access, change, or delete your data anytime
  • We use Google Analytics and Cloudflare to improve our service
  • Questions? Email us at support@usecardinal.app

1. Information We Collect

1.1 Personal Information You Provide

We collect information that you voluntarily provide when you:

  • Register for an account on Cardinal
  • Contact us for support or with inquiries
  • Subscribe to our Premium service
  • Use features of the Service

This personal information may include:

  • Name and email address
  • Account credentials (username and encrypted password)
  • Profile information and preferences
  • Payment information (processed by third-party payment processors; we do not store full credit card numbers)

1.2 Gift Card Information

When you add gift cards to Cardinal, we collect and store:

  • Gift card retailer/brand name
  • Gift card number (encrypted)
  • Gift card PIN (encrypted, if provided)
  • Card balance (if provided)
  • Expiration date (if applicable)
  • Barcode or QR code images
  • Photos you upload for OCR processing (temporarily processed and then deleted)

1.3 Usage Data (Automatically Collected)

We automatically collect certain information when you access and use the Service:

  • Device information (device type, operating system, device ID)
  • IP address
  • Browser type and version
  • Pages or screens visited within the app
  • Time and date of visits
  • Time spent on pages or screens
  • Crash reports and diagnostic data
  • App performance metrics

1.4 Communications

If you contact us directly (via email or in-app support), we may receive additional information such as your name, email address, the contents of your message, any attachments you send, and any other information you choose to provide.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide and maintain the Service: Creating and managing your account, storing your gift cards, displaying barcodes
  • To send notifications: Expiration reminders for your gift cards
  • To process transactions: Managing your Premium subscription payments
  • To improve our Service: Understanding how users interact with Cardinal to enhance features and fix bugs
  • To provide customer support: Responding to your inquiries and troubleshooting issues
  • To communicate with you: Sending important updates about the Service, policy changes, or new features
  • To ensure security: Detecting and preventing fraud, abuse, and security incidents
  • To comply with legal obligations: Meeting regulatory requirements and responding to legal requests
  • To analyze usage patterns: Using aggregated, anonymized data to understand trends and improve the user experience

4. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties.

We may share your information only in the following limited circumstances:

4.1 Third-Party Service Providers

We work with trusted third-party companies that help us operate and improve our Service. These service providers have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Our current third-party service providers include:

  • Google Analytics: Provides website and app analytics to help us understand user behavior and improve our Service. You can opt out at: policies.google.com/privacy
  • Cloudflare: Provides content delivery network (CDN) and security services. Learn more at: cloudflare.com/privacypolicy
  • Supabase: Provides database hosting, authentication, and backend services. All data is encrypted. Learn more at: supabase.com/privacy
  • Payment Processors: We use third-party payment processors (such as Stripe or Apple/Google in-app purchases) to handle Premium subscription payments. We do not store your full credit card information.
  • OCR Service Providers: We use third-party OCR services to extract text from images of gift cards. Images are processed temporarily and deleted immediately after extraction.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Requests from law enforcement or government agencies
  • Situations involving potential threats to the safety of any person
  • Protection of our rights, property, or safety, or that of our users

4.3 Business Transfers

If Cardinal is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information for any other purpose with your explicit consent.

4.5 Aggregated or Anonymized Data

We may share aggregated or anonymized data that cannot identify you personally (e.g., the total number of gift cards stored by all users, popular gift card brands) for research, marketing, or other purposes.

5. Data Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it:

  • Encryption: All data transmitted between your device and our servers is encrypted using SSL/TLS protocols. Gift card numbers and PINs are encrypted in our database.
  • Access controls: We restrict access to personal information to employees and service providers who need it to perform their duties.
  • Secure authentication: Passwords are hashed using industry-standard algorithms and never stored in plain text.
  • Regular security assessments: We periodically review our security practices and update them as needed.
  • Secure infrastructure: Our servers are hosted by reputable providers with robust security measures.

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information using commercially acceptable means, we cannot guarantee its absolute security. You use our Service at your own risk.

6. Data Retention

We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Specific Retention Periods:

| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 30 days after deletion |
| Gift Card Data | Duration of account + 30 days after deletion |
| Payment Records | 7 years (tax and legal requirements) |
| Analytics Data | 26 months (Google Analytics default) |
| Support Tickets | 3 years after resolution |
| Marketing Preferences | Until consent is withdrawn |
| OCR Photo Uploads | Immediately deleted after processing (not stored) |

When we no longer need your data, we securely delete or anonymize it in accordance with our data retention policies and applicable laws.

7. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach (as required by GDPR and many state laws)
  • Notify relevant regulatory authorities as required by law
  • Provide clear information about what happened, what data was affected, and what steps we're taking to address the issue
  • Offer guidance on what you can do to protect yourself

8. Your Privacy Rights

Depending on where you live, you may have certain rights regarding your personal information. We respect these rights and provide mechanisms for you to exercise them.

8.1 Rights for All Users

All Cardinal users, regardless of location, have the following rights:

  • Access your data: Request a copy of the personal information we hold about you
  • Correct your data: Update or correct inaccurate information
  • Delete your data: Request deletion of your account and associated data
  • Withdraw consent: Opt out of marketing communications at any time
  • Export your data: Receive a machine-readable copy of your gift card data

8.2 Additional Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR:

  • Right to access: Request copies of your personal data
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure (right to be forgotten): Request deletion of your data under certain conditions
  • Right to restrict processing: Request limitation of how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format and transfer it to another service
  • Right to object: Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: Withdraw consent for specific processing activities at any time
  • Right to lodge a complaint: File a complaint with your local data protection authority

To exercise these rights: Contact us at support@usecardinal.app. We will respond within 30 days.

Supervisory Authority: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. Find your authority at: edpb.europa.eu

8.3 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete: Request deletion of your personal information (subject to certain exceptions)
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt-out: We do not sell or share your personal information for cross-context behavioral advertising, so there is no need to opt out
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights

To exercise these rights: Submit a request to support@usecardinal.app. We will verify your identity and respond within 45 days.

We do not sell or share personal information for cross-context behavioral advertising.

8.4 Rights for Canadian Residents (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Right to know: Understand what personal information we collect about you and why
  • Right to access: Request access to your personal information
  • Right to correct: Challenge the accuracy and completeness of your information and have it amended
  • Right to withdraw consent: Withdraw your consent to data collection, use, or disclosure (subject to legal/contractual restrictions)
  • Right to complain: File a complaint with the Privacy Commissioner of Canada

Contact: support@usecardinal.app | Authority: Office of the Privacy Commissioner of Canada - priv.gc.ca

9. How to Exercise Your Rights

9.1 Submit a Request by Email

  • Email: support@usecardinal.app
  • Subject line: "Privacy Rights Request" or "Data Request"
  • Include: Your full name, email address associated with your account, and a description of your request

9.2 Delete Your Account In-App

You can delete your account directly from the Cardinal app by going to Settings → Account → Delete Account. This will permanently delete your account and all associated data within 30 days.

9.3 Identity Verification

To protect your privacy, we may ask you to verify your identity before processing your request.

9.4 Response Time

  • We will respond within 30 days for most jurisdictions
  • Within 45 days for California residents under CCPA

9.5 No Fees

We do not charge fees for exercising your privacy rights, except in cases of manifestly unfounded or excessive requests.

10. Cookies and Tracking Technologies

Cardinal uses limited cookies and tracking technologies to provide and improve our Service.

10.1 Types of Cookies We Use

  • Essential cookies: Required for authentication and basic app functionality
  • Analytics cookies: Help us understand how users interact with Cardinal (Google Analytics)
  • We do NOT use: Advertising cookies, social media cookies, or third-party tracking cookies

10.2 Local Storage

Our mobile app uses local device storage (not browser cookies) to save your preferences and app settings. This data is stored only on your device and is not transmitted to our servers unless you create an account.

10.3 Do Not Track (DNT)

Currently, we do not respond to Do Not Track (DNT) browser signals because there is no universal standard for how to interpret them. However, you can control cookies through your browser settings.

10.4 Opt-Out of Analytics

You can opt out of Google Analytics by:

  • Installing the Google Analytics Opt-out Browser Add-on: tools.google.com/dlpage/gaoptout
  • Adjusting your device's advertising settings (iOS: Settings → Privacy → Tracking; Android: Settings → Google → Ads)

11. International Data Transfers

Cardinal is based in the United States. If you access our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

These countries may have data protection laws that differ from your country of residence. However, we take steps to ensure that your data receives an adequate level of protection:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA/UK to the US
  • We work with service providers who are committed to data protection principles similar to those in the GDPR
  • We maintain appropriate technical and organizational security measures as described in this policy

12. Children's Privacy

Cardinal is not intended for children under the age of 13 (or 16 in the EEA/UK).

We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at support@usecardinal.app, and we will:

  • Verify the situation
  • Delete the child's information from our systems as soon as possible
  • Take steps to prevent the child from accessing the Service

13. Third-Party Links

Our Service may contain links to third-party websites, services, or retailers. We are not responsible for the privacy practices or content of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last Updated" date at the top of this policy
  • For material changes, we will notify you by email or through a prominent notice in the app
  • We will give you at least 30 days' notice before any material changes take effect

Your continued use of the Service after the updated Privacy Policy takes effect means you accept the changes. If you do not agree with the changes, please stop using the Service and delete your account.

15. Additional Information

15.1 Data Controller

For the purposes of GDPR and other data protection laws, Cardinal App LLC is the data controller responsible for your personal information.

15.2 Data Protection Officer

For questions about data protection or to exercise your GDPR rights, you can contact our Data Protection contact at: support@usecardinal.app

15.3 Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

15.4 California Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

📧 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: Cardinal App LLC
Website: usecardinal.app
Address: 617 Pennsylvania Avenue, South Bend, Indiana 46613, United States

We typically respond to inquiries within 48 hours during business days.

BY USING CARDINAL, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO ITS TERMS.

This Privacy Policy was last updated on January 15, 2026 • Document Version 1.0