AltCards

Privacy Statement

Last updated: 29 January 2026

1. Introduction

AltCards ("the Service") is operated by AltCard Limited, a company registered in New Zealand. We are committed to protecting your privacy and handling your personal information responsibly.

This Privacy Statement explains how we collect, use, store, and share your information when you use the Service. By using the Service, you agree to the collection and use of information in accordance with this statement.

2. Information We Collect

We collect the following types of information:

Account Information

  • Email address.
  • Authentication provider (Google or email/password).

User Content

  • Photos you upload for card creation.
  • Text inputs and messages you provide.
  • Card designs you create.

Technical Information

  • IP address.
  • Device type and model.
  • Browser type and version.
  • Operating system.

Usage Information

  • Pages and features you access.
  • Actions you take within the Service.
  • Timestamps of your activity.

3. How We Use Information

We use the information we collect to:

  • Operate and provide the Service, including generating cards.
  • Process payments and manage your account.
  • Prevent misuse, fraud, and abuse of the Service.
  • Improve the Service, including analysing usage patterns and fixing issues.
  • Communicate with you about your account, service updates, and (where you have opted in) marketing communications.

We may use your text inputs for service improvement purposes. We will not use your photos for marketing or any purpose beyond card generation without your explicit consent.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:

  • Consent — where you have given clear consent for us to process your personal data for a specific purpose (e.g. uploading photos for card generation).
  • Contract performance — where processing is necessary to perform our contract with you (e.g. creating and delivering your card).
  • Legitimate interests — where processing is necessary for our legitimate interests and those interests are not overridden by your rights (e.g. fraud prevention, service improvement).
  • Legal obligation — where processing is necessary to comply with a legal obligation.

5. Third-Party Services & Data Sharing

We share your information with the following third-party services as necessary to operate the Service:

  • Google Firebase — we use Firebase for authentication (email/auth provider), database (account and card data), file storage (uploaded and generated images), and hosting. Google receives your account information and content as needed to provide these services.
  • OpenAI — we send your uploaded photos and text inputs to OpenAI for AI-powered image generation. OpenAI processes this data in accordance with their API data usage policy.
  • SendGrid — we use SendGrid to deliver emails (e.g. card delivery emails, account notifications). SendGrid receives recipient email addresses and email content.
  • Stripe — we use Stripe for payment processing. Stripe receives your payment information (e.g. card details) directly; we do not store your full payment card details.

We do not sell your personal information to third parties.

6. International Data Transfers

Your data may be processed outside of your country of residence, including in the United States and other jurisdictions where our third-party service providers operate (including Google Cloud and OpenAI servers).

Where data is transferred from the EEA or UK to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms.

7. Data Retention

We retain your information for the following periods:

  • User photos sent to external services (OpenAI): deleted from their systems within 30 days in accordance with their data retention policies.
  • User photos on our infrastructure: retained while your account is active, and deleted upon account deletion.
  • Sent cards: retained for the purpose of recipient access and delivery.
  • Account data: retained until you delete your account.
  • Rate-limiting and analytics logs: retained for 90 days.

When you delete your account, we will delete or anonymise your personal data within a reasonable timeframe, except where we are required to retain it by law.

8. Image Data Specifically

Photos you upload are processed by OpenAI for the purpose of generating card designs. We want to be transparent about how your image data is handled:

  • Your photos are sent to OpenAI's API for image generation. Under OpenAI's API data usage policy, data submitted via the API is not used to train their AI models.
  • We do not reuse your uploaded photos for any purpose other than generating your requested cards.
  • Generated images (AI output) are not guaranteed to be unique — similar inputs from different users may produce similar results.
  • You retain ownership of your uploaded photos. See our Terms of Use for details on the licence you grant us to process them.

9. Device & Analytics Data

We collect device and technical information (IP address, device type, browser, operating system) for the following purposes:

  • Fraud and misuse prevention — identifying suspicious activity and protecting the Service.
  • Product improvement — understanding how the Service is used to improve features and fix issues.
  • Rate limiting — preventing abuse of the Service.

This data is retained for up to 90 days and is not used for advertising purposes.

10. Your Rights (EU/EEA — GDPR)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can request that we correct inaccurate or incomplete personal data.
  • Right to erasure — you can request that we delete your personal data.
  • Right to restriction of processing — you can request that we limit how we use your data.
  • Right to data portability — you can request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to object — you can object to our processing of your data based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at support@altcards.app.

11. Your Rights (NZ — Privacy Act 2020)

If you are located in New Zealand, you have rights under the Privacy Act 2020, including:

  • Right of access — you can request access to the personal information we hold about you.
  • Right to correction — you can request that we correct any personal information that is inaccurate, incomplete, or misleading.
  • Right to complain — you have the right to lodge a complaint with the New Zealand Privacy Commissioner if you believe your privacy has been interfered with.

To exercise your rights or make a complaint, please contact us at support@altcards.app.

12. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as practicable.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@altcards.app.

13. Cookies & Local Storage

The Service uses browser local storage to maintain your session and store your preferences. This is essential for the Service to function correctly.

We do not use third-party advertising cookies or tracking cookies. We do not use third-party trackers for advertising purposes.

14. Data Security

We take reasonable measures to protect your information, including:

  • All data is transmitted over HTTPS (encrypted in transit).
  • Firebase security rules restrict access to authorised users.
  • Access controls limit who can access your data within our systems.
  • Data is stored using encrypted storage provided by our infrastructure providers.

While we strive to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

15. Changes to This Statement

We may update this Privacy Statement from time to time. If we make material changes, we will notify you by email or through the Service.

Your continued use of the Service after any changes constitutes your acceptance of the updated statement. We encourage you to review this statement periodically.

16. Contact

If you have any questions about this Privacy Statement or how we handle your data, please contact us at:

Email: support@altcards.app
AltCard Limited
New Zealand
