Privacy Policy
Effective Date: June 24, 2026
1. Overview
CardCade ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CardCade platform and related services (the "Service").
Please read this policy carefully. By using CardCade, you agree to the collection and use of information in accordance with this policy. If you disagree with any part, please discontinue use of the Service.
2. Information We Collect
2.1 Information You Provide Directly
- User Information: Email address, authentication identifiers, and selected product modes such as Teacher, Classroom Student, or Solo Learner
- Profile Data: Display name and optional avatar
- Content: Solo Decks, Classroom Decks, Worksheets, Virtual Labs, questions, answers, and other educational content you create or submit
- Payment Information: When subscribing to a paid plan, payment details are collected and processed directly by Stripe. We do not store your full card number or CVV.
2.2 Information Collected Automatically
- Study Activity: Reviewed Cards, Study Sessions, SRS State, Assignment Progress, Solo Progress, and Solo XP
- Usage Data: Pages visited within the app, features used, and interactions with live game sessions
- Device & Technical Data: Browser type, operating system, IP address, and approximate geographic location (country/region level)
2.3 Information from Third Parties
- WorkOS AuthKit: We use WorkOS AuthKit to authenticate Users. WorkOS may process login identifiers, session data, and identity-provider information needed to sign you in.
- Stripe: We receive confirmation of subscription status and billing events from Stripe but do not receive raw payment card data.
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Deliver the core Service — Deck study, spaced repetition, Arcade, Live Activities, and Assignment Progress
- Power AI features, such as Deck generation, Worksheet generation, Virtual Lab generation, and AI-assisted grading (relevant content is sent to our AI provider for processing; see Section 7)
- Calculate and display study statistics, Solo XP, Mission Streaks, Gradebook data, and leaderboards
- Process subscription payments and manage billing
- Send transactional emails (account verification, password reset, subscription receipts)
- Improve and debug the platform through aggregate analytics
- Comply with legal obligations
We do not sell your personal information to advertisers or third-party marketers.
4. How We Store Your Data
Database and application data: User, Profile, Deck, Card, Classroom, Assignment, Assignment Progress, Solo Progress, and entitlement data are stored in Convex. Data is encrypted in transit, and Convex provides managed application data storage for the Service.
Application Hosting: The CardCade web application is served by our hosting provider and supporting content delivery infrastructure.
Authentication: WorkOS AuthKit provides authentication, session handling, and supported identity-provider login flows.
Convex privacy policy: convex.dev/legal/privacy
WorkOS privacy policy: workos.com/privacy
5. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may disclose information only in the following limited circumstances:
- Service Providers: We share necessary data with trusted third-party vendors including Convex, WorkOS, Stripe, OpenRouter/AI providers, hosting providers, and support or analytics providers solely to operate, secure, support, and improve the Service
- Classroom Context: Classroom Teachers can view Classroom Student Assignment Progress, Evidence, submissions, Gradebook data, and Live Activity participation for the Classrooms they manage
- Legal Requirements: We may disclose information if required to do so by law or in good-faith belief that such action is necessary to comply with a legal obligation, protect our rights, or protect the safety of users
- Business Transfers: If CardCade is involved in a merger, acquisition, or sale, user data may be transferred as part of that transaction, with advance notice provided to affected users
6. Cookies & Local Storage
CardCade uses the following to maintain your session and preferences:
- Authentication Cookies: Secure session cookies issued through WorkOS AuthKit and CardCade to keep you logged in
- localStorage: Used to remember UI preferences such as theme (dark/light mode) — this data stays on your device only
- No Third-Party Ad Trackers: We do not use Google Analytics, Facebook Pixel, or any advertising tracking cookies
7. AI Features & Data Processing
When you use AI-powered features, the relevant content is transmitted to our AI provider (OpenRouter, which may route requests to model providers such as Google Gemini) for processing.
Solo Learner AI requests may include Solo Deck titles, Card prompts and answers, imported source text, missed-card patterns, weakness-study signals, and generation instructions needed to create or improve Solo study content.
Classroom content AI requests may include Classroom Deck, Worksheet, Virtual Lab, prompt, rubric, and Teacher-provided source material needed to generate or grade classroom learning content.
Classroom Student evidence AI requests may include the specific Submission, answer, or Evidence being graded or summarized. We minimize the data transmitted to AI providers to what is necessary for the requested operation and avoid sending student names or emails when they are not needed.
AI provider data practices are governed by their respective privacy policies. We encourage you to review these if you have concerns about AI data processing.
8. Children's Privacy (COPPA)
CardCade is intended for users 13 and older. We do not knowingly collect personal information from children under 13.
Schools using CardCade Classroom with students under 13 are responsible for obtaining verifiable parental consent as required by COPPA before enrolling such students. The school, acting as an educational agency, serves as the consent intermediary on behalf of parents.
If you believe we have inadvertently collected information from a child under 13 without proper consent, please contact us immediately at matis@cardca.de and we will delete it promptly.
9. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your account and associated personal data. You can initiate this from your account settings or by emailing us. Note that some data may be retained for legal or operational purposes for a limited time.
- Data Portability: Request an export of your Decks and study data in a machine-readable format
- Opt-Out of Marketing: You may opt out of any marketing emails via the unsubscribe link in the email. Transactional emails (account verification, receipts) cannot be disabled while your account is active.
To exercise any of these rights, contact us at matis@cardca.de. We will respond within 30 days.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. If you delete your account:
- Your Profile and Solo-owned Deck content are deleted or de-identified within 30 days
- Classroom Student records may be retained as needed to support a Classroom, school request, legal requirement, or DPA
- Anonymized aggregate analytics data (not linked to you) may be retained indefinitely
- Billing records may be retained for up to 7 years as required by tax law
11. Security
We take reasonable technical and organizational measures to protect your data, including:
- TLS encryption for all data in transit
- Managed encryption for stored application data through Convex and other service providers
- Server-side authorization checks for User, Organization, Classroom, Teacher, Classroom Student, and Solo Learner access
- Authentication and session management through WorkOS AuthKit
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to matis@cardca.de.
12. International Users
CardCade is operated from the United States. If you are accessing the Service from outside the United States, be aware that your information may be transferred to, stored, and processed in the US where our servers are located. By using CardCade, you consent to this transfer.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and using the personal data described above is our legitimate interest in providing and improving the Service, performance of a contract (your account agreement), and compliance with legal obligations.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by sending an email to your registered address or by displaying a prominent notice within the application at least 14 days before the changes take effect.
We encourage you to review this policy periodically. The "Effective Date" at the top of the page indicates when it was last revised.
14. Contact Us
If you have any questions, concerns, DPA requests, or requests related to this Privacy Policy or your personal data, please contact us at:
CardCade Privacy Team
matis@cardca.de
