Privacy Policy
Effective date: March 16, 2026
1. Introduction
Acardai LLC (“Acardai,” “we,” “our”) operates the web application at acardai.com. This Privacy Policy explains how we collect, use, store, and share your personal information when you use our service.
By creating an account or using Acardai, you agree to the practices described in this policy. If you do not agree, please do not use the service.
2. Information We Collect
Account Information
- Name, email address, and account credentials
- Authentication provider (Google, Apple) if using OAuth
- Subscription tier and billing status
Wallet & Card Data
- Credit card names, issuers, networks, and reward categories you add to your wallet
- Last 4 digits of card numbers (optional, for your identification only)
- Loyalty program account numbers (encrypted at rest with AES-256-GCM)
What We Do NOT Collect
- Full credit card numbers, CVVs, PINs, or security codes
- Bank account numbers or login credentials
- Plaintext passwords (we store only bcrypt hashes)
Usage Data
- Recommendations requested and viewed
- Feature interactions (for product improvement)
- IP addresses and browser user-agent strings (for security and session management)
3. How We Use Your Information
- Provide and improve our credit card recommendations and benefit tracking services
- Manage your account and authenticate your identity
- Process subscription billing through Stripe
- Send transactional emails (password resets, benefit reminders, billing receipts)
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
We do not sell your personal information. We do not use your data for advertising.
4. Third-Party Services
We share limited data with the following service providers, solely to operate the service:
- Stripe — payment processing (billing details only)
- SendGrid — transactional email delivery
- Fly.io — application hosting infrastructure
- Sentry — error monitoring (anonymized stack traces)
Each provider is bound by its own privacy policies and data processing agreements. We do not share data with data brokers or ad networks.
5. Data Security
- Loyalty account numbers are encrypted at rest using AES-256-GCM
- Passwords are hashed with bcrypt (cost factor 12)
- All connections use TLS/HTTPS encryption in transit
- Access tokens expire after 15 minutes; refresh tokens after 30 days
- Session activity is logged for security auditing
6. Your Rights
Access & Export
You can download all data we hold about you at any time from Settings > Privacy & Data. The export is provided as a JSON file.
Deletion
You can request account deletion from Settings > Privacy & Data. Your account will be deactivated immediately with a 30-day grace period during which you can restore it. After 30 days, all data is permanently deleted.
California Residents (CCPA)
California residents have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact [email protected].
7. Cookies
We use strictly necessary cookies for authentication (access tokens and refresh tokens). We do not use advertising or third-party tracking cookies. Analytics, if enabled, use privacy-focused tools with anonymized data.
8. Data Retention
We retain your data for as long as your account is active. After account deletion (following the 30-day grace period), all personal data is permanently removed from our systems. Anonymized, aggregated data may be retained for analytics.
9. Children's Privacy
Acardai is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a minor has provided us with personal information, please contact us immediately.
10. Changes to This Policy
We will notify you of material changes at least 30 days in advance via email. Your continued use of the service after the effective date of any changes constitutes acceptance of the updated policy.