§ 0
Summary of key points
The headline answers, in plain language. Each point links to the full treatment below.
What we process. Account identifiers (email, display name, OAuth subject ID), usage telemetry (IP, device, browser, referrer), and payment metadata if you purchase a paid plan. We do not process sensitive personal information.
From third parties. We do not collect personal information from third parties beyond what you authorize via Google OAuth at sign-in.
Why we process it. To provide and improve the Services, communicate with you, prevent fraud, and comply with law. We process your information only when we have a valid legal reason to do so.
Who we share it with. A small set of named processors (Stripe for payments, Anthropic for AI assistance, Google for sign-in and analytics). Never sold.
How we keep it safe. Industry-standard transport encryption, encrypted refresh-token storage with quarterly key rotation, OWASP-aligned secure-coding practice. No system is 100% secure; we do not guarantee otherwise.
Your rights. Depending on where you live, you may request access, correction, a copy, or deletion of your personal information. Contact [email protected] or submit a data subject access request.
§ 1
What information we collect
Personal information you disclose to us
We collect personal information that you voluntarily provide when you register for the Services, contact us, or participate in features. The categories we collect:
- names and display names
- email addresses
- phone numbers (only if you provide them)
- mailing or billing addresses (only if you provide them)
- usernames and contact preferences
- contact and authentication data (Google OAuth subject ID)
Sensitive information. We do not process sensitive personal information (e.g., race, ethnicity, sexual orientation, religion, biometric data, government IDs).
Payment data. If you purchase a paid plan we collect what is necessary to process payment. All payment data is handled and stored by Stripe; we do not store full card numbers on our servers. See stripe.com/privacy.
Social-login data. We use Google OAuth to sign users in. When you authenticate, Google sends us the profile fields you authorize: email, display name, profile picture URL, and a stable subject ID. We do not request or receive any other Google account data. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
All personal information that you provide must be true, complete, and accurate, and you must notify us of any changes.
Information collected automatically
When you use the Services, certain information is collected automatically. This information does not on its own reveal your identity but may include:
- Log and usage data — IP address, browser type and settings, language, referring URL, device name, country, location, request timestamps, pages and features used.
- Device data — device and application identifiers, OS, system configuration, ISP / mobile carrier.
We also collect information through cookies and similar technologies. See our Cookie Notice.
§ 2
How we process your information
We process your personal information for the following purposes:
- To provide and maintain accounts. Create and authenticate accounts, keep them in working order.
- To deliver the Services. Pricing tools, agentic comparables, alerts, and any feature you enable.
- To respond to user inquiries. Customer support, bug reports, account questions.
- To send administrative information. Service announcements, security notices, policy updates.
- To prevent fraud and abuse. Detect and respond to suspicious activity, protect Card Pulse and its users.
- To comply with legal obligations. Respond to lawful requests, exercise or defend legal rights.
- To save or protect a person’s vital interest. For example, to prevent harm.
We process your information only when we have a valid legal reason to do so, and only with your prior explicit consent for purposes outside this list.
§ 3
Legal bases we rely on
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases for processing. We rely on:
- Consent — when you have given us permission. You can withdraw consent at any time.
- Performance of a contract — to provide the Services you have signed up for.
- Legal obligations — when compliance with law requires it.
- Vital interests — when necessary to protect anyone’s safety.
If you are located in Canada, we may process your information with your express or implied consent. In limited cases (fraud detection, investigations, public-interest disclosures, etc.) Canadian law permits processing without consent; we follow those rules.
§ 4
When and with whom we share information
We may share your personal information in these specific situations:
- Business transfers. In connection with a merger, sale of assets, financing, or acquisition of all or a portion of our business.
- Service providers. Stripe (payments), Anthropic (AI), Google (sign-in and analytics), our hosting and database providers — each bound by a written contract.
- External pricing sources. When the agentic pricing engine pulls comparables from third-party APIs (eBay, PriceCharting, GoCollect, etc.), we send only the search terms necessary to identify the card; we do not send your account information to these sources.
- Compliance with law. When required by court order, subpoena, regulatory inquiry, or to defend legal claims.
We do not sell or share personal information for cross-context behavioral advertising.
§ 5
Cookies and tracking
We use cookies and similar technologies to maintain session security, remember preferences, and assist with basic site functions. We may permit Google Analytics to collect usage information on our behalf. Specifics — including how to opt out — live in our Cookie Notice.
§ 6
AI products
Cardpulse offers tools powered by artificial intelligence, including agentic price recommendations and decision cards backed by Anthropic (Claude). When you use these tools, your input and the resulting output are processed by the underlying AI provider under their terms and ours. We do not sell your inputs or outputs and we do not use them to train any third-party model. See Anthropic’s privacy policy for their handling.
§ 7
Social logins
Cardpulse currently supports sign-in via Google OAuth only. When you choose to sign in with Google, Google sends us the profile fields described in §1: email, display name, profile picture URL, and a stable subject ID. We use this information solely to create and authenticate your account. We do not receive your Google password and we do not request access to your Gmail, Drive, Calendar, or any other Google service.
We recommend reviewing Google’s privacy notice to understand how they handle your information.
§ 8
How long we keep your information
We keep personal information only as long as necessary for the purposes outlined in this notice, unless a longer retention period is required or permitted by law (tax, accounting, fraud-prevention). Where there is no ongoing legitimate business need to process your information, we will either delete it or anonymize it. If immediate deletion is not possible (for example, because the data is in backup archives), we will securely store and isolate it from further processing until deletion is possible.
§ 9
How we keep your information safe
We use appropriate organizational and technical safeguards: HTTPS in transit, encrypted refresh-token storage with quarterly key rotation, restricted internal access on a need-to-know basis, and continuous monitoring for unusual activity. No electronic transmission or storage system can be guaranteed 100% secure, so we cannot promise your information will never be improperly accessed.
§ 10
Information from minors
Cardpulse is not directed to children, and we do not knowingly collect data from anyone under 18 years of age (or the equivalent age of majority in your jurisdiction). If we learn that we have collected personal information from a person under that age, we will delete it and deactivate the associated account. If you believe we may have collected information from a minor, please contact [email protected].
§ 11
Your privacy rights
Depending on your jurisdiction, you have rights including:
- request access to your personal information
- request correction or deletion
- request a portable copy
- restrict or object to processing
- withdraw consent at any time
You can review or update your account from your dashboard, or contact us at [email protected]. We will consider and act upon any request consistent with applicable law. If you are in the EEA or UK and you believe we are processing your personal information unlawfully, you have the right to complain to your Member State data protection authority or the UK ICO.
§ 12
Do-Not-Track signals
Most browsers offer a Do-Not-Track (“DNT”) setting. There is no industry or legal standard for honoring DNT signals, so we do not currently respond to them. If a uniform standard is adopted in the future, we will update this notice to reflect our practice.
§ 13
US state privacy rights
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to:
- know whether we are processing your personal data
- access and obtain a copy of your personal data
- correct inaccuracies
- request deletion
- opt out of processing for targeted advertising or sale
- not be subject to discrimination for exercising your rights
Cardpulse has not sold, shared, or disclosed personal information to third parties for cross-context behavioral advertising in the preceding twelve (12) months and will not do so in the future. To exercise any of these rights, email [email protected] or submit a data subject access request. Authorized agents may submit requests on your behalf with written permission. If we decline a request, you may appeal by replying to our decision; if your appeal is denied, you may submit a complaint to your state attorney general.
§ 14
Updates to this notice
We may update this Privacy Notice as our practices evolve and as laws change. The “Last updated” date at the top reflects the most recent revision. For material changes we will notify you directly or post a prominent notice in the Services.
§ 15
How to contact us
For questions or comments about this notice, email our Data Protection Officer at [email protected], call (707) 315-7458, or write to:
Card Pulse, LLC
Data Protection Officer
Wilmington, NC 28405
United States
§ 16
How to review, update, or delete your data
To request access to, a copy of, correction of, or deletion of the personal information we hold about you, sign in to your dashboard, or submit a data subject access request. We will respond consistent with applicable law.