Privacy Policy
Effective date: 29 March 2026 · Last updated: 29 March 2026
1. Who we are
Cardlyst is operated by Place IT Consulting Ltd, a company registered in New Zealand. When this policy says "we", "us", or "our", it means Place IT Consulting Ltd.
If you have questions about this policy or your data, contact us at privacy@cardlyst.online.
2. What data we collect
We collect only what is necessary to provide the service:
- Email address — used to identify your account and send transactional emails (welcome email, OTP login codes).
- Display name — shown to other players in games you participate in.
- Game data — game types, scores, and round history you create or participate in.
- Session data — a session cookie (connect.sid) is stored in your browser to keep you signed in. It contains only a session identifier; no personal data is stored in the cookie itself.
We do not collect: payment card details (handled entirely by Stripe), precise location, device identifiers, or browsing history.
3. How we use your data
- To operate the app — authenticate you, save your games, and display scores.
- To send transactional emails — login codes, welcome messages, and subscription confirmations. We do not send marketing emails without your consent.
- To manage your subscription — via Stripe, our payment processor.
- To improve the service — we use anonymised, aggregated usage data. Individual users are not identifiable in this data.
4. Cookies
Cardlyst uses one first-party cookie:
- connect.sid — a session cookie set by the Cardlyst app. It is essential for keeping you signed in. It is HttpOnly (not accessible to JavaScript) and Secure (only sent over HTTPS). It expires when you sign out or after a period of inactivity.
We do not use advertising cookies, analytics cookies, or any third-party tracking cookies. The marketing website (cardlyst.online) sets no cookies at all.
5. Payments and Stripe
Premium subscriptions are processed by Stripe. When you subscribe, you enter your payment details directly on Stripe's secure pages — Cardlyst never sees or stores your card number, expiry date, or CVV. Stripe is PCI-DSS compliant.
We store your Stripe customer ID and subscription status to manage your access to premium features.
6. Data sharing
We do not sell your personal data. We share data only with:
- Stripe — payment processing. Stripe Privacy Policy.
- Resend — transactional email delivery. Resend processes your email address to deliver emails on our behalf. Resend Privacy Policy.
- Microsoft Azure — our hosting provider. Your data is stored on Azure servers. Microsoft Privacy Statement.
- Law enforcement — if required by law, court order, or to protect the rights and safety of our users.
7. Data storage and security
Your data is stored on Microsoft Azure infrastructure. We use encryption in transit (HTTPS/TLS) and at rest. Access to production data is restricted to authorised personnel only.
No method of transmission over the internet is 100% secure. We take reasonable precautions but cannot guarantee absolute security.
8. Data retention
- Free accounts: Game history is retained for 30 days after a game ends, then deleted.
- Premium accounts: Game history is retained indefinitely while your account is active.
- Account data: Retained while your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it by law (e.g. financial records).
9. Your rights
Depending on where you live, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate data.
- Deletion — ask us to delete your personal data ("right to be forgotten").
- Portability — request your data in a machine-readable format.
- Objection — object to certain processing of your data.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, email privacy@cardlyst.online. We will respond within 30 days.
10. New Zealand — Privacy Act 2020
We comply with the New Zealand Privacy Act 2020 and the 13 Information Privacy Principles. Because we are a New Zealand company, the Office of the Privacy Commissioner has jurisdiction over complaints. You can contact the OPC at privacy.org.nz.
11. Australia — Privacy Act 1988
For Australian users, we comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Complaints can be directed to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
12. International users — GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation.
Our legal basis for processing your data is:
- Contract — processing necessary to provide the service you signed up for.
- Legitimate interests — anonymised analytics to improve the service.
- Legal obligation — retaining financial records as required by law.
You have the right to lodge a complaint with your local supervisory authority. Place IT Consulting Ltd is based in New Zealand, which the European Commission has recognised as providing an adequate level of data protection.
13. Children
Cardlyst is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@cardlyst.online and we will delete it promptly.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may notify you by email. Continued use of Cardlyst after changes take effect constitutes acceptance of the revised policy.
15. Contact
Place IT Consulting Ltd
New Zealand
privacy@cardlyst.online