Overview
Cryptocardium operates a crypto-funded card programme. This privacy policy explains what data we collect, how we use it, who we share it with, and what your rights are. It applies to everyone who visits cryptocardium.com, opens an account, or uses any of our APIs.
Our architecture is built around the absence of identity verification. We don't ask for KYC, so the data list below is genuinely short. Read it; question anything that's missing.
What we collect
The complete list of data we store about an account:
- Email address — the only identifier we ask for. Used for sign-in, account recovery, ticket replies.
- Password hash — bcrypt, cost 12. The plaintext never touches disk and is dropped from memory after each request.
- TOTP secret (if 2FA enabled) — encrypted at rest with a key rotated every 90 days.
- Backup codes (if 2FA enabled) — bcrypt-hashed, consumed once each, never re-shown after generation.
- Treasury balance — USDT-denominated, updated on every top-up, load, and withdrawal.
- Top-up records — amount, asset, chain, deposit address, on-chain txid, timestamps, status.
- Card metadata — BIN, last 4 digits, status, limits, MCC rules, geo-locks. The full PAN is never stored at rest on our side; the issuer holds it.
- Transaction events — auth, capture, refund, decline records pushed by the issuer.
- Sign-in IPs — kept for 90 days for fraud defence and rate-limiting.
- API key metadata — name, sha256-hashed key, prefix (visible), last-used timestamp + IP.
- Support ticket history — subject, body, status, replies, attachments.
What we don't collect
Equally important — the list of things we never ask for and never store:
- Government ID, passport, driving licence, residence permit
- Selfie, liveness video, biometric data
- Real name, date of birth, tax identification number
- Proof of address (utility bill, lease, bank statement)
- Source-of-funds attestation, income declaration, employer info
- Phone number (the panel works without one)
- Social security number, national ID number
- Marketing preferences, behavioural tracking data, third-party cookie IDs
How we use it
Every piece of data we collect serves one of three purposes:
- Running your account — authentication, balance display, card authorisation routing.
- Preventing fraud — rate-limiting failed sign-ins, anti-fraud scoring on top-ups and card auths, anomaly detection on API usage.
- Aggregate analytics — anonymised, never tied back to individual accounts. We measure platform-wide metrics (cards issued per day, median auth latency, decline rates) for product decisions.
We do not use your data for advertising, profiling, behavioural targeting, or any third-party marketing purpose.
Sharing & third parties
The short list of third parties that ever see your data:
- Card issuer (PCI DSS Level 1 sponsored BIN issuer) — receives card metadata, top-up amounts, and transaction events. Strictly required to run the card programme.
- Blockchain networks — top-up deposits are public on-chain by nature. The deposit addresses we generate are unique per top-up to avoid linking your activity together.
- Infrastructure providers — cloud hosting, CDN, monitoring. They process data on our behalf under standard data-processing agreements.
- Lawful authorities — we comply with valid legal process. We do not voluntarily share data with advertisers, data brokers, marketing platforms, or any party that would correlate your activity outside Cryptocardium.
Retention
- Active accounts — data retained while the account is active.
- Closed accounts — 12 months of retention after closure for fraud-defence overlap, then anonymised. Audit trails required by financial regulation are retained for 7 years in anonymised form.
- Sign-in IP logs — 90 days.
- API request logs — 30 days.
- Webhook delivery logs — 30 days.
- Support ticket history — retained while the account is active; deleted on account closure.
Your rights
You can request access, rectification, deletion, or restriction of your data through the authenticated ticket system. Where required by law (GDPR, CCPA and similar), we honour these requests within the statutory deadlines.
Cookies
We use one cookie: CCMSESS. It's an httpOnly, Secure, SameSite=Lax session cookie used for sign-in. No tracking cookies. No advertising cookies. No third-party cookies of any kind.
Browser local storage holds your CSRF token and the panel's UI state preferences. Nothing in local storage is sent to us — it stays on your device.
Security
All data in transit is protected by TLS 1.3. Passwords are stored as bcrypt hashes. Card balances sit at our PCI DSS Level 1 issuing partner in segregated accounts. See security for the full architecture.
Contact us
For privacy questions, open a ticket from the authenticated panel. We respond within 7 days for standard requests, faster for security or breach concerns.
Changes to this policy
We may update this privacy policy. Material changes will be announced at least 14 days in advance via the dashboard and email. The latest version is always reachable at /privacy.