This policy explains what personal data Cardcature ("we", "us") collects when you use cardcature.com (the "Service"), how we use it, and the rights you have over it. We've tried to keep this in plain English. If anything is unclear, email hello@cardcature.com.
1. Who we are
Cardcature is a service that lets you create personalised trading cards from photos and details you provide. The data controller is the operator of cardcature.com. To exercise any of your rights below, contact us at hello@cardcature.com.
2. What we collect
When you use the Service, we collect:
- Information you give us — your email address (when you submit it to reveal a card), the photos you upload, the names, stats, descriptions and other text you type into the card editor or funnel questions.
- Generated content — the cards, stats, ability descriptions and image transformations our AI creates based on your inputs.
- Usage data — funnel step events (page views, which step you reached, when you submitted), session identifiers, UTM campaign parameters, browser type, device type, IP-derived country.
- Marketing/ad data — when we run paid ads, the advertising platform (e.g. Meta) may pass us a click ID we send back to confirm conversion, in line with that platform's terms.
We do not knowingly collect data from children under 16. Cardcature is for adults.
3. How we use it
- Deliver the Service — generate your card, send you the high-res file, save your inputs while you complete the funnel.
- Improve the product — measure where users drop off, which prompts work best, fix bugs.
- Marketing — if you submit your email, we may send you your finished card and a small number of follow-up emails about Cardcature (new features, print-on-demand availability). You can opt out at any time using the unsubscribe link in any email.
- Ad measurement — confirm conversions back to ad platforms so our ads can find people similar to you, and so we don't waste budget showing you ads after you've already used the Service.
- Legal & security — prevent abuse, comply with law enforcement requests where required.
4. Legal basis (UK / EU users)
We rely on the following legal bases under UK GDPR and EU GDPR:
- Performance of a contract — to deliver the card you asked us to create.
- Legitimate interests — for product analytics, fraud prevention, and basic ad measurement.
- Consent — for marketing emails (you give consent by submitting your email at the gate; you can withdraw it any time).
5. Who we share it with
We use a small number of trusted third parties to run the Service. We don't sell your data.
- Vercel — hosting and serverless functions (data processed in the United States).
- Neon — managed Postgres database (United States).
- Google Gemini — AI content and image generation. The photo and prompts you submit are sent to Google for processing and are subject to Google's API terms.
- Meta (Facebook / Instagram) — when running ads, conversion events may be shared with Meta via the Facebook Pixel and Conversions API for ad measurement and optimisation.
- Email provider — to deliver transactional and marketing emails.
These transfers may move your data outside the UK / EEA (typically to the United States). Where that happens, we rely on the receiving party's Standard Contractual Clauses or equivalent safeguards.
6. How long we keep it
- Email captures — until you ask us to delete them.
- Uploaded photos & generated cards — processed in memory and not retained on our servers after your session ends, unless you opt in to a saved gallery feature in future.
- Funnel events — kept for up to 24 months for analytics, then aggregated or deleted.
- Server logs — kept for up to 30 days for security and debugging.
7. Your rights
If you're in the UK or EU, you have the right to:
- Access the personal data we hold about you
- Have it corrected if it's wrong
- Have it deleted
- Object to processing or restrict it
- Have your data sent to another service (data portability)
- Withdraw consent for marketing at any time
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk
Email hello@cardcature.com with the subject "Privacy request" and we'll respond within 30 days.
8. Cookies & similar tech
We use a small amount of browser storage to remember your funnel session so you can refresh without losing progress. We don't use third-party advertising cookies for retargeting on this site. If we add a Meta Pixel or other tracking later, we'll update this policy and surface a cookie banner where required by law.
9. Security
Data is encrypted in transit (HTTPS) and at rest. We use access controls and audit logging on our database. No system is perfect — if you spot a vulnerability please email hello@cardcature.com.
10. Changes to this policy
If we change this policy materially we'll update the "Last updated" date above and, for significant changes, email anyone on our marketing list. Continued use of the Service after a change means you accept the updated policy.
11. Contact
Questions, complaints, or requests: hello@cardcature.com.