Privacy Policy
This Privacy Policy explains how CardIQ ("we," "us," or "our") collects, uses, shares, and protects information about you when you use cardiq.pro and the CardIQ services (the "Service"). By using the Service, you agree to the practices described below.
1. Information We Collect
Information you give us
- Account information — name, email address, password (stored hashed by our identity provider), and any details you add to your card profile (title, company, photo, bio, phone, address, social links, credentials, etc.).
- Payment information — handled directly by Stripe; we never see or store full card numbers. We retain Stripe customer and subscription IDs to manage your billing.
- Content you upload — profile photos, banner images, logos, and other media you choose to add.
- Lead capture submissions — when a visitor fills out the lead form on your card, we store their submission so you can see it. If you have a connected CRM (Creativa/GoHighLevel) or webhook, we forward the submission to your configured destination.
- Support correspondence — anything you send through the contact form on the help center.
Information collected automatically
- Card analytics — when someone views your card or interacts with it (taps a button, downloads the vCard, submits the lead form), we record the event type, timestamp, IP address, country/region/city (derived from IP, never precise GPS location), device type, and browser. These are visible only to you in your dashboard.
- Authentication and session data — needed to keep you signed in.
- Diagnostic logs — Netlify (our hosting provider) records request logs for security and reliability.
Cookies and similar technologies
We use a small number of cookies and localStorage entries:
| Purpose | What it stores |
|---|---|
| Authentication | Session token (Supabase) — required for sign-in |
| Trial / plan state | Cached dashboard data — performance only |
| Cookie preference | Your choice from the cookie banner |
| Card view de-duplication | Anonymous flag so the same visitor isn't counted twice in 30 minutes |
We do not use advertising cookies or third-party tracking pixels.
2. How We Use Information
- To provide the Service — render your card, send leads to your CRM, generate wallet passes, etc.
- To authenticate you and protect your account.
- To process payments through Stripe.
- To show you analytics about your own card.
- To send service emails (account confirmation, password reset, billing receipts).
- To improve the Service — debugging, performance, and feature development.
- To comply with law and respond to lawful requests.
3. Third-Party Services We Use
CardIQ relies on a small set of trusted vendors to operate. Each is bound by its own privacy practices:
| Vendor | What they handle |
|---|---|
| Supabase | Database + authentication (account data, card content, leads) |
| Netlify | Web hosting and serverless functions |
| Stripe | Subscription billing and payment processing |
| Anthropic | AI bio generation and translations (we send only the text needed for the request) |
| remove.bg (Kaleido) | AI photo background removal (we send the photo you upload only when you click the feature) |
| Google Wallet | Wallet pass generation (when you tap "Add to Google Wallet") |
| Apple Wallet | Wallet pass generation (when you tap "Add to Apple Wallet") |
| GoHighLevel / Creativa | CRM integration — only when YOU connect your own GHL account; we relay leads on your behalf |
4. How We Share Information
We share personal information only in these limited cases:
- With service providers listed above, who process data on our behalf.
- With CRMs and webhooks YOU configure — when you turn on a CRM/webhook integration, lead submissions and card events flow to your destination.
- With other team members — if you join a team workspace, the team owner can see card metadata and lead activity for cards assigned to that team.
- For legal reasons — to comply with valid legal process, prevent fraud, or protect rights and safety.
- In a business transfer — if CardIQ is acquired or merged, your data may transfer to the new owner under terms at least as protective as this policy.
We do not sell your personal information, and we do not share it with advertisers.
5. Public Card Pages
Anything you put on your CardIQ card (cardiq.pro/c/your-slug) is, by design, public. The public page is the product. Don't put information on your card that you don't want strangers to see.
6. Data Retention
- Account data and cards — kept while your account is active. Deleted within 30 days of account deletion (see Section 8).
- Lead submissions — kept until you delete them or delete your account.
- Analytics events — retained for the life of the card; aggregate counts may be retained longer.
- Billing records — retained for at least 7 years for tax and accounting compliance.
- Backups — typical retention is 30 days; deletion requests are honored on the live system immediately and remaining backup copies expire on the normal cycle.
7. Security
We use TLS in transit, encrypted storage at rest, hashed passwords, server-side authorization checks on every API call, and limited-access service credentials. No system is perfectly secure. If you discover a security issue, email security@cardiq.pro.
8. Your Rights
Depending on where you live, you may have the right to:
- Access your personal information — most of it is visible in your Dashboard.
- Correct inaccurate information — edit your card or account at any time.
- Delete your account and associated data — Dashboard → Account → Delete Account.
- Export your data — leads can be exported as CSV from the Leads tab; for everything else, email support@cardiq.pro.
- Object or restrict certain processing — email us.
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with your local data protection authority.
California residents have additional rights under CCPA/CPRA, including the right to know what categories of information we collect and the right to opt out of "sales" (we don't sell data). EU/UK residents have rights under GDPR.
9. Children
CardIQ is not directed to children under 16. We don't knowingly collect data from children under 16. If you believe a child has provided us with information, contact us and we'll delete it.
10. International Users
CardIQ is operated from the United States. By using the Service, you understand that your information is processed in the U.S. We rely on standard contractual clauses or other appropriate legal mechanisms when transferring personal data of EU/UK residents.
11. Changes to This Policy
We may update this policy. Significant changes will be announced by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.
12. Contact
Questions about this policy or your data:
- Email — privacy@cardiq.pro
- General support — cardiq.pro/help