Legal

Privacy Policy

Effective date: May 22, 2026 · Version 1.0

HardCards ("we," "us," or "our") operates hardcards.co and the HardCards platform. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our services.

1. Information we collect

Merchant information

When you create a HardCards account, we collect:

  • Business name, contact information, and business address
  • Payment information for subscription billing
  • Staff member names and email addresses for scanner app access
  • Loyalty program configuration (card types, reward rules, branding assets)

Cardholder information

When your customers add your loyalty card to Apple Wallet or Google Wallet, we collect:

  • Device identifiers for wallet pass delivery
  • Transaction history (scan timestamps, locations, reward redemptions)
  • Geolocation data (only when geofenced push notifications are enabled on Pro plan)
  • Push notification engagement metrics (delivery, open rates, click rates)

Automatically collected information

  • Device information, browser type, and IP address
  • Usage data (features accessed, time spent, error logs)
  • Analytics data for platform performance and optimization

2. How we use your information

We use collected information to:

  • Deliver wallet passes to Apple Wallet and Google Wallet
  • Process loyalty transactions and track cardholder balances
  • Send push notifications based on your configured triggers
  • Provide analytics dashboards showing cardholder activity
  • Process subscription payments and manage your account
  • Deliver customer support and respond to inquiries
  • Improve platform performance and develop new features
  • Comply with legal obligations and enforce our Terms of Service

3. Information sharing and disclosure

We do not sell cardholder data. We share information only in these circumstances:

With third-party service providers (sub-processors)

We use the following sub-processors to operate the Service. Each is contractually required to handle data only on our instructions and to maintain appropriate security measures.

  • Supabase — database, authentication, file storage (United States)
  • Stripe — subscription billing, payment processing, sales tax (United States)
  • Resend — transactional and marketing email delivery (United States)
  • Boomerangme — Apple Wallet and Google Wallet pass infrastructure (United States / European Union)
  • Anthropic — AI-powered customer support chat (United States)
  • PostHog — product analytics, session replay (with input masking), web analytics (US Cloud region)
  • Upstash — rate limiting via Redis (United States)
  • Better Stack — uptime monitoring and public status page (United States / European Union)
  • Cloudflare — Turnstile bot protection on public forms; DNS (United States)
  • Fly.io — application hosting and infrastructure (United States, primary region: San Jose)
  • Apple and Google — wallet pass delivery and push notification infrastructure
  • Integration partners you explicitly connect — Zapier, Make, Shopify, Square, and any others you authorize via API, webhooks, or OAuth

We update this list as our infrastructure evolves. Material changes will be reflected in the "Last updated" date and the version log at the end of this policy.

With your explicit authorization

  • When you connect third-party integrations via API, Zapier, or webhooks
  • When you enable white-label features for agency partnerships

For legal compliance

  • To comply with legal obligations, court orders, or regulatory requirements
  • To protect our rights, privacy, safety, or property
  • To investigate fraud, security issues, or Terms of Service violations

4. Data retention

Account deletion grace period: When you request account deletion, we maintain your data for 30 days before permanent purge. During that 30-day window you can cancel the deletion and recover your full account. After the 30-day window, account data is permanently and irreversibly deleted unless retention is required by law (e.g., financial records mandated by tax authorities).

Subscription cancellation: Cancelling a subscription (without requesting account deletion) does NOT delete your data. Your designs, cardholder data, and history remain in your account; the account simply moves to a read-only state at the end of your billing period and you can resubscribe at any time.

Audit logs: Security and access audit logs are retained for 1 year for fraud prevention and incident investigation.

Cardholder data: Transaction history and analytics are retained according to your subscription plan:

  • Starter: 6 months of historical data
  • Growth: Unlimited historical data
  • Pro: Unlimited historical data

When a cardholder removes your loyalty card from their wallet, transaction history remains in your analytics dashboard but no further push notifications are sent to that device.

5. Data security

We implement industry-standard security measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Regular security audits and vulnerability assessments
  • Access controls and authentication for merchant accounts
  • Secure API authentication for integrations

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Your rights and choices

Merchants — general rights

  • Access and download your account data at any time
  • Update business information and payment details
  • Delete your account and request permanent data deletion (subject to the 30-day grace period described in §4)
  • Opt out of marketing communications

GDPR — additional rights for residents of the European Economic Area, United Kingdom, and Switzerland

If you are a resident of the EEA, UK, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR) and equivalent UK / Swiss law:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete personal data.
  • Right to erasure ("right to be forgotten"): request deletion of your personal data, subject to our legal retention obligations.
  • Right to restrict processing: request that we limit how we use your data in specified circumstances.
  • Right to data portability: request a copy of your personal data in a structured, commonly-used, machine-readable format.
  • Right to object: object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent: where processing relies on consent, withdraw that consent at any time.
  • Right to lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@hardcards.co. We respond within 30 days as required by GDPR Article 12.

CCPA / CPRA — additional rights for California residents

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to know what categories of personal information we collect, the sources of that information, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you, subject to our legal retention obligations.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information. We do not sell personal information, and we do not share it for cross-context behavioral advertising. There is no opt-out required because there is no sale or sharing to opt out of.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes that require an opt-out under CPRA.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different quality of service because you exercised a CCPA right.

To exercise any of these rights, email privacy@hardcards.co. We respond within 45 days as required by CCPA § 1798.130.

Cardholders

Your customers control their own data through Apple Wallet and Google Wallet:

  • Remove loyalty cards at any time (stops all push notifications)
  • Manage location permissions through device settings
  • Contact you directly to request transaction history or data deletion

7. Geolocation data (Pro plan only)

Geofenced push notifications use location data provided by Apple and Google's wallet infrastructure. We do not continuously track cardholder location. Location is only checked when:

  • The device enters a geofence you configured (typically 100 meters)
  • Apple or Google's system determines a location check is appropriate

Cardholders can disable location permissions through their device settings at any time.

8. International data transfers

HardCards is based in the United States. If you are accessing our services from outside the US, your information may be transferred to, stored, and processed in the United States. By using our services, you consent to this transfer.

9. Children's privacy

HardCards is not intended for use by children under 13. We do not knowingly collect information from children under 13. If you believe a child has provided us with personal information, contact us immediately.

10. Cookies and similar technologies

We use cookies and similar browser storage (localStorage, sessionStorage) for three categories of purpose. You control the non-essential categories through the cookie banner that appears on your first visit to our marketing site.

Necessary cookies (always on)

Required for the Service to function. These cannot be disabled. Examples: authentication session tokens, CSRF tokens, your stored cookie-consent preference itself, and rate-limit identifiers.

Analytics cookies (opt-in)

Set only after you grant analytics consent. We use these to understand how merchants navigate the platform, measure feature adoption, and improve UX. Specifically: PostHog product analytics and session replay (with input masking and PII redaction enabled by default). If you decline analytics consent, the PostHog snippet is not loaded — not just disabled, but fully absent from the page.

Marketing cookies (opt-in)

Set only after you grant marketing consent. We currently use these for UTM attribution on inbound traffic to measure marketing-channel performance. We do not use third-party advertising or retargeting cookies.

You can update your cookie preferences at any time via your account settings page (when signed in) or by clearing the cookieConsent entry from your browser's localStorage and reloading.

11. Changes to this privacy policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or through the HardCards dashboard. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact us

For privacy questions or to exercise your data rights:

  • Email: privacy@hardcards.co
  • Mail: HardCards, 2066 N Capitol Ave, Unit #8135, San Jose, CA 95132, United States

13. Version log

  • v1.0 — 2026-05-22 — initial v1 launch privacy policy. Defines sub-processor list, GDPR / CCPA rights, cookie categories, account-deletion 30-day grace, audit-log retention.

Questions about this policy?

Email us at privacy@hardcards.co

Hardcards

Loyalty cards that live in Apple Wallet and Google Wallet.

Product

Features

Industries

Company

Account

© 2026 Hardcards. All rights reserved.