Privacy Policy

Who we are

CardBinder AI is operated by Ian Powell ("we", "us"), the data controller responsible for personal data processed through the Service. You can reach us at support@cardbinderai.com.

What we collect

Account information (email, display name), images you intentionally upload to scan, and the cards you add to your binders.

How we use it

To identify cards, estimate values, sync your collection across devices, and operate the Service. We do not sell your data.

Legal basis for processing (GDPR)

• Contract: creating and operating your account, scanning cards, and syncing your collection.
• Legitimate interests: securing the Service, preventing fraud and abuse, and improving recognition accuracy.
• Legal obligation: retaining records required by tax, accounting, or other applicable laws.
• Consent: where required, for optional communications you opt into.

Image uploads

Only photos you intentionally choose to scan are uploaded. They are stored securely and used to provide recognition results for you.

Data retention

• Account data is kept while your account is active and deleted within 30 days of account deletion.
• Uploaded scan images are kept until you delete them or your account; you can clear them anytime from Settings.
• Backups are rotated and overwritten within 90 days.
• Billing and tax records held by our payment provider are kept as required by law (typically 7 years).

Your rights

• Delete your scan history at any time from Settings.
• Delete all uploaded scan images from Settings.
• Permanently delete your account and associated data from Settings.
• Under GDPR/UK GDPR you also have rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority. Contact us to exercise these rights.

Payments — Paddle as Merchant of Record

Our order process is conducted by our online reseller Paddle.com. Paddle is the Merchant of Record for all our orders and acts as an independent data controller for payment data (card details, billing address, tax identifiers). Paddle handles checkout, billing, tax compliance, invoicing, customer service inquiries, and returns. See Paddle's Buyer Terms and Privacy Notice.

Third-party services

We use Lovable Cloud for storage and authentication, and third-party APIs for card metadata, AI vision, and pricing. API keys are never exposed to the browser.

Security

We apply appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS/TLS), encryption at rest for stored data and images, scoped access controls and row-level security on our database, secret management for API keys, and regular dependency and security reviews. No system is perfectly secure, but we work to keep risk low.

International transfers

Our providers may process data outside your country, including in the US and EU. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

Contact

Privacy questions: support@cardbinderai.com.