Privacy Policy

This Privacy Policy explains how Cardify ("we", "us") collects, uses, shares, and protects information when you use our Service. It applies to users worldwide and includes specific disclosures for the EU/EEA, UK, California, and other jurisdictions where required.

1. Nature of the Service

Cardify is an independent entertainment, parody, and novelty tool. All cards, ratings, rarities, stats, lore, and related outputs are algorithmic, creative expressions produced for amusement only. Nothing generated by the Service constitutes an official product, endorsement, affiliation, appraisal, authentication, or statement of fact. The Service transforms user-provided photos into stylized, fictional trading-card parodies and should be understood strictly as entertainment and fan-art commentary.

2. Data we collect

• Account data: email, username, display name, password hash, OAuth identifiers (Google, Apple).
• Profile data: avatar, bio, marketing preferences, accepted-terms timestamp.
• Uploaded photos & generated cards: Source Content you upload and Generated Content produced for you.
• Usage data: device, browser, IP address, log timestamps, feature interactions, referral codes.
• Cookies: session cookies, security cookies, and (with consent) analytics.

3. How we use data

• To operate, personalize, and secure the Service.
• To prevent fraud and abuse.
• To generate AI cards from your uploaded photos for entertainment and parody purposes only.
• To respond to support requests and enforce our Terms and Content Policy.
• With your consent, to send marketing communications (you can unsubscribe anytime).
• To comply with legal obligations.

4. AI processing

When you generate a card, your Source Content is sent to AI model providers acting as our processors. We do not permit those providers to train their public models on your Source Content. Generated outputs are stored on your account so you can re-download or share them. All AI-generated outputs are entertainment and parody only and do not represent official products or endorsements.

5. Usage limitations & prohibited content

You agree not to upload Source Content that contains or depicts:

• Third-party trademarks, brand logos, or service marks without authorization.
• Professional sports team names, league names, or league logos.
• Athlete, celebrity, or public figure likenesses without their consent.
• Copyrighted characters, artwork, or other protected works you do not own or have permission to use.
• Any content intended to impersonate, deceive, or mislead others about the origin or affiliation of the generated card.

We may scan uploaded content for protected terms and refuse processing if prohibited content is detected. We may remove content and terminate accounts for violations.

6. Legal bases (EU/EEA & UK)

• Contract: to provide the Service you signed up for.
• Legitimate interests: security, fraud prevention, product improvement.
• Consent: marketing emails, optional analytics cookies, processing of biometric-like facial features in your photos for AI generation.
• Legal obligation: tax, accounting, regulatory requests.

7. Sharing

• Processors: hosting, authentication, AI inference, analytics, email delivery, customer support — bound by data protection contracts.
• Public content: cards you choose to publish or share are viewable by anyone with the link.
• Legal: when required by law, regulators, or to protect rights and safety.
• Business transfers: in connection with a merger or acquisition, with notice to you.

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising without consent.

8. International transfers

We process data in the United States and other countries. Where required, transfers from the EU/EEA, UK, or Switzerland rely on Standard Contractual Clauses or other lawful mechanisms.

9. Retention

• Account and profile data: while your account is active.
• Source Content: deleted within 30 days of card generation unless you save it to your library.
• Generated cards: kept until you delete them or close your account.
• Payment records: 7 years for tax and accounting compliance.
• Logs: up to 12 months for security purposes.

10. Your rights

Depending on your region you have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent. EU/EEA & UK users can lodge a complaint with their local data protection authority. California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of sale or sharing (we do neither).

Exercise rights via in-app account settings. We will verify your identity before responding.

11. Children

Cardify is not directed to children under 13. We do not knowingly collect data from children under 13 (or 16 in the EU/EEA without parental consent). Contact us if you believe a child has provided data; we will delete it.

12. Security

We use encryption in transit, encryption at rest for sensitive fields, role-based access controls, and continuous monitoring. No system is 100% secure; please use a strong unique password.

13. Changes

We will post updates here and notify you of material changes by email or in-app notice.

14. Contact & data controller

Cardify, Inc. — reach out through the contact form on our website or via our support channels.