Privacy Policy

Introduction

Welcome to CardVis! CardVis ("CardVis", "we", "us" or "our") provides an AI-powered card grading mobile application (the "App" or "Service") that allows users to grade collectible cards. We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains what information we collect, how we use and share it, how we secure it, and your rights in relation to that information. By using CardVis, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.

Definitions

For clarity in this Privacy Policy, we use the following definitions:

• Account: Your CardVis account created when you register with an email address or via Apple ID (Sign in with Apple).
• Personal Information (or "Personal Data"): Any information that identifies or relates to an identifiable individual. This includes information like your name and email, as well as data about how you use the App.
• Card Images: Photographs or scans of the front and back of collectible cards that you upload to the App for grading.
• Grading Data: The results of our AI analysis of your card images, including grades for centering, edges, surface, corners, and an overall grade.
• Grading Credits: Units tied to your subscription (weekly or monthly) which allow you to submit cards for grading.
• Service Providers: Third parties that process data on our behalf to help us deliver the Service (e.g. cloud storage, payment processors).

Any other capitalized terms not defined here have the meaning given to them in our Terms of Service.

Information We Collect

We collect only the information that is necessary to provide and improve our Service. The categories of information we collect include:

How We Use Your Information

We use the collected information for the following purposes, all in accordance with applicable law:

We will not use your personal information for purposes that are unrelated to the above without notifying you and obtaining any necessary consent. We do not engage in automated decision-making that produces legal or similarly significant effects on you without human review – the grading process is automated, but its sole purpose is to provide you with card evaluations that you have requested.

Cookies and Tracking Technologies

Currently, CardVis does not use any cookies, third-party analytics services, or advertising trackers in our mobile app. Unlike a web service, our mobile App does not set cookies in a browser. We also have not integrated any analytics SDKs or tracking libraries that collect personal data for analytics or advertising purposes at this time.

In summary, as of the Effective Date of this Policy, no cookies or third-party tracking technologies are used by CardVis. If this changes, we will let you know and update this Policy so you can make an informed choice.

How We Share Your Information

CardVis does not sell your personal information to anyone. We also do not share or disclose user data to third parties for their independent marketing or advertising purposes at this time. However, we do share certain information with trusted third parties who provide services that allow us to run CardVis (under strict data protection agreements), as well as in a few other circumstances described below:

Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Because CardVis allows you to maintain a personal collection of graded cards, we generally keep your data until you actively request deletion. Below is an overview of our retention practices:

• Account Information: We keep your account data (email, Apple ID info, and any profile information) for as long as your account is active. If you decide to delete your CardVis account or request deletion, we will remove or anonymize your personal information from our active systems (subject to the exceptions below). However, we may retain certain limited information after account deletion as needed for legal compliance, record-keeping, or legitimate business purposes (e.g., maintaining records of consents or opt-outs, or if required for tax and accounting for any purchases). If we retain data for these reasons, we will restrict its use to those purposes only.
• Card Images and Grading Data: The photos of your cards and their grading results are stored indefinitely by default, so that you can access your graded collection at any time. We will continue to store this data until you choose to delete it. You have the ability to delete individual card entries from your collection within the App; doing so will remove the associated images and grading data from our active database. If you delete your entire account (or request that we do so), all Card Images and Grading Data associated with your account will be deleted from our active systems as part of that process. Please note that when data is deleted from our active systems, it may remain in our secure backups for a short period (typically up to 30-60 days) before those backups are overwritten or purged. We maintain this backup retention for integrity and disaster recovery purposes. During any such brief backup retention, the data is isolated and protected.
• Login and Usage Logs: We maintain logs of login activity and other usage events for as long as needed for security monitoring and analysis. Typically, login records (such as a log of successful and failed login attempts, with timestamps and IPs) are retained for approximately 12 months. This allows us to review past security events and investigate fraud or abuse. After this period, we may either delete these logs or anonymize and aggregate them for long-term analysis. If we are required by law to retain certain logs (for example, in response to a legal order or as part of an investigation), we will retain the specific data necessary for that purpose.
• Subscription and Transaction Records: We keep records of your subscriptions and transactions as long as you are a subscriber and for a reasonable period thereafter. This information is needed for accounting, auditing, and any potential disputes. For example, we retain confirmation of your subscription purchases (e.g., receipt IDs from Apple and subscription status) while your subscription is active and for a period of time after cancellation (generally a minimum of a year, and up to several years if required by tax law or financial regulations). We do not have your credit card details, but the fact that a purchase occurred and related metadata may be kept for our financial records. Even if you delete your account, we may retain transactional records as required for legal compliance (we will, however, disassociate these records from your personal identity where possible if the account is deleted).
• Support Communications: Copies of your support requests and our responses are retained for up to 365 days from when the support issue is resolved or closed. We keep these for a year to refer back to prior communications in case you have follow-up questions and to improve our customer service. After 365 days, support tickets and chat logs are deleted from our systems, unless they contain information we are required to retain for legal reasons (which is uncommon). If you would like us to delete a particular support conversation sooner, you can request that and we will do so provided we have no ongoing legitimate need for it.
• AI Training Data: If your card images and grading data are used in anonymized or aggregated form for AI model training (as described in How We Use Your Information), the resulting machine learning models or aggregated datasets do not personally identify you. We may retain these trained models and anonymized data indefinitely to improve our services, since they no longer contain personal data. However, if you request deletion of your personal data, we will ensure that any raw data tied to your identity is removed and not used in any future model training. (An already-trained model cannot usually extract the original personal data, but we mention this for completeness.)
• Legal Holds: Notwithstanding the stated retention periods, if we are subject to a legal hold or are otherwise legally required to retain data (for example, pursuant to a court order, subpoena, or government directive), we will retain the relevant information for as long as the order is in effect or as required by law. We will also retain information as needed to pursue or defend against legal claims. During such a period, we will isolate the data and prevent it from being used for other purposes.

When we no longer have a business need or legal obligation to retain your personal information, we will securely delete it or anonymize it. If immediate deletion is not possible (for instance, because the data is stored in a backup archive), we will secure the data and isolate it from further use until deletion is feasible.

Data Security

CardVis takes the security of your personal information very seriously and implements a variety of measures to protect your data from unauthorized access, disclosure, alteration, or destruction. We follow industry best practices to safeguard your information, recognizing that no system can be 100% secure but striving to reduce risks to an appropriate level. Our security measures include:

• Secure Cloud Storage: All card images and grading data are stored on Amazon Web Services (AWS) infrastructure (specifically, Amazon S3 cloud storage). AWS is a reputable cloud provider that employs robust physical and network security controls. Data stored on Amazon S3 is protected by Amazon's security measures, and we configure our S3 storage so that your files are private and only accessible to authorized CardVis services and personnel. For example, each image uploaded is assigned a unique address on S3 that is not guessable, and access to the storage bucket is restricted to our backend servers. Amazon S3 also offers encryption at rest, which we utilize – meaning your stored images are encrypted on the disk/storage level to add an extra layer of protection.
• Encryption in Transit: The CardVis app communicates with our servers over secure, encrypted channels. This means any data transferred between your device and our backend (such as when you upload card images or download grading results) is encrypted using HTTPS/TLS. Encryption in transit protects your data from eavesdropping while it travels over the internet.
• Authentication Security: We use one-time passwords (OTP) and/or Apple ID authentication to secure account access, which avoids the need to store a password. For OTP logins, the codes we send are time-limited and one-use. Our systems also enforce measures like rate-limiting login attempts to prevent brute force attacks. If Apple ID is used, we rely on Apple’s secure authentication tokens. We also store account identifiers and any sensitive tokens in an encrypted form in our database. Access to accounts is further protected by the security of your email or Apple credentials; please keep those secure on your end as well.
• Access Controls and Internal Policies: Access to personal data within CardVis is restricted on a need-to-know basis. Only a limited number of authorized CardVis team members (for example, an admin or an engineer addressing a user-reported issue) have access to user personal data, and even then, only to the extent necessary. All access to the database or storage systems is logged and monitored. Our employees and contractors are bound by confidentiality obligations and are trained on proper handling of personal data. We have internal policies in place forbidding any unauthorized access or use of user data. For instance, CardVis personnel will never view the images you upload unless it is absolutely necessary to troubleshoot a specific issue you requested help with, or unless required by law – and even in such cases, access is carefully controlled and logged. By default, no one at CardVis browses or shares your card images without your permission.
• Network and Application Security: We maintain up-to-date security practices in our application development and infrastructure. Our servers are protected by firewalls and routinely updated with security patches to mitigate vulnerabilities. We utilize reputable hosting services (like AWS) which provide security monitoring. We also employ techniques such as input validation and regular code reviews to prevent common security issues (e.g., SQL injection, cross-site scripting). Additionally, we may use third-party security services (like Cloudflare or others) to defend against denial-of-service attacks or other malicious traffic aimed at our service.
• Data Backups and Recovery: We perform regular backups of critical data (including your card images and grading data) to ensure we can recover in case of a system failure or disaster. These backups are encrypted and stored securely (often also on AWS). Backup data is retained only for a limited duration and is purged on a rolling schedule (as mentioned in Data Retention). In the event of a data loss incident, we have disaster recovery plans to restore availability of the Service as quickly as possible.
• Testing and Assessment: We periodically review our security measures and may conduct testing such as vulnerability scans or employ third-party audits/assessments of our systems to ensure our safeguards remain effective. Any identified issues are addressed with high priority.
• Payment Security: Although we do not process payments directly, we rely on Apple's App Store payment system which is PCI-DSS compliant (a strict security standard for handling payment information). Your financial information is handled by Apple's secure infrastructure. We never receive your full payment details, and any limited information we get (like a transaction ID) is handled in accordance with this Policy.

Despite all these measures, it's important to understand that no method of electronic storage or transmission over the internet is completely immune to security breaches. We cannot guarantee absolute security of information. However, we continuously work to protect your data and to update our security protocols in line with evolving threats. In the unlikely event of a data breach that affects your personal information, we will notify you and any applicable regulators of the breach as required by law, and we will take immediate steps to mitigate the impact and prevent future incidents.

You also play a role in keeping your data secure. We encourage you to maintain control over access to the email account associated with CardVis and your Apple ID (if used), as those are primary means of accessing your CardVis account. Notify us immediately if you suspect any unauthorized access to your account.

Your Rights and Choices

You have various rights regarding your personal information and certain choices in how we use it. CardVis is committed to upholding your rights and enabling you to exercise control over your data. These rights may vary depending on your jurisdiction (for example, residents of certain states or countries have specific legal rights), but we provide all users with a core set of privacy protections. Key rights and choices include:

• Right to Access: You have the right to request access to the personal information we hold about you. This includes the right to ask for a copy of specific information, such as the data in your account profile, your card grading data, and login records. We can provide this in a common electronic format. For example, you can request an export of your grading results or a summary of your account details.
• Right to Correct: If any of your personal information is incorrect or out-of-date, you have the right to request correction. For instance, if you change email addresses or notice that we have an incorrect name on file (perhaps as provided by Apple), you can update this through the app if possible or by contacting us. We encourage you to keep your account information current. We will correct any factual inaccuracies you point out in the personal data we hold.
• Right to Delete: You have the right to request deletion of your personal data ("right to be forgotten"). This can be exercised by requesting to delete specific data (like a particular card entry) or your entire account. You can delete individual cards from within the app, which erases those card images and grades from our systems. If you wish to delete your account entirely, you can use any in-app deletion feature (if available) or contact us at our support email with a deletion request. Once we verify it’s you, we will delete your account and all associated personal data (including stored card images, grading data, and personal details) from our active databases, except for any information we are required to retain (we will inform you if such an exception applies). Please note: deleting your account is irreversible – your data and graded collection cannot be recovered once deleted. If you simply uninstall the app without deleting your account, your data will remain on our servers until you delete it or request deletion.
• Right to Data Portability: You have the right to obtain a copy of personal information you provided to us in a structured, commonly used, machine-readable format. In practice, this means you can ask us for an export of your data (for example, a CSV or JSON file containing your card grading results, or a JPEG archive of your card images that you uploaded). Where technically feasible, you may also request that we transmit this data to another service provider at your direction. We will help with data portability requests to the extent required by law and technically practical.
• Right to Withdraw Consent: In cases where we rely on your consent to process personal data (for example, if we eventually ask for your consent to send marketing emails or to use a new feature), you have the right to withdraw that consent at any time. If you withdraw consent for a particular feature (like email marketing), we will stop the processing of your data for that purpose. Withdrawal of consent will not affect the lawfulness of any processing done prior to withdrawal. For instance, if you had agreed to receive a newsletter and later opt out, we will honor that going forward. To withdraw consent, you can typically use the provided opt-out mechanism (such as an "unsubscribe" link in an email) or adjust settings in the App (if available), or you can contact us for assistance.
• Right to Object to Processing: Depending on applicable law, you may have the right to object to certain types of processing. For example, even though we do not use your data for marketing as of now, if we did, you could object to your personal data being used for direct marketing purposes, and we would immediately stop. If we process your data on the basis of a legitimate interest (as defined by law), you can object if you feel our processing impacts your rights. One common example under some laws is the right to object to any form of "profiling" – however, CardVis's profiling is limited to analyzing card images (not profiling you as an individual). If you object to any processing that we undertake, we will review your objection and respond in accordance with law, ceasing the processing unless we have a compelling legitimate ground to continue (in which case we will inform you).
• Right to Opt Out of Sale or Sharing: We do not sell your personal information or share it for targeted advertising, as noted above. Therefore, there is no need to opt out of sale/sharing at this time – by default, you are opted out. If our practices change such that these rights become relevant (for example, if we ever considered "selling" data under a legal definition), we will update this Policy and provide a clear method for you to opt out. We comply with applicable state laws such as the California Consumer Privacy Act (CCPA) and Delaware’s privacy law which grant the right to opt out of the sale of personal data and certain sharing. Since we do not engage in those activities, we treat all users as having those preferences honored automatically.
• Right to Non-Discrimination: CardVis will not discriminate against you for exercising any of your privacy rights. This means we will not deny you the Service, charge you a different price, or provide a lesser quality of service just because you exercised your rights. The Service features you receive will remain the same. (Do note that deletion of certain data or an account might naturally mean you can no longer use some features – for example, if you delete your account entirely, you won’t be able to log in – but this is a result of providing the requested service (deletion), not a punitive action.)
• California and Delaware Residents: If you are a resident of California or Delaware (or another state with similar privacy laws), you are entitled to specific disclosures and rights under those state laws. We believe we have addressed many of these in the rights above. California residents can request a notice identifying the categories of personal information we have collected, used, and disclosed (see sections of this Policy for those details) and the specific pieces of information we hold about you (access request). They also have rights to deletion, to opt out of sale/sharing (addressed above), and to correct inaccurate information. Delaware residents (effective 2025) have similar rights to access, confirm, correct, delete, or transfer their data, and to opt out of targeted advertising, sales, or profiling. CardVis is designed to respect these rights for all users. If you have any questions or special requests pertaining to your state privacy rights, please contact us.
• Managing Your Data in the App: In addition to formal requests, we strive to give you direct control within the CardVis app when possible. For instance, you can delete card entries (as mentioned), and you can update certain profile details. If we introduce features like account settings pages, you may be able to download data or adjust preferences right in the app. We will continue to enhance user controls in the app.
• Marketing Communications: As noted, we currently do not send marketing emails. If and when we start, any marketing email you receive from us will include an unsubscribe link or instructions so you can opt out easily. You can always also opt out by contacting us. Once you opt out, we will remove you from the marketing list. Please note you will still receive essential service emails (we cannot, for example, stop sending OTP login codes or critical account alerts, unless you deactivate your account entirely).

To exercise any of your rights or make any requests regarding your personal data, you may contact us using the information in the Contact Information section below. Please clearly describe your request. We may need to verify your identity before fulfilling certain requests, especially for access, deletion, or portability, to ensure that we do not give your data to an unauthorized person. For most requests, we will respond within 30 days, and if more time is needed (for complex requests, some laws allow 60 or 90 days), we will inform you of the extension. There is no fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we will explain any nominal fee or reason for refusal.

International Data Transfers

CardVis is operated from the United States (with our company based in Delaware, USA), and the infrastructure (servers, databases, storage) we use is primarily located in the United States. If you are accessing CardVis from outside the U.S., please be aware that your personal information will likely be transferred to, stored in, and processed in the United States. Data protection laws in the U.S. may not be as comprehensive as those in your country of residence. However, we will protect your personal information in accordance with this Privacy Policy and applicable law, no matter where it is processed.

For users in the European Economic Area (EEA), United Kingdom, Switzerland, or other regions with data transfer restrictions: whenever we transfer your personal data out of those regions, we will implement appropriate safeguards to ensure an adequate level of data protection. For example, we may rely on the European Commission’s Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to legally transfer data from the EEA/UK to the U.S. These are contractual commitments between companies transferring personal data, binding them to protect the privacy and security of your data according to EU standards. Our key service providers (like AWS and Apple) are also part of international frameworks or have their own SCCs in place, as needed. AWS, for instance, is certified under various security standards and offers strong contractual privacy commitments.

By using CardVis or submitting information to us, you understand that your data may be transferred to and stored in the United States and potentially other jurisdictions where our service providers are located. In all such cases, we take steps to ensure your data is treated securely and lawfully. If international transfer of your data is required, we will do so in compliance with the relevant data protection laws.

If you reside outside the U.S. and have any questions about our data transfer practices, you can contact us. We will be happy to provide more information on the safeguards we use for cross-border data transfers.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make changes, we will post the updated policy within the App and update the "Effective Date" at the top. For significant changes, we will take additional steps to inform you of the update: for example, by sending a notice to the email associated with your account or by displaying a prominent announcement within the App.

Significant changes might include, for instance, adding new categories of personal information we collect, new purposes for data processing, or any changes that affect your rights. Minor changes (such as clarifications, grammatical fixes, or updates to contact information) may be simply updated on our website or in-app without a direct notice, but you can always see the latest Effective Date to know when it was last revised.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of CardVis after any changes to this Privacy Policy constitutes your acceptance of those changes (to the extent permitted by law). If you do not agree with any updates or changes, you should stop using the Service and can request deletion of your data.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please do not hesitate to contact us:

• Email:support@cardvis.com
• Support: You can also contact us through the in-app support chat or help center, if available, for privacy inquiries.

We will respond to your inquiries as soon as reasonably possible, generally within 30 days. If you are contacting us to exercise a specific privacy right, please clearly describe your request and the context (e.g., "Right to Access – EU GDPR" or "request to delete my account data") so we can handle it efficiently.

Governing Law

This Privacy Policy, and any disputes arising from it or your use of the Service, are governed by the laws of the State of Delaware, USA, without regard to its conflict of law principles. By using CardVis, you agree that any legal action or proceeding concerning this Privacy Policy shall be brought in the appropriate federal or state courts located in Delaware. You consent to the personal jurisdiction of such courts and waive any objections to venue in those courts. We make no representation that this Privacy Policy complies with the laws of any other country. If you access the Service from outside the United States, you do so on your own initiative and are responsible for compliance with local laws, if and to the extent local laws are applicable.