Effective Date: April 17, 2026 | Last Updated: April 17, 2026 | Version: 2.0
This policy supersedes all prior versions. Previous versions are available on request from privacy@cardcuepro.com. We review and refresh this policy at least annually.
Data Controller: Pika Product Lab LLC (doing business as “CardCue Pro”), a Utah limited liability company [TO-FILL: company file/EIN number], with registered address at [TO-FILL: street, city, postal code, Utah, United States] (“we”, “us”, “our”). In this policy “CardCue Pro” refers to both the registered DBA name and the mobile app published under the same name on the Apple App Store.
Data Protection Contact / Privacy Officer: [TO-FILL: Name or designated role] – privacy@cardcuepro.com.
Privacy Officer (Canada / Quebec Law 25): [TO-FILL: Name and role] – privacy@cardcuepro.com.
Encarregado (LGPD Brazil Art. 41): [TO-FILL: Name and role] – privacy@cardcuepro.com.
Information Officer (POPIA South Africa s. 55): [TO-FILL: Name and role – defaults to CEO if not designated] – privacy@cardcuepro.com.
Grievance Officer (India DPDP Act): [TO-FILL: Name and role] – privacy@cardcuepro.com.
Data Protection Officer (Singapore PDPA): [TO-FILL: Name and role] – privacy@cardcuepro.com.
This policy applies to the CardCue Pro mobile app for iOS, iPadOS, watchOS, and any companion website at cardcuepro.app. Cue is offered for use by adults aged 18 or older in the jurisdictions where the app is published on the Apple App Store; it is not currently available in the European Economic Area, the United Kingdom, Switzerland, mainland China, Russia, Belarus, Iran, North Korea, Syria, Cuba, or territories subject to comprehensive U.S. sanctions. See Section 11 for the age-gate policy and the App Store availability page for the current country list.
If you are under 18, or under the applicable age of digital consent in your jurisdiction (whichever is higher), you may not use CardCue Pro. See Section 11 for the full age-gate policy.
We collect only the information necessary to run CardCue Pro. Each category is listed with the purpose, storage location, and whether it leaves your device.
| Category | Examples | Where it's stored | Leaves device? |
|---|---|---|---|
| Card content you add | Card name, type, balance, expiry, notes, optional photo, optional card number, PIN, barcode | On-device SwiftData; card numbers/PINs/barcodes in iOS Keychain; copied to Supabase only if you enable Pro cloud sync | Only with opt-in cloud sync |
| Account identifiers | Email address (if email sign-up); Apple ID relay email (Sign in with Apple); anonymous auth token | Supabase Auth | Yes, to Supabase |
| Photos taken for AI scanning (Pro) | Photo of the front/back of a gift card | Sent in-flight to Anthropic's Claude API; retained per Anthropic's default commercial terms (up to 30 days for Trust & Safety unless a zero-retention agreement is in place) | Yes, to Anthropic (Pro only) |
| Location data | Coarse location used to decide "you're near a store" alerts | On-device only, never transmitted to our servers | No |
| Contacts (optional) | Names and birthday dates of contacts you explicitly authorize, used only to surface upcoming-birthday gift-card reminders | On-device only, never transmitted | No |
| Anonymous analytics events (opt-in) | Event names (e.g. card_added, paywall_shown), anonymous device ID. Never card content, balances, photos, or location | PostHog (US or EU cloud, routed by device region) | Only if you opt in |
| Crash & performance diagnostics | Crash logs you choose to share with developers via iOS Settings → Privacy & Security → Analytics & Improvements → "Share with App Developers" | Apple App Store Connect (no third-party crash SDK is bundled) | Only if you've enabled iOS-level diagnostics sharing |
| Subscription & transaction state | App Store receipt, entitlement status (Free / Pro) | Apple; we read the entitlement via StoreKit 2 on-device | With Apple only |
| Support correspondence | Emails you send us | Our email provider's servers | Yes, to our email provider |
The following subprocessors help us deliver CardCue Pro. Each is bound by a written data-processing agreement and by confidentiality, security, and purpose-limitation obligations under applicable law (e.g. LGPD Art. 39, PIPEDA Principle 4.1.3, APPI Art. 25, CCPA § 1798.100(d)).
| Subprocessor | Purpose | Data accessed | Primary location | Transfer safeguards |
|---|---|---|---|---|
| Apple Inc. | Sign in with Apple, App Store StoreKit, MapKit, Push Notifications, iCloud backup | Apple-relay email, receipt, anonymous push token | United States (global infrastructure) | Bound by Apple's own Privacy Policy and the Apple Developer Program License Agreement |
| Supabase Inc. | Cloud sync and account auth (Pro, opt-in) | Email, card data you elect to sync, auth tokens | United States | Data Processing Agreement; encrypted in transit (TLS 1.2+) and at rest; row-level security. Supabase Privacy Policy |
| Anthropic PBC | AI card scanning. Claude API processes card photos to extract text (Pro, per-scan) | Card photos you take while scanning | United States | Commercial Terms and Zero-Data-Retention amendment where in place; see Section 9. Anthropic Privacy Policy |
| PostHog Inc. | Product analytics: opt-in in the iOS app (default OFF), on-by-default (respects Do Not Track) on the marketing website cardcuepro.app | App: event names (e.g. card_added), anonymous device ID, app-version metadata. Website: pageviews, button / link clicks, referrer, screen-size bucket, anonymous visitor ID. Never your card content, balances, photos, location, card numbers / PINs, email, or name. | United States (us.i.posthog.com) | Data Processing Agreement; anonymous identifiers only; strict purpose-limitation to product improvement. PostHog Privacy Policy |
| Email provider | Support email intake and sending | Your email address and message body when you contact us | [TO-FILL: e.g. "Google Workspace. United States"] | Data Processing Addendum |
We do not use advertising SDKs, ad networks, remarketing pixels, fingerprinting SDKs, data brokers, or any other third-party tool whose purpose is cross-app/cross-site tracking for advertising.
Every processing activity in Cue is tied to at least one lawful basis. The table below summarises the purpose and legal basis for each activity, using the shared vocabulary of consumer-privacy laws we operate under (CCPA, LGPD, PIPEDA, APPs, APPI, PIPA, PDPA, POPIA, DPDP Act). Jurisdiction-specific rights are enumerated in Section 14.
| Purpose | Data used | Legal basis |
|---|---|---|
| Storing and displaying your gift card balances | Card content you add | Performance of the contract with you |
| Syncing cards across your devices (Pro) | Card content, account identifiers | Performance of the contract |
| Nearby-store and expiration notifications | Location (on-device), card content | Performance of the contract + your opt-in permission for notifications |
| AI card scanning (Pro) | Card photo you take | Performance of the contract, invoked only on your explicit per-scan action |
| Account authentication | Email, Apple ID relay email, auth token | Performance of the contract |
| Crash diagnostics | Crash logs you've opted into sharing with developers at the iOS level | Legitimate interest in keeping the app stable; we receive only what Apple sends through App Store Connect, which you control through iOS Settings → Privacy & Security → Analytics & Improvements. |
| Product analytics | Event names, anonymous device ID | Your opt-in consent |
| Security and fraud prevention | Auth tokens, anonymous device ID | Legitimate interest |
| Responding to support requests and privacy-rights requests | Your message + account identifiers | Legitimate interest + compliance with legal obligation |
| Complying with subpoenas, court orders, and statutory obligations | As required | Legal obligation |
CardCue Pro is a native iOS app and does not use web cookies. In-app product analytics (PostHog) are opt-in only: the toggle in Settings → Privacy & Support defaults to OFF and must be explicitly turned on. No event is sent until both the toggle is on and (on iOS 14.5+) you have granted App Tracking Transparency permission.
cardcuepro.app)
The website uses one product-analytics service, PostHog, to measure which pages are read, which CTAs are clicked, and where visitors drop off. We use that data for one purpose: knowing where the site falls short so we can improve it. PostHog stores an anonymous visitor ID in localStorage and a cookie named ph_*.
What gets captured:
What is never captured on the website:
Do Not Track: If your browser sends a Do Not Track (DNT) or Global Privacy Control (GPC) signal, PostHog is disabled for your visit: no pageviews, no clicks, no cookies. You don't have to do anything beyond flipping the browser setting.
Opt out manually: If your browser doesn't send DNT and you still want to opt out, open the browser console on any cardcuepro.app page and run posthog.opt_out_capturing(). The opt-out is stored in localStorage and persists until you clear site data. We'll ship a one-click opt-out button here in the next site revision.
No advertising or retargeting cookies are set by this site under any circumstance. We do not participate in ad networks, do not place retargeting pixels, and do not use any SDK whose primary purpose is cross-site tracking for advertising.
We do not track you across apps or websites owned by other companies and do not share your data with data brokers. Because of that, we do not currently trigger the ATT prompt. The Info.plist includes an NSUserTrackingUsageDescription string as a safeguard in case a future feature requires tracking; that feature is disabled today and will prompt you for consent before activating.
We honor Global Privacy Control signals on our website (see 6.2 above). Because Cue does not sell or share personal information for cross-context behavioral advertising, no additional in-app opt-out is required under California CPRA, Colorado CPA, Connecticut CTDPA, Oregon OCPA, New Jersey, or Delaware DPDPA regulations.
Telemetry consent: Product analytics (PostHog) are strictly opt-in and default to off in the iOS app. We do not bundle a third-party crash-reporting SDK; production crash diagnostics, when received, come exclusively through Apple's App Store Connect crash channel, which the user controls through iOS Settings → Privacy & Security → Analytics & Improvements → "Share with App Developers". Withdrawal of consent is as easy as giving it and does not affect the lawfulness of prior processing.
We apply the following technical and organizational measures:
kSecAttrAccessibleWhenUnlocked) for card numbers, PINs, barcodes, and authentication tokens. Keychain items are backed up to iCloud only if you have iCloud Keychain enabled and survive device-to-device transfer.
LAPolicy.deviceOwnerAuthentication.
PrivacyInfo.xcprivacy) shipped with every build.
No method of transmission or storage is 100% secure. We commit to the breach-notification process in Section 10.
| Data category | Retention | Basis |
|---|---|---|
| Local card data (SwiftData + Keychain) | Until you delete it or uninstall the app | You control |
| Cloud-synced cards (Supabase) | Until you delete your account, or 36 months of continuous account inactivity, whichever comes first | Contract / user request |
| Supabase auth records (email, user_id) | Until account deletion | Contract |
| Anthropic AI-scan images | Retained by Anthropic per its commercial terms (up to 30 days for Trust & Safety) unless a zero-retention agreement is active | Controlled by Anthropic |
| Opt-in analytics events (PostHog) | 12 months rolling | Consent |
| Crash diagnostics (Apple App Store Connect) | Per Apple's retention schedule | Legitimate interest |
| Support email correspondence | 24 months from last reply | Legitimate interest, service history |
| Privacy-rights request logs | 36 months from closure (regulator audit trail) | Legal obligation |
| Authentication tokens (Keychain, on-device) | Until you sign out or the token expires | Contract |
When a retention period ends we either delete the data or anonymize it so that it can no longer be associated with you.
Cue is operated from the United States. If you use cloud sync, AI scanning, analytics, or crash reporting, your data is transferred to and processed by subprocessors in the United States. Section 4 lists each subprocessor, the data involved, and the contractual safeguards we have in place.
For users in jurisdictions that impose specific cross-border transfer requirements (e.g. LGPD Art. 33, Japan APPI Art. 28, Korea PIPA Art. 28, Canada Quebec Law 25, Australia APP 8), our processing of your personal data in the United States is disclosed above and governed by the subprocessor agreements and security measures described in Sections 4 and 7. Copies of relevant contractual clauses are available on request from privacy@cardcuepro.com.
Anthropic zero-retention status: [TO-FILL: "A zero-retention agreement with Anthropic IS in place, card photos are discarded by Anthropic immediately after processing" / "A zero-retention agreement with Anthropic is NOT currently in place, photos are retained for up to 30 days per Anthropic's default terms. Status last reviewed YYYY-MM-DD"]. We will update this line whenever the status changes.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
This commitment meets or exceeds the obligations under PIPEDA, POPIA, Singapore PDPA (notification if ≥500 individuals or significant harm), Japan APPI, Korea PIPA, Australia's Notifiable Data Breaches scheme, California's breach-notification law, and the Brazilian LGPD.
Cue is intended for adults and enforces a hard age gate on first launch: you must confirm you are 18 years old or older to use the app. We chose 18 as the minimum age because it is the highest of the applicable thresholds across:
We do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, please email privacy@cardcuepro.com and we will delete it promptly.
Cue does not make decisions about you that produce legal or similarly significant effects based solely on automated processing. The app surfaces local, on-device reminders (e.g. "your card expires in 7 days", "you're near a store where you have a balance") but these are heuristic notifications, not legal or financial decisions. No scoring, targeted advertising, or profiling for commercial purposes takes place.
Regardless of where you live, you can:
The following sections enumerate the specific rights you have where you live. We honor them worldwide on a best-effort basis even if your country does not appear explicitly.
California residents have:
Categories collected in the past 12 months (matching CCPA's statutory list): identifiers, commercial information (cards you choose to track), internet/app activity (opt-in), geolocation (on-device only, coarse), photos (transient for AI scanning), account authentication data.
Sources: directly from you; automatically from your device; from Apple (Sign in with Apple).
Commercial purposes: providing the service, security, and, if you opt in, improving the product via aggregated analytics.
To exercise your rights, email privacy@cardcuepro.com with subject "California Privacy Request". We verify by matching the email you used to sign up. We respond within 45 days (extendable by 45 with notice).
This policy is reviewed and, where necessary, updated at least annually as required by California Civil Code § 1798.130(a)(5)(A).
Residents of Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Kentucky, Maryland (MODPA), Minnesota (MCDPA), Montana (CDPA), Nebraska, New Hampshire, New Jersey, Oregon (OCPA), Rhode Island, Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA) have rights substantially similar to California's Right to Know / Access / Delete / Correct / Opt Out of Sale-or-Sharing / Opt Out of Targeted Advertising / Opt Out of Profiling. We honor all of these through the same channel: privacy@cardcuepro.com.
Global Privacy Control (GPC): We honor GPC signals on the marketing website. In-app opt-outs are provided directly in Settings → Privacy & Support.
Precise geolocation: classified as "sensitive" under Colorado CPA and several other state laws. Cue uses only coarse location (iOS kCLLocationAccuracyReduced-grade) and processes it on-device. The iOS permission prompt serves as the opt-in consent mechanism required under Colorado CPA § 6-1-1307.
Washington My Health My Data Act: Not applicable. Cue does not collect consumer health data.
Under Lei Geral de Proteção de Dados (Law 13.709/2018), Brazilian residents have nine rights (Art. 18):
Encarregado (DPO): See Section 1. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
A Portuguese translation of this policy will be made available for Brazilian residents on request. Until the translated page is published, the English version above applies. In case of a conflict between language versions, the English version controls except to the extent Brazilian law requires the Portuguese version to prevail for Brazilian residents.
Canadian residents have the rights granted under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec Law 25, Alberta PIPA, and British Columbia PIPA. These include the right to access, correct, and withdraw consent for the processing of your personal information. Our Privacy Officer is identified in Section 1.
Complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca and, for Quebec residents, to the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
Under Quebec Law 25, we have conducted an assessment of cross-border transfers to the United States, considering the sensitivity of the data, the purposes, the measures taken to mitigate risks, and the recipient's legal environment.
We handle personal information in accordance with the 13 Australian Privacy Principles. You have the right to access and correct your personal information, to raise a complaint with us, and (if unresolved) with the Office of the Australian Information Commissioner at oaic.gov.au.
We participate in the Notifiable Data Breaches (NDB) scheme and will notify affected individuals and the OAIC of any eligible data breach.
APP 8 cross-border disclosure: your personal information may be disclosed to the United States (Apple, Supabase, Anthropic, PostHog).
Under the Act on the Protection of Personal Information, you have rights of access, correction, suspension of use, and deletion. Provision of personal data to third parties in foreign countries requires your consent under Article 28; by using Cue's cloud sync and AI scanning features, you consent to the transfer of the relevant data to the United States with the subprocessors listed in Section 4. Complaints may be directed to the Personal Information Protection Commission at ppc.go.jp.
Under the Personal Information Protection Act and the Information and Communications Network Act, you have the right to access, correct, delete, suspend processing, and withdraw consent. CardCue Pro distinguishes between required processing (for the service) and optional processing (analytics and crash diagnostics) and obtains separate consents for each in Settings → Privacy & Support.
Overseas transfers: your data may be transferred to Apple, Supabase, Anthropic, and PostHog in the United States for the purposes described in Section 5. You may withhold consent to optional items without losing access to the service. Complaints: Personal Information Protection Commission at pipc.go.kr.
Under the Personal Data Protection Act 2012 (as amended in 2020), you have rights of access and correction. Our Data Protection Officer is named in Section 1 and reachable at privacy@cardcuepro.com. Complaints may be filed with the Personal Data Protection Commission at pdpc.gov.sg.
We will notify you of a data breach that is likely to result in significant harm or that affects 500 or more individuals, in accordance with the PDPA's notification obligation.
Under the Protection of Personal Information Act, 2013, you have the rights listed in section 5 of POPIA, including access, correction, deletion, and objection to processing. Our Information Officer is named in Section 1. Complaints may be filed with the Information Regulator at inforegulator.org.za.
Cue is offered in India to users aged 18 and older, consistent with the hard age gate in Section 11. You have the rights to access, correction, deletion, grievance redressal, and nomination (appointing another person to exercise your rights on your behalf in the event of death or incapacity) under the Digital Personal Data Protection Act, 2023. Our Grievance Officer is named in Section 1 and responds within 30 days.
We monitor rule-making under the DPDP Act and will integrate with a registered Consent Manager when the ecosystem permits, as required by § 6(7).
If you live in Turkey (KVKK), Mexico (LFPDPPP), Argentina (PDPL 25.326), Israel (Privacy Protection Law), Thailand (PDPA), Indonesia (PDP Law 2024), Vietnam (PDPD / Decree 13), Philippines (Data Privacy Act), Nigeria (NDPA 2023), Kenya (DPA 2019), the UAE (Federal DP Law), Saudi Arabia (PDPL), or any other country with a comprehensive privacy law, we honor rights equivalent to those listed above and respond to requests via privacy@cardcuepro.com. Where local law requires a locally designated representative, grievance officer, or filed registration and we have not yet done so, the app may not be available in your App Store region until that requirement is met.
We review this policy at least annually and update it more frequently when the law, our practices, or the subprocessor list changes materially. Material changes are announced in-app at least 15 days before taking effect and by email for users with cloud accounts. The "Last Updated" and "Version" fields at the top of this page always reflect the current state. Prior versions are archived and available on request.
For any privacy question or to exercise any right in this policy:
If you are unable to reach us, or are unsatisfied with our response, you retain the right to complain to your national supervisory authority or data-protection regulator; contact details appear in the jurisdiction-specific sections above.