CardStock — Privacy Policy
- Overview and Scope
- Data Controller and Contact
- Information We Collect
- How We Use Information
- Legal Bases for Processing (EEA / UK)
- Google User Data and Limited Use
- Cookies and Similar Technologies
- Affiliate Programs and Outbound Tracking
- How We Share Information
- Data Retention
- Security
- International Data Transfers
- Your Rights and Choices
- Children’s Privacy
- Changes to this Policy
- Contact and Complaints
1. Overview and Scope
This Privacy Policy explains how CardStock Inc. TODO: final registered legal name (“CardStock,” “we,” or “us”) collects, uses, discloses, and safeguards information when you visit cardstock.cards or use our related services (the “Service”). It applies to all users globally and is supplemented by region-specific disclosures in Section 13.
If you do not agree with this Policy, please do not use the Service. Your use of the Service is also subject to our Terms of Service.
2. Data Controller and Contact
The data controller responsible for your personal information is:
CardStock Inc. TODO: final legal name
TODO: registered mailing address, Ontario, Canada
Privacy contact: privacy@cardstock.cards
If you have any questions about this Policy or your data, or wish to exercise your rights, please write to the address above.
3. Information We Collect
3.1 Information you provide directly
- Google account information. When you sign in, Google shares with us your email address, display name, profile picture URL, locale (where provided), and a stable Google account identifier. We do not receive your Google password.
- Communications. Messages you send to privacy@cardstock.cards or other contact channels (subject line, body, and any attachments you choose to include).
3.2 Information collected automatically
- Session cookies. A Flask signed-cookie session is set on sign-in and used to authenticate subsequent requests. It contains your email, display name, and profile picture URL, signed with our server key. Lifetime: up to 30 days, unless you sign out earlier.
- Server access logs. Our application server records standard request metadata for security, debugging, and abuse-prevention purposes: source IP address, user-agent string, requested URL, HTTP status, timestamp, and referrer. These logs are retained for up to 90 days and are not used for advertising.
- First-party click logs. When you click an affiliate-tagged outbound link to a marketplace (for example, a “Buy on eBay” link), we record the listing identifier, target marketplace, click timestamp, and, if you are signed in, your account identifier, to measure interest and reconcile partner-network reporting.
3.3 Information we do not collect
We do not: receive payment-card or banking details (all purchases occur on third-party marketplaces); read your Gmail, Drive, Calendar, Contacts, or any other restricted Google data; sell personal information; serve third-party advertising; or operate ad-targeting cookies. We do not use cross-site tracking pixels.
4. How We Use Information
| Purpose | Categories used |
|---|---|
| Authenticate you and maintain your session | Google account info, session cookie |
| Display your account chip and personalize the UI (avatar, name) | Display name, profile picture URL |
| Authorize access to admin and operator features | Email address (matched against our internal allowlist) |
| Operate, monitor, and secure the Service; investigate abuse | Server access logs, click logs |
| Reconcile affiliate-program reporting and measure aggregate interest | First-party click logs (de-identified for aggregate reporting) |
| Respond to your inquiries and legal requests | Communications, account info |
| Comply with legal obligations | Whatever is strictly necessary in the circumstances |
We do not use your personal information to train machine-learning models, to build advertising profiles, or for any automated decision-making with legal or similarly significant effects.
5. Legal Bases for Processing (EEA / UK)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Contract (Art. 6(1)(b)) — to authenticate you and provide account features.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service, including server logs and first-party click measurement, balanced against your interests.
- Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from regulators or courts.
- Consent (Art. 6(1)(a)) — where required, for example for optional analytics in jurisdictions that require opt-in.
6. Google User Data and Limited Use
Google API Services User Data Policy — Limited Use Disclosure. CardStock’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We request only the openid, email, and profile scopes. We do not request, store, or use any restricted or sensitive Google scopes (Gmail, Drive, Calendar, Contacts, Photos, Fit, Classroom, etc.).
- We use Google user data only to authenticate you, to display your account identity within the Service, and to authorize access to non-public features.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you.
- We do not use Google user data for serving advertisements, including retargeting or personalized advertising.
- We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, to comply with applicable law, or the data is aggregated and used for internal operations in compliance with the Google API Services User Data Policy.
You can revoke our access at any time at myaccount.google.com/permissions. Revoking access will sign you out of the Service.
7. Cookies and Similar Technologies
We use the minimum set of cookies needed to operate the Service:
- Session cookie (strictly necessary) — signed by our server, carries your sign-in state. First-party. Expires up to 30 days after sign-in.
- OAuth state cookie (strictly necessary) — short-lived, used by the Google sign-in flow to defend against CSRF. First-party. Discarded after callback.
We do not use advertising, analytics, social-media, or cross-site tracking cookies. Because we rely only on strictly-necessary cookies, no cookie-consent banner is shown; this aligns with ePrivacy Directive Art. 5(3) and equivalent provincial guidance.
8. Affiliate Programs and Outbound Tracking
CardStock participates in third-party affiliate programs including the eBay Partner Network and the Amazon Services LLC Associates Program. When you click an affiliate-tagged outbound link:
- You leave CardStock and are routed to the marketplace, which may append its own tracking parameters identifying CardStock as the referring partner.
- The destination marketplace places its own cookies and processes your data under its privacy policy, not ours. Review eBay’s User Privacy Notice and Amazon’s Privacy Notice for details.
- We retain a first-party record of the click (see Section 3.2) to reconcile partner-network reports. We do not receive your subsequent browsing activity on the marketplace.
9. How We Share Information
We share personal information only in the limited circumstances below:
- Service providers / processors. Cloud hosting, database, email delivery, error monitoring, and similar infrastructure providers, who process data on our behalf under written contracts that restrict use to the purposes we specify.
- Affiliate partners (limited identifiers only). Outbound affiliate links carry our partner identifier and, in some cases, an opaque customid tag to attribute conversions. We do not send the partner your email address, name, or profile picture.
- Legal and safety. When required to comply with applicable law, lawful requests, court orders, or to protect the rights, property, or safety of CardStock, our users, or the public.
- Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to the recipient honoring this Policy or providing notice and choice where required.
We do not sell or rent personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act.
10. Data Retention
- Google account profile (email, name, picture, Google id): retained while your account is active. Deleted within 30 days of your deletion request or 24 months of account inactivity, whichever comes first.
- Session cookies: up to 30 days from sign-in.
- Server access logs: up to 90 days, then deleted or aggregated.
- First-party affiliate click logs: up to 24 months for partner-network reconciliation, then aggregated.
- Communications you send us: retained as long as needed to address the matter and meet legal/recordkeeping obligations.
11. Security
We apply administrative, technical, and physical safeguards proportionate to the limited sensitivity of the data we collect. Examples include TLS in transit, secrets stored outside source control, principle-of-least-privilege access to production systems, signed session cookies, server-side authorization checks on every protected request, and an explicit master-admin allowlist for elevated access. No method of transmission or storage is 100% secure; we cannot guarantee absolute security and encourage you to use a strong, unique Google password and enable Google’s two-step verification.
12. International Data Transfers
CardStock is operated from Canada, and certain service providers we use may be located in the United States or other jurisdictions. Where personal data is transferred outside the EEA, UK, or other regions that restrict international transfers, we rely on adequacy decisions or appropriate safeguards such as the European Commission’s Standard Contractual Clauses, as applicable.
13. Your Rights and Choices
13.1 All users
You can:
- Sign out from the account menu in the navigation bar at any time;
- Revoke our access to your Google account at myaccount.google.com/permissions;
- Request a copy or deletion of your account data by emailing privacy@cardstock.cards. We will verify your identity (typically by replying from your Google-registered email) and respond within 30 days.
13.2 Residents of Canada (PIPEDA / Quebec Law 25)
You have the right to access and correct your personal information, to withdraw consent (subject to legal or contractual restrictions), and to lodge a complaint with the Office of the Privacy Commissioner of Canada or, for Quebec residents, the Commission d’accès à l’information.
13.3 Residents of the EEA / UK (GDPR / UK GDPR)
You have the rights to access, rectify, erase, restrict or object to processing, and to data portability. You also have the right to lodge a complaint with your local supervisory authority.
13.4 Residents of California (CCPA / CPRA)
You have the rights to know, delete, correct, and limit use of sensitive personal information. As noted in Section 9, we do not sell or share personal information for cross-context behavioral advertising. You may exercise your rights by writing to privacy@cardstock.cards. We will not discriminate against you for exercising your rights.
14. Children’s Privacy
The Service is not directed to children under 13 (or under 16 in jurisdictions where that is the threshold for digital consent). We do not knowingly collect personal information from children below those ages. If you believe a child has provided us with personal information, please email privacy@cardstock.cards and we will delete it promptly.
15. Changes to this Policy
We may update this Policy from time to time. The current version is identified by the “Effective date” at the top. For material changes that reduce your rights, we will provide reasonable advance notice (for example, by an in-Service banner or email to your signed-in address) before they take effect.
16. Contact and Complaints
For privacy questions, requests, or complaints, write to:
CardStock Inc. — Privacy TODO: final legal name
TODO: registered mailing address, Ontario, Canada
Email: privacy@cardstock.cards
If you are not satisfied with our response, you may contact the privacy regulator in your jurisdiction, including (where applicable) the Office of the Privacy Commissioner of Canada at priv.gc.ca.