CardStoragePrivacy Policy
Effective date: May 4, 2026
CardStorage ("we", "us", or "our") operates the CardStorage mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We act as the data controller for the personal data described in this policy. We collect only the data necessary to provide the Service and process it only for the purposes described below.
At a glance:
- We store the cards, folders, and photos you create — for loyalty, membership, and similar non-payment cards.
- We use Supabase (storage and auth), RevenueCat (subscriptions), and Apple / Google (sign-in and wallet).
- We never sell your personal data.
- You can delete your account and all your data at any time from Account Settings → Danger Zone.
- Website analytics and push notifications require your explicit consent.
- Family Sharing shows only limited card info (number, name, brand) to members you choose to invite.
- For questions or to exercise your rights, contact support@cardstorage.app.
Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address — used for account creation, authentication, and service communications.
- Name — collected when provided during registration or obtained from a third-party sign-in provider (Apple or Google).
- Profile photo — obtained from your Apple or Google account if you sign in with those providers and grant permission.
- Password — for email/password accounts only, stored as a hashed value and never in plain text. Apple and Google Sign-In users do not have a password stored by us.
1.2 Sign-In via Third-Party Providers
If you choose to sign in with Apple or Google, we receive information from those providers in accordance with your settings and their privacy policies:
- Sign in with Apple — we may receive your name and email address. Apple may give you the option to use a private relay email address to protect your identity.
- Sign in with Google — we receive your name, email address, and profile photo from your Google account.
We do not receive your passwords from these services.
1.3 Payment and Subscription Information
CardStorage offers premium features through in-app purchases and subscriptions processed by the Apple App Store and Google Play Store. We use RevenueCat to manage subscription state and entitlements.
We do not store your credit card numbers or full payment details. We receive:
- Subscription status (active, expired, trial, etc.)
- Purchase history and entitlements
- An anonymized subscriber identifier assigned by RevenueCat
1.4 Wallet Data
CardStorage integrates with Apple Wallet and Google Wallet to let you add cards to your digital wallet. When you use these features:
- We transmit the card data you choose to add to Apple or Google for provisioning.
- We do not store your wallet credentials or payment card numbers on our servers.
- Your use of Apple Wallet and Google Wallet is governed by Apple's and Google's respective privacy policies.
1.5 Usage Data
We automatically collect certain technical information when you use the Service, including:
- Device type, operating system, and version
- App version
- Log and crash data
- Feature interactions within the app
1.6 Card Data and User-Generated Content
CardStorage is designed for storing loyalty, membership, gift, store, and similar non-payment cards. We do not process payment card data and are not a payment service. When you manage cards and folders in the Service, we collect and store:
- Card details — card number, cardholder name, card brand, expiry date, and any other information you choose to enter.
- Folders — names and organisational structure you create.
- Card photos — if you upload a front or back side photo of a card, the image is stored securely in Supabase Storage and associated with your account.
This data is stored solely to provide the Service to you and is not used for any other purpose.
1.7 Family Sharing
If you subscribe to the Family plan and create or join a family group:
- Your name and profile photo may be visible to other members of your family group.
- If you enable the Share option on a specific card, the following limited information becomes visible to your family members: card number, cardholder name, and card brand. No other card details (such as photos, expiry date, or notes) are shared.
- Card sharing is opt-in and controlled by you on a per-card basis. You can disable it at any time.
- Family invite links are single-use and expire once accepted or after 30 days if not accepted.
- We do not store the recipient's identity before they accept an invitation.
- If the Family Organiser deletes their account, the family group is immediately dissolved and all shared card information becomes inaccessible to Family Members. Each member's personal data and their own cards remain unaffected.
1.8 Website Analytics
On our website we use Google Analytics (provided by Google LLC) to understand how visitors use the site. This may include:
- Pages visited, time spent, and navigation paths
- Browser type, screen resolution, and device information
- General geographic location (country or region)
- Referral source and search terms
- Events and interactions on the site
This data is collected in aggregate and used solely to improve the website. Analytics data is retained for no longer than 14 months. IP addresses are anonymised before storage. We do not sell this data. Google's privacy policy is available at policies.google.com/privacy.
1.9 Cookies and Tracking Technologies
Our website uses cookies and similar technologies. Cookies are small text files stored on your device. We use:
- Essential cookies — strictly necessary for the site to function (e.g., session management, security). These are always active.
- Analytics cookies — used to understand how visitors interact with the site. Set only with your consent.
- Preference cookies — used to remember your settings (e.g., theme preference). Set only with your consent.
On your first visit, we display a cookie consent banner where you can accept or decline non-essential cookies. You can update your preferences at any time through the cookie settings link in the website footer. Declining analytics and preference cookies does not affect your ability to use the site.
1.10 Push Notifications
If you grant permission, we may send push notifications to your device (mobile app) or browser (website) to inform you about account activity, shared cards, family invitations, and other relevant updates. We do not send marketing or promotional push notifications.
You can withdraw consent and disable push notifications at any time through your device or browser settings. Disabling notifications does not affect your ability to use the Service.
1.11 Support Tickets
When you submit a support request through the website or app, we collect:
- Your name and email address
- A description of your issue or enquiry
- Any attachments or screenshots you choose to include
This information is used solely to respond to your request and resolve your issue. Support tickets are retained for up to 2 years to track recurring issues and improve the Service.
1.12 Brand Requests
When you submit a brand request, we collect:
- A photo or image of the card associated with the brand
- Links to social media profiles or websites you provide
- Your account information (name and email) as the submitter
Brand request data is used to review and process your request. Submitted photos and links are retained for up to 1 year after the request is processed, or until you request deletion, whichever comes first.
2. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Provide, maintain, and improve the Service
- Process transactions and manage subscriptions
- Enable and manage Family Sharing features
- Send push notifications (where you have granted permission)
- Send transactional emails (e.g., password resets, account confirmations, account deletion confirmation)
- Respond to support requests and manage support tickets
- Review and process brand requests
- Monitor and analyse usage patterns to improve features
- Detect and prevent fraudulent or unauthorised activity
- Comply with legal obligations
We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you (see Section 9).
3. Data Sharing and Disclosure
We may share your information with:
- Supabase — our backend infrastructure provider (database, authentication, and storage), acting as a data processor on our behalf under a Data Processing Agreement.
- RevenueCat — subscription management, acting as a data processor on our behalf. RevenueCat receives an anonymised subscriber ID and purchase metadata.
- Apple and Google — when you use Sign in with Apple/Google or Wallet features, data is shared as required to facilitate those services.
- Family members — if you enable the Share option on a card, members of your family group can view limited card information (card number, cardholder name, and card brand). This is controlled by you per card and can be revoked at any time.
- Google Analytics (Google LLC) — aggregated, anonymised website usage data only, collected with your consent. Google acts as a data processor under our instructions.
- Law enforcement or regulatory bodies — when required by applicable law, court order, or government regulation.
4. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers are located:
- Supabase — infrastructure hosted in the US and/or EU depending on region configuration.
- RevenueCat — headquartered in the United States.
- Apple and Google — global operations with data centres worldwide.
Where we transfer personal data from the EEA or UK to countries not deemed to provide an adequate level of protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK equivalent. You may request a copy of the applicable safeguards by contacting us at support@cardstorage.app.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion (see Section 6):
- Your profile data, cards, photos, and settings are immediately and permanently removed.
- If you are the Family Organiser, your family group is dissolved immediately and shared data becomes inaccessible to all Family Members.
- Anonymised usage statistics that cannot be linked back to you may be retained indefinitely.
- Purchase records may be retained as required by applicable financial or tax regulations and are not linked to an identifiable profile after deletion.
- Support ticket records are retained for up to 2 years from submission.
- Brand request data is retained for up to 1 year after processing.
6. Account Deletion
You may request deletion of your account at any time from the Danger Zone section in your account settings, available in both the mobile app and on the website.
How it works
- Go to Account Settings → Danger Zone and tap or click Delete Account.
- We send a confirmation email to your registered address.
- Click the confirmation link in the email to verify your intent.
- Your account is immediately and permanently deleted upon confirmation.
The confirmation link expires after 24 hours. If you do not confirm, your account remains active and no data is removed.
What is deleted
The following data is permanently removed immediately upon confirmation:
- Your profile information (name, email address, profile photo)
- All cards, folders, and photos you have stored in the Service
- Your app preferences and settings
- Your family group and all associated sharing permissions (if you are the Family Organiser)
What is retained
Certain data may be retained after deletion:
- Anonymised usage statistics that cannot be linked back to you — retained indefinitely to improve the Service.
- Purchase records — retained as required by applicable financial and tax regulations. This data is not linked to an identifiable profile after deletion.
Active subscriptions
Deleting your account does not automatically cancel an active App Store or Google Play subscription. To avoid future charges, cancel your subscription in your App Store or Google Play account settings before deleting your account.
7. Security
We implement industry-standard security measures to protect your data, including:
- Encrypted data transmission (TLS)
- Hashed password storage (applicable to email/password accounts only)
- Row-level security on our database
- Access controls limiting who can view user data
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
8. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, in accordance with applicable law.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Breach notifications to users will be sent to your registered email address and will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures we are taking to address it.
If you believe your account has been compromised, contact us immediately at support@cardstorage.app.
9. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data
- Object to processing based on legitimate interests — we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests
- Restrict certain processing activities
- Data portability — request a copy of your personal data in a structured, machine-readable format by contacting us at support@cardstorage.app (there is no in-app export feature)
- Withdraw consent at any time where processing is based on consent (including cookie preferences and push notifications), without affecting the lawfulness of processing before withdrawal
Automated decision-making. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22.
To exercise any of these rights, contact us at support@cardstorage.app. We will respond within one month of receiving your request, as required by applicable law.
Legal bases for processing (EEA and UK)
| Processing activity | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract |
| Providing the Service (cards, folders, family sharing) | Performance of a contract |
| Processing transactions via Apple / Google | Performance of a contract |
| Sending transactional emails | Performance of a contract |
| Fraud prevention and security | Legitimate interests |
| Analytics and Service improvement | Legitimate interests |
| Push notifications | Consent |
| Non-essential cookies | Consent |
| Compliance with legal obligations | Legal obligation |
California residents (CPRA / CCPA): You have the right to know what personal information we collect, request its correction or deletion, limit the use of sensitive personal information, and opt out of the sale or sharing of personal information. We do not sell or share personal information.
EEA and UK residents (GDPR / UK GDPR): You may lodge a complaint with your local data protection authority at any time. A list of EEA supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk).
10. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us at support@cardstorage.app and we will delete it within 30 days.
11. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before sharing any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the Effective date at the top of this page. For material changes, we will notify you via email or an in-app notice at least 14 days before the changes take effect. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
13. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us:
CardStorage Ihor Rosliakov Ukraine Email: support@cardstorage.app