Privacy Policy

Who we are

Kard ("Kard", "we", "us", "our") operates the loyalty-card platform available at kard.gg. We provide digital loyalty stamp cards that venues can offer to their customers via Apple Wallet and Google Wallet.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it. It applies to venue operators who sign up for a Kard account and to end customers who receive and use a Kard loyalty pass.

What data we collect

Venue operators (businesses that sign up for Kard)

  • Account information: business name, contact name, email address, and password (stored as a secure hash).
  • Venue details: venue name, address, and branding assets (logo, colour) you choose to upload.
  • Loyalty card configuration: stamp count, reward description, card design settings.
  • Billing information: payment method details are processed by our payment provider and are not stored on our servers.
  • Usage data: dashboard activity, QR code download timestamps, and support communications.

End customers (people who add a Kard loyalty pass to their phone)

  • Pass identifier: a unique, anonymised identifier assigned to each issued pass. This is not linked to a name or email address unless the customer chooses to provide one.
  • Stamp activity: the number of stamps collected and the date/time stamps were issued or redeemed. This data is associated with the pass identifier, not with personal identity.
  • Device push token: if a customer enables notifications on their wallet pass, we hold the push token provided by Apple or Google to send pass updates (for example, when a new stamp is added). This token does not identify the person — it identifies the device and the pass.

Automatically collected data (all users)

  • Log data: IP addresses, browser type, referring URL, and pages visited, collected automatically when you access our website or dashboard.
  • Cookies: we use a small number of session cookies required for the dashboard to function and, if you consent, analytics cookies to understand how the product is used. See our Cookie section below.

How we use the data

  • To provide the service: create and issue loyalty passes, update stamp counts, deliver pass updates to wallets, and power the venue dashboard.
  • To communicate with you: send transactional emails (account confirmation, password reset), and, where you have opted in, product updates or tips.
  • To improve the product: analyse aggregated, anonymised usage patterns to understand how the product is being used and how we can make it better.
  • To comply with legal obligations: retain records as required by applicable law and respond to lawful requests from authorities.

Apple Wallet and Google Wallet passes

Kard issues loyalty passes in formats compatible with Apple Wallet (using Apple's PassKit specification) and Google Wallet (using the Google Wallet API). When a customer adds a pass to their device:

  • The pass data (venue name, stamp count, reward description) is transmitted to Apple or Google servers so the pass can be displayed on the device.
  • Apple and Google may process pass data in accordance with their own privacy policies. Kard does not control how Apple or Google handle data once it is on their platforms.
  • Pass updates (for example, when a stamp is added) are sent to the device via Apple Push Notification service (APNs) or Google's equivalent. These updates contain only the new pass data — not personal information.

Legal basis for processing (GDPR)

If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

  • Contract performance: processing your account information and delivering the service you have signed up for.
  • Legitimate interests: improving our product, ensuring security, and preventing fraud.
  • Legal obligation: complying with applicable laws and regulations.
  • Consent: sending marketing emails or setting non-essential cookies, where we have obtained your consent. You may withdraw consent at any time.

Data sharing

We do not sell your personal data. We share it only in the following circumstances:

  • Service providers: we use third-party providers for hosting, email delivery, payment processing, and analytics. These providers act as data processors and are contractually bound to protect your data.
  • Apple and Google: pass data is transmitted to Apple and Google to deliver loyalty passes to customer devices, as described above.
  • Legal requirements: if required by law, court order, or governmental authority.
  • Business transfers: if Kard is acquired or merged, your data may be transferred as part of that transaction. We will notify you in advance.

Data retention

We retain venue account data for as long as your account is active and for a reasonable period afterwards in case you wish to reactivate. If you close your account, we will delete or anonymise your personal data within 90 days, except where retention is required by law.

End-customer pass data (stamp counts, pass identifiers) is retained for the lifetime of the associated venue account. When a venue account is deleted, the corresponding pass data is also deleted.

Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your personal data ("right to be forgotten").
  • Restrict or object to certain types of processing.
  • Data portability — receive a copy of your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at ged.miseikis@gmail.com. We will respond within 30 days.

Cookies

We use the following types of cookies:

  • Essential cookies: required for the dashboard and website to function. These cannot be disabled.
  • Analytics cookies: help us understand how visitors use the site. We obtain your consent before setting these. You may opt out at any time by adjusting your browser settings or through our cookie preferences banner.

Security

We use industry-standard measures to protect your data, including encrypted connections (HTTPS/TLS), hashed passwords, and access controls that limit who within Kard can view personal data. No system is completely secure, and we cannot guarantee absolute security. If you become aware of a security issue, please contact us at ged.miseikis@gmail.com.

International transfers

Our infrastructure is hosted in the European Union. If we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses.

Children

Kard is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify venue operators by email and update the "Last updated" date at the top of this page. Continued use of Kard after a change takes effect constitutes acceptance of the updated policy.

Contact

For any questions about this Privacy Policy or to exercise your data rights, contact us at:

Kard
ged.miseikis@gmail.com