Effective Date: April 17, 2026 | Last Updated: July 6, 2026 | Version: 2.1
This policy supersedes all prior versions. Previous versions are available on request from privacy@cardcuepro.com. We review and refresh this policy at least annually.
Data Controller: Pika Product Lab LLC (doing business as “CardCue Pro”), a Utah limited liability company (EIN 42-2325524), with registered address at 7493 S Brighton Way, Salt Lake City, UT 84121, United States (“we”, “us”, “our”). In this policy “CardCue Pro” refers to both the registered DBA name and the mobile app published under the same name on the Apple App Store.
Data Protection Contact / Privacy Officer: the founder of Pika Product Lab LLC – privacy@cardcuepro.com.
Privacy Officer (Canada / Quebec Law 25): the founder of Pika Product Lab LLC – privacy@cardcuepro.com.
Encarregado (LGPD Brazil Art. 41): the founder of Pika Product Lab LLC – privacy@cardcuepro.com.
Information Officer (POPIA South Africa s. 55): the Chief Executive Officer of Pika Product Lab LLC – privacy@cardcuepro.com.
Grievance Officer (India DPDP Act): the founder of Pika Product Lab LLC – privacy@cardcuepro.com.
Data Protection Officer (Singapore PDPA): the founder of Pika Product Lab LLC – privacy@cardcuepro.com.
This policy applies to the CardCue Pro mobile app for iOS, iPadOS, watchOS, and any companion website at cardcuepro.app. Cue is offered for use by adults aged 18 or older in the jurisdictions where the app is published on the Apple App Store; it is not currently available in the European Economic Area, the United Kingdom, Switzerland, mainland China, Russia, Belarus, Iran, North Korea, Syria, Cuba, or territories subject to comprehensive U.S. sanctions. See Section 11 for the age-gate policy and the App Store availability page for the current country list.
If you are under 18, or under the applicable age of digital consent in your jurisdiction (whichever is higher), you may not use CardCue Pro. See Section 11 for the full age-gate policy.
We collect only the information necessary to run CardCue Pro. Each category is listed with the purpose, storage location, and whether it leaves your device.
| Category | Examples | Where it's stored | Leaves device? |
|---|---|---|---|
| Card content you add | Card name, type, balance, expiry, notes, optional photo, optional card number, PIN, barcode | On-device SwiftData; card numbers, PINs, and barcodes in iOS Keychain. With Pro cloud sync, the card number and barcode are end-to-end encrypted on your device before they sync, with a key we never receive; other fields (notes, fine print, balance-check URLs) sync under row-level security and are server-readable to the authenticated owner. PINs and card photos never sync | Only with opt-in cloud sync (PINs and photos never leave the device) |
| Account identifiers | Email address (if email sign-up); Apple ID relay email (Sign in with Apple); anonymous auth token | Supabase Auth | Yes, to Supabase |
| Card content sent for AI extraction | Photo of the front/back of a gift card, and card text you dictate or paste (for example a forwarded gift-card email) | Sent in-flight to Anthropic's Claude API; retained per Anthropic's default commercial terms (up to 30 days for Trust & Safety unless a zero-retention agreement is in place) | Yes, to Anthropic (photos and dictated or pasted card text) |
| Add to Apple Wallet export | Card name, balance, and barcode of a card you choose to export | Sent in-flight to our pass-signing service to generate the Wallet pass; not retained after the pass is generated | Yes, only when you export a card |
| Card gifting & rewards | Gift records and claim tokens for cards you send, plus sender/recipient reward status under the Send a card, get a month program | Supabase (server-side gift and reward records); deleted with your account | Yes, when you send or claim a gifted card |
| Location data | Location used to decide "you're near a store" alerts. While a nearby-store reminder or distance banner is active, CardCue uses precise (GPS-grade) location, requested with Always authorization and background updates. A coarse (~1km cell) location is separately sent to estimate neighborhood store density | On-device only for the live position, which is used in the moment and never stored on or transmitted to our servers; a coarse ~1km cell is sent for neighborhood density | Live precise position: No. Coarse ~1km density cell: Yes |
| Contacts (optional) | Names and birthday dates of contacts you explicitly authorize, used only to surface upcoming-birthday gift-card reminders | On-device only, never transmitted | No |
| Anonymous analytics events (opt-in) | Event names (e.g. card_added, paywall_shown), anonymous device ID. Never card content, balances, photos, or location | PostHog (United States, us.i.posthog.com) | Only if you opt in |
| Crash & performance diagnostics | Crash logs you choose to share with developers via iOS Settings → Privacy & Security → Analytics & Improvements → "Share with App Developers" | Apple App Store Connect (no third-party crash SDK is bundled) | Only if you've enabled iOS-level diagnostics sharing |
| Subscription & transaction state | App Store receipt, entitlement status (Free / Pro). Family Sharing entitlements are managed entirely by Apple; no family-member data reaches us | Apple; we read the entitlement via StoreKit 2 on-device | With Apple only |
| Support correspondence | Emails you send us | Our email provider's servers | Yes, to our email provider |
| Brand logo lookup | The brand name / domain of a card, sent to Google's favicon service and Logo.dev to fetch a logo to display. No secrets, balances, email, or name | Not stored by us; the request carries the brand domain and your device IP to the logo services | Yes, brand name/domain + device IP to Google and Logo.dev |
The following subprocessors help us deliver CardCue Pro. Each is bound by a written data-processing agreement and by confidentiality, security, and purpose-limitation obligations under applicable law (e.g. LGPD Art. 39, PIPEDA Principle 4.1.3, APPI Art. 25, CCPA § 1798.100(d)).
| Subprocessor | Purpose | Data accessed | Primary location | Transfer safeguards |
|---|---|---|---|---|
| Apple Inc. | Sign in with Apple, App Store StoreKit, MapKit, WeatherKit, Push Notifications, iCloud backup | Apple-relay email, receipt, anonymous push token, approximate location for local weather (WeatherKit) | United States (global infrastructure) | Bound by Apple's own Privacy Policy and the Apple Developer Program License Agreement |
| Supabase Inc. | Cloud sync and account auth (Pro, opt-in) | Email, card data you elect to sync, auth tokens | United States | Data Processing Agreement; encrypted in transit (TLS 1.2+) and at rest; row-level security. Supabase Privacy Policy |
| Anthropic PBC | AI card extraction. Claude API processes card photos, and card text you dictate or paste, to fill in card details (per request) | Card photos you take while scanning, and card text you dictate or paste for extraction | United States | Commercial Terms; no zero-data-retention agreement is currently in place, so submitted content may be retained up to 30 days (see Sections 8 and 9). Anthropic Privacy Policy |
| PostHog Inc. | Product analytics, opt-in in the iOS app (default OFF), on-by-default (respects Do Not Track) on the marketing website cardcuepro.app | App: event names (e.g. card_added), anonymous device ID, app-version metadata. Website: pageviews, button / link clicks, referrer, screen-size bucket, anonymous visitor ID. Never your card content, balances, photos, location, card numbers / PINs, email, or name. | United States (us.i.posthog.com) | Data Processing Agreement; anonymous identifiers only; strict purpose-limitation to product improvement. PostHog Privacy Policy |
| Email provider | Support email intake and forwarding | Your email address and message body when you contact us | GoDaddy.com, LLC (domain email forwarding) and Apple Inc. (iCloud Mail). United States | Data Processing Addendum |
| Google (favicon service) and Logo.dev | Fetching a brand logo to display on a card | The card's brand name / domain and your device IP address. No card content, balances, secrets, email, or name | United States | Standard public logo/favicon APIs; requests carry only the brand domain and network-level IP, no account identifiers |
We do not use advertising SDKs, ad networks, remarketing pixels, fingerprinting SDKs, data brokers, or any other third-party tool whose purpose is cross-app/cross-site tracking for advertising.
Every processing activity in Cue is tied to at least one lawful basis. The table below summarises the purpose and legal basis for each activity, using the shared vocabulary of consumer-privacy laws we operate under (CCPA, LGPD, PIPEDA, APPs, APPI, PIPA, PDPA, POPIA, DPDP Act). Jurisdiction-specific rights are enumerated in Section 14.
| Purpose | Data used | Legal basis |
|---|---|---|
| Storing and displaying your gift card balances | Card content you add | Performance of the contract with you |
| Syncing cards across your devices (Pro) | Card content, account identifiers | Performance of the contract |
| Nearby-store and expiration notifications | Location (on-device), card content | Performance of the contract + your opt-in permission for notifications |
| AI card scanning | Card photo you take | Performance of the contract, on by default for scans; can be turned off with Scan on-device only |
| Account authentication | Email, Apple ID relay email, auth token | Performance of the contract |
| Generating an Apple Wallet pass you request | Card name, balance, and barcode of the exported card | Performance of the contract, only when you tap Add to Apple Wallet |
| Card gifting & the Send a card, get a month program | Gift records, claim tokens, sender/recipient reward status | Performance of the contract; see the program terms |
| Crash diagnostics | Crash logs you've opted into sharing with developers at the iOS level | Legitimate interest in keeping the app stable; we receive only what Apple sends through App Store Connect, which you control through iOS Settings → Privacy & Security → Analytics & Improvements. |
| Product analytics | Event names, anonymous device ID | Your opt-in consent |
| Security and fraud prevention | Auth tokens, anonymous device ID | Legitimate interest |
| Responding to support requests and privacy-rights requests | Your message + account identifiers | Legitimate interest + compliance with legal obligation |
| Complying with subpoenas, court orders, and statutory obligations | As required | Legal obligation |
CardCue Pro is a native iOS app and does not use web cookies. In-app product analytics (PostHog) are opt-in only, the Share Anonymous Analytics toggle in Settings → Your Profile defaults to OFF and must be explicitly turned on. No event is sent until you turn the toggle on. Because these analytics do not track you across other companies' apps or websites, the App Tracking Transparency prompt does not apply (see 6.3).
cardcuepro.app)The website uses one product-analytics service, PostHog, to measure which pages are read, which CTAs are clicked, and where visitors drop off. We use that data for one purpose: knowing where the site falls short so we can improve it. PostHog stores an anonymous visitor ID in localStorage and a cookie named ph_*.
What gets captured:
What is never captured on the website:
Do Not Track: If your browser sends a Do Not Track (DNT) or Global Privacy Control (GPC) signal, PostHog is disabled for your visit, no pageviews, no clicks, no cookies. You don't have to do anything beyond flipping the browser setting.
Opt out manually: If your browser doesn't send DNT and you still want to opt out, open the browser console on any cardcuepro.app page and run posthog.opt_out_capturing(). The opt-out is stored in localStorage and persists until you clear site data. We'll ship a one-click opt-out button here in the next site revision.
Advertising and retargeting cookies: this site sets no advertising or retargeting cookies. We do not participate in ad networks, do not place retargeting pixels, and do not use any SDK whose primary purpose is cross-site tracking for advertising.
CardCue does not track you across other companies' apps or websites, sets NSPrivacyTracking to false, and ships no IDFA, ad SDK, or tracking Info.plist keys, so the App Tracking Transparency prompt does not appear.
We honor Global Privacy Control signals on our website, see 6.2 above. Because Cue does not sell or share personal information for cross-context behavioral advertising, no additional in-app opt-out is required under California CPRA, Colorado CPA, Connecticut CTDPA, Oregon OCPA, New Jersey, or Delaware DPDPA regulations.
Telemetry consent: Product analytics (PostHog) are strictly opt-in and default to off in the iOS app. We do not bundle a third-party crash-reporting SDK; production crash diagnostics, when received, come exclusively through Apple's App Store Connect crash channel, which the user controls through iOS Settings → Privacy & Security → Analytics & Improvements → "Share with App Developers". Withdrawal of consent is as easy as giving it and does not affect the lawfulness of prior processing.
We apply the following technical and organizational measures:
kSecAttrAccessibleWhenUnlocked) for card numbers, PINs, barcodes, and authentication tokens. Keychain items are backed up to iCloud only if you have iCloud Keychain enabled and survive device-to-device transfer.LAPolicy.deviceOwnerAuthentication.PrivacyInfo.xcprivacy) shipped with every build.No method of transmission or storage is 100% secure. We commit to the breach-notification process in Section 10.
| Data category | Retention | Basis |
|---|---|---|
| Local card data (SwiftData + Keychain) | Until you delete it or uninstall the app | You control |
| Cloud-synced cards (Supabase) | Until you delete your account, or 36 months of continuous account inactivity, whichever comes first | Contract / user request |
| Supabase auth records (email, user_id) | Until account deletion | Contract |
| Anthropic AI-scan images | Retained by Anthropic per its commercial terms (up to 30 days for Trust & Safety); no zero-retention agreement is currently in place (see Section 9) | Controlled by Anthropic |
| Opt-in analytics events (PostHog) | 12 months rolling | Consent |
| Crash diagnostics (Apple App Store Connect) | Per Apple's retention schedule | Legitimate interest |
| Support email correspondence | 24 months from last reply | Legitimate interest, service history |
| Privacy-rights request logs | 36 months from closure (regulator audit trail) | Legal obligation |
| Authentication tokens (Keychain, on-device) | Until you sign out or the token expires | Contract |
When a retention period ends we either delete the data or anonymize it so that it can no longer be associated with you.
Cue is operated from the United States. If you use cloud sync, AI scanning, analytics, or crash reporting, your data is transferred to and processed by subprocessors in the United States. Section 4 lists each subprocessor, the data involved, and the contractual safeguards we have in place.
For users in jurisdictions that impose specific cross-border transfer requirements (e.g. LGPD Art. 33, Japan APPI Art. 28, Korea PIPA Art. 28, Canada Quebec Law 25, Australia APP 8), our processing of your personal data in the United States is disclosed above and governed by the subprocessor agreements and security measures described in Sections 4 and 7. Copies of relevant contractual clauses are available on request from privacy@cardcuepro.com.
Anthropic zero-retention status: A zero-retention agreement with Anthropic is not currently in place. Card photos sent for AI scanning are retained by Anthropic for up to 30 days under Anthropic's default commercial terms, then deleted, and are not used to train models. Status last reviewed 2026-06-21. We will update this line whenever the status changes.
If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
This commitment meets or exceeds the obligations under PIPEDA, POPIA, Singapore PDPA (notification if ≥500 individuals or significant harm), Japan APPI, Korea PIPA, Australia's Notifiable Data Breaches scheme, California's breach-notification law, and the Brazilian LGPD.
Cue is intended for adults and enforces a hard age gate on first launch: you must confirm you are 18 years old or older to use the app. We chose 18 as the minimum age because it is the highest of the applicable thresholds across:
We do not knowingly collect personal information from anyone under 18. If you believe a child has provided personal information to us, please email privacy@cardcuepro.com and we will delete it promptly.
Cue does not make decisions about you that produce legal or similarly significant effects based solely on automated processing. The app surfaces local, on-device reminders (e.g. "your card expires in 7 days", "you're near a store where you have a balance") but these are heuristic notifications, not legal or financial decisions. No scoring, targeted advertising, or profiling for commercial purposes takes place.
Regardless of where you live, you can:
The following sections enumerate the specific rights you have where you live. We honor them worldwide on a best-effort basis even if your country does not appear explicitly.
California residents have:
Categories collected in the past 12 months (matching CCPA's statutory list): identifiers, commercial information (cards you choose to track), internet/app activity (opt-in), geolocation (on-device only, coarse), photos (transient for AI scanning), account authentication data.
Sources: directly from you; automatically from your device; from Apple (Sign in with Apple).
Commercial purposes: providing the service, security, and, if you opt in, improving the product via aggregated analytics.
To exercise your rights, email privacy@cardcuepro.com with subject "California Privacy Request". We verify by matching the email you used to sign up. We respond within 45 days (extendable by 45 with notice).
This policy is reviewed and, where necessary, updated at least annually as required by California Civil Code § 1798.130(a)(5)(A).
Residents of Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Indiana (ICDPA), Iowa (ICDPA), Kentucky, Maryland (MODPA), Minnesota (MCDPA), Montana (CDPA), Nebraska, New Hampshire, New Jersey, Oregon (OCPA), Rhode Island, Tennessee (TIPA), Texas (TDPSA), Utah (UCPA), and Virginia (VCDPA) have rights substantially similar to California's Right to Know / Access / Delete / Correct / Opt Out of Sale-or-Sharing / Opt Out of Targeted Advertising / Opt Out of Profiling. We honor all of these through the same channel: privacy@cardcuepro.com.
Global Privacy Control (GPC): We honor GPC signals on the marketing website. The in-app analytics opt-out is provided directly with the Share Anonymous Analytics toggle in Settings → Your Profile.
Precise geolocation: classified as "sensitive" under Colorado CPA and several other state laws. While a nearby-store reminder or distance banner is active, CardCue uses precise (GPS-grade) location, requested with Always authorization and background updates. Your live position is used in the moment and is never stored on or transmitted to CardCue servers. Separately, a coarse (~1km cell) location is sent to estimate neighborhood store density. The iOS permission prompt serves as the opt-in consent mechanism required under Colorado CPA § 6-1-1307.
Washington My Health My Data Act: Not applicable. Cue does not collect consumer health data.
Under Lei Geral de Proteção de Dados (Law 13.709/2018), Brazilian residents have nine rights (Art. 18):
Encarregado (DPO): See Section 1. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
A Portuguese translation of this policy will be made available for Brazilian residents on request. Until the translated page is published, the English version above applies. In case of a conflict between language versions, the English version controls except to the extent Brazilian law requires the Portuguese version to prevail for Brazilian residents.
Canadian residents have the rights granted under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec Law 25, Alberta PIPA, and British Columbia PIPA. These include the right to access, correct, and withdraw consent for the processing of your personal information. Our Privacy Officer is identified in Section 1.
Complaints may be directed to the Office of the Privacy Commissioner of Canada at priv.gc.ca and, for Quebec residents, to the Commission d'accès à l'information du Québec at cai.gouv.qc.ca.
Under Quebec Law 25, we have conducted an assessment of cross-border transfers to the United States, considering the sensitivity of the data, the purposes, the measures taken to mitigate risks, and the recipient's legal environment.
We handle personal information in accordance with the 13 Australian Privacy Principles. You have the right to access and correct your personal information, to raise a complaint with us, and (if unresolved) with the Office of the Australian Information Commissioner at oaic.gov.au.
We participate in the Notifiable Data Breaches (NDB) scheme and will notify affected individuals and the OAIC of any eligible data breach.
APP 8 cross-border disclosure: your personal information may be disclosed to the United States (Apple, Supabase, Anthropic, PostHog).
Under the Act on the Protection of Personal Information, you have rights of access, correction, suspension of use, and deletion. Provision of personal data to third parties in foreign countries requires your consent under Article 28, by using Cue's cloud sync and AI scanning features, you consent to the transfer of the relevant data to the United States with the subprocessors listed in Section 4. Complaints may be directed to the Personal Information Protection Commission at ppc.go.jp.
Under the Personal Information Protection Act and the Information and Communications Network Act, you have the right to access, correct, delete, suspend processing, and withdraw consent. CardCue Pro distinguishes between required processing (for the service) and optional processing (analytics and crash diagnostics). In-app analytics consent is the Share Anonymous Analytics toggle in Settings → Your Profile; crash diagnostics are controlled at the iOS level in Settings → Privacy & Security → Analytics & Improvements.
Overseas transfers: your data may be transferred to Apple, Supabase, Anthropic, and PostHog in the United States for the purposes described in Section 5. You may withhold consent to optional items without losing access to the service. Complaints: Personal Information Protection Commission at pipc.go.kr.
Under the Personal Data Protection Act 2012 (as amended in 2020), you have rights of access and correction. Our Data Protection Officer is named in Section 1 and reachable at privacy@cardcuepro.com. Complaints may be filed with the Personal Data Protection Commission at pdpc.gov.sg.
We will notify you of a data breach that is likely to result in significant harm or that affects 500 or more individuals, in accordance with the PDPA's notification obligation.
Under the Protection of Personal Information Act, 2013, you have the rights listed in section 5 of POPIA, including access, correction, deletion, and objection to processing. Our Information Officer is named in Section 1. Complaints may be filed with the Information Regulator at inforegulator.org.za.
Cue is offered in India to users aged 18 and older, consistent with the hard age gate in Section 11. You have the rights to access, correction, deletion, grievance redressal, and nomination (appointing another person to exercise your rights on your behalf in the event of death or incapacity) under the Digital Personal Data Protection Act, 2023. Our Grievance Officer is named in Section 1 and responds within 30 days.
We monitor rule-making under the DPDP Act and will integrate with a registered Consent Manager when the ecosystem permits, as required by § 6(7).
If you live in Turkey (KVKK), Mexico (LFPDPPP), Argentina (PDPL 25.326), Israel (Privacy Protection Law), Thailand (PDPA), Indonesia (PDP Law 2024), Vietnam (PDPD / Decree 13), Philippines (Data Privacy Act), Nigeria (NDPA 2023), Kenya (DPA 2019), the UAE (Federal DP Law), Saudi Arabia (PDPL), or any other country with a comprehensive privacy law, we honor rights equivalent to those listed above and respond to requests via privacy@cardcuepro.com. Where local law requires a locally designated representative, grievance officer, or filed registration and we have not yet done so, the app may not be available in your App Store region until that requirement is met.
We review this policy at least annually and update it more frequently when the law, our practices, or the subprocessor list changes materially. Material changes are announced in-app at least 15 days before taking effect and by email for users with cloud accounts. The "Last Updated" and "Version" fields at the top of this page always reflect the current state. Prior versions are archived and available on request.
For any privacy question or to exercise any right in this policy:
If you are unable to reach us, or are unsatisfied with our response, you retain the right to complain to your national supervisory authority or data-protection regulator, contact details appear in the jurisdiction-specific sections above.