Privacy Policy
Last updated: 2026-05-06
1. Who we are
EmiCard is a small, independent loyalty-wallet project. The data controller for the purposes of EU/UK GDPR and the business operator under California's CCPA/CPRA is the operator of the EmiCard service, reachable at support@emicard.app. Throughout this document, "we", "us" and "EmiCard" refer to the same operator.
2. What we collect
2.1 Account data
When you sign in with Apple or Google, we receive whatever the provider decides to share with the app: a stable user identifier, your email address (or, with Apple's "Hide My Email", an Apple-relay address that forwards to your real one), your full name (only if you explicitly choose to share it), and — for Google only — a profile photo URL. We never see your provider password.
2.2 Anonymous-session data
EmiCard creates an anonymous Supabase user the first time you open the app, before you sign in with anything. Tied to that anonymous user we store: a UUID, an auto-generated public handle (e.g. @quietowl947), your selected theme, view mode, and discoverability setting. Anonymous accounts are deleted automatically after 90 days of inactivity, or when you sign in and merge them into an authenticated account.
2.3 Card data
For every loyalty card you save, we may store: brand name, program name, card number, discount text, optional notes, optional website, optional phone number, color palette key, optional category, optional initials, optional folder id, and timestamps. Card data lives only on your device (iCloud private CloudKit) until you turn on Cloud Sync — only then is a copy written to our database so you can open your wallet from emicard.app on the web.
2.4 Friends and groups
If you create groups or send friend requests, we store the membership rows that make those features work: who's in which group, who sent which friend request to whom, and the request's status.
2.5 Contacts
We never read your address book automatically. If you tap Import from Contacts, we upload the names, email addresses and phone numbers of your contacts to our database (table: contact_imports) so we can match them against existing EmiCard members. The import is one-shot and only the contacts you confirmed are kept; others are not persisted. You can delete the imported set at any time from inside the app.
2.6 Server logs
Our hosting providers (Vercel and Supabase) keep standard access logs — IP address, request URL, timestamp, user-agent — for debugging, rate-limiting and DDoS mitigation. These logs are rotated within 30 days.
2.7 What we do NOT collect
We do not embed third-party analytics SDKs (no Mixpanel, Segment, Amplitude, Google Analytics, Facebook Pixel, AppsFlyer, Adjust, or equivalents). We do not track you across websites. We do not sell or rent any data we hold to anyone, ever.
3. How we use your data
- To authenticate you and keep your session alive across devices.
- To sync your cards, folders, groups and friend list across your phone and the web.
- To match imported contacts against existing EmiCard accounts (only when you tap Import).
- To generate share links so you can let others see a card you choose to share.
- To prevent abuse (fraud detection, rate-limiting, ban evasion).
- To respond to your support requests when you email us.
4. Legal bases (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)) — for the core service: storing cards, syncing, sharing.
- Consent (Art. 6(1)(a)) — for contact import. You can withdraw consent at any time by deleting the imported set.
- Legitimate interest (Art. 6(1)(f)) — for fraud prevention, abuse mitigation and basic server logging.
- Legal obligation (Art. 6(1)(c)) — when we have to retain or disclose data to comply with law (e.g. a valid law-enforcement request).
5. Sub-processors and third parties
We do not sell your personal data. We use the following sub-processors to operate the service:
- Supabase, Inc. — database, authentication, storage. Region: AWS us-east-1.
- Vercel, Inc. — web hosting, edge network.
- Apple Inc. — Sign in with Apple, iCloud private CloudKit storage of cards on your device.
- Google LLC — Sign in with Google.
Each provider has its own privacy policy governing its handling of any data passed to it.
6. International data transfers
Our database is hosted in the United States (AWS us-east-1). If you access EmiCard from the European Economic Area, the United Kingdom, or Switzerland, your data is transferred to the United States. We rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss addenda where applicable.
7. Retention
- Authenticated accounts: while your account is active. After you request deletion, we hard-delete within 30 days.
- Anonymous-session accounts: 90 days idle, then automatically purged.
- Server logs: 30 days, rolling.
- Backups: encrypted snapshots are retained for up to 14 days for disaster recovery.
8. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct it if it's inaccurate.
- Delete it (right to erasure).
- Receive a copy in a portable format (right to data portability).
- Object to or restrict certain processing.
- Withdraw consent (e.g. for contact import).
- Lodge a complaint with your local data-protection authority.
Most of these are self-serve from inside the EmiCard app: Settings → Account → Export and Settings → Account → Delete. For anything else, email support@emicard.app and we'll get back to you within 30 days, or 45 days if your request is unusually complex (and we'll tell you in advance if so).
9. California-specific notice (CCPA / CPRA)
California residents have the additional rights to know what categories of personal information have been collected, the purposes for collection, the categories of third parties with whom we share that information, and to opt out of any "sale" or "sharing" of personal information. EmiCard does not sell or share your personal information for cross-context behavioral advertising.
10. Children
EmiCard is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has signed up for EmiCard, contact us and we will promptly delete the account.
11. Security
- All traffic is encrypted in transit with TLS 1.2+.
- Data is encrypted at rest by our database provider.
- Auth tokens on iOS live in the system Keychain.
- Card data on your device, when Cloud Sync is off, lives in iCloud's private CloudKit container — readable only by your iCloud account.
- Database row-level-security policies make sure each account can read and write only its own rows.
12. Cookies
On emicard.app we set only the auth cookies we need to keep you signed in (issued by Supabase Auth: sb-access-token and sb-refresh-token) plus a small NEXT_LOCALE cookie that remembers your language choice. We do not set tracking cookies.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will reflect when. If a change is material — for example, a new category of data collected, or a new sub-processor — we'll surface an in-app notice or email registered users.
14. Contact
Privacy questions, data requests, or anything else: support@emicard.app.