← Back to Cardwell

Privacy Policy

Effective: March 19, 2026

1. Introduction

Cardwell Inc. ("Cardwell," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we collect, use, store, and share information when you use the Cardwell application and website (the "Service").

2. Information We Collect

a. Information You Provide

  • Account data: Email address, display name, and avatar (when you sign up)
  • Gift card data: Store names, card balances, expiration dates, and optional card numbers or PINs that you choose to enter
  • Transaction data: Spending records you log within the app
  • Preferences: Notification settings, privacy preferences, and consent choices

b. Information Collected Automatically

  • Usage data: Pages visited, features used, and interaction patterns (used to improve the Service)
  • Device data: Browser type, operating system, and screen size
  • Deal click data: When you click on a deal link, we record the click for analytics and affiliate tracking purposes

c. Information We Do Not Collect

  • We do not collect payment card numbers (credit/debit). Subscription payments are processed securely by Stripe; we never see or store your payment card details.
  • We do not access your contacts, camera, or microphone without explicit permission.
  • We do not sell your personal information to third parties.

3. How We Use Your Information

  • To provide and maintain the Service (balance tracking, alerts, deal discovery)
  • To personalize your experience (matching deals to your gift cards)
  • To send notifications you have opted into (expiration alerts, deal alerts, rewards)
  • To process subscription payments via Stripe
  • To improve the Service through aggregated, anonymized analytics
  • To comply with legal obligations

4. Data Security

We take data security seriously. Sensitive gift card information (card numbers and PINs) is encrypted at rest using AES-256 encryption at the database level. All data is transmitted over HTTPS/TLS. Access to user data is restricted through row-level security policies, meaning only you can access your own records.

5. Third-Party Services

We share limited data with the following third-party services:

  • Supabase — Database hosting, authentication, and real-time services (your data is stored securely on Supabase infrastructure)
  • Stripe — Payment processing for Premium subscriptions (Stripe handles all payment data; we never see your card number)
  • Vercel — Web application hosting and edge delivery

We do not sell, rent, or trade your personal information to advertisers or data brokers.

6. Cookies and Tracking

Cardwell uses essential cookies required for authentication and session management. We may use optional analytics cookies (such as PostHog) to understand how users interact with the Service. You can manage your cookie preferences at any time through the cookie banner displayed on your first visit.

7. Data Retention

  • Account and profile data: Retained until you delete your account
  • Gift card data: Retained until you delete the card or your account
  • Transaction history: Retained for up to 7 years for financial record-keeping
  • Notifications: Automatically purged after 90 days
  • Deleted account data: Permanently erased within 30 days of deletion request

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

All Users

  • Access: View all data we hold about you via the Privacy Dashboard in Settings
  • Export: Download a complete copy of your data at any time
  • Deletion: Delete your account and all associated data from Settings
  • Correction: Update your profile information at any time
  • Opt-out: Manage notification preferences and revoke analytics consent

California Residents (CCPA)

Under the California Consumer Privacy Act (CCPA), California residents have the right to: (a) know what personal information is being collected; (b) request deletion of personal information; (c) opt out of the sale of personal information (we do not sell your data); (d) non-discrimination for exercising your privacy rights.

EU/EEA Residents (GDPR)

Under the General Data Protection Regulation (GDPR), EU/EEA residents have the right to: (a) access and portability of your data; (b) rectification of inaccurate data; (c) erasure ("right to be forgotten"); (d) restriction of processing; (e) object to processing; (f) lodge a complaint with a supervisory authority.

9. Children's Privacy

The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@cardwellapp.com.

10. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours via email and in-app notification, as required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification or email. The "Effective" date at the top reflects the most recent revision.

12. Contact Us

For privacy-related questions, data access requests, or to exercise your rights, contact us at: privacy@cardwellapp.com.

© 2026 Cardwell Inc. All rights reserved.