Privacy Policy

Last updated on March 1, 2026

Cardinal Apps Inc. ("we", "our", "Cardinal") reserves the right to change the Policies within this Privacy Policy at any time. When we make material changes to these Policies we will update the "Last updated" date at the top of this page. By continuing to use Cardinal's products after any such changes, you agree to the updated Policies.

This Privacy Policy is incorporated by reference into our Terms & Conditions.

In Short

We will only collect the exact minimum amount of data needed for features to function correctly, and we safeguard that data using leading industry practices. There is no tracking or any of that icky stuff going on.

Your Rights

Regardless of where you are located, Cardinal extends the following rights to all users:

  1. Right to access — You may request a copy of the personal information we hold about you.
  2. Right to rectification — You may request that we correct any inaccurate or incomplete personal information we hold about you.
  3. Right to erasure — You may request that we delete your personal information, subject to certain legal obligations (e.g., billing record retention).
  4. Right to withdraw consent — Where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing that occurred prior to withdrawal.
  5. Right to data portability — You may request that we provide your personal information in a structured, commonly used, and machine-readable format.
  6. Right to restrict processing — You may request that we restrict the processing of your personal information in certain circumstances.
  7. Right to object — You may object to our processing of your personal information where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us as described in the Contact & Privacy Requests section below. We will respond to all requests within thirty (30) days.

Types of Data

Personally Identifiable Information

Personally identifiable information (PII) is data that can be used to determine the real-life identity of a user. When you create a Cardinal account, your email address and IP address are stored on Cardinal's cloud servers and associated with a unique user ID. We do this for security and authentication purposes.

Afterwards, you can optionally submit additional information about yourself, such as your name. This is also considered PII.

The legal bases on which we process your PII are:

  • Contract performance — processing your email address and IP address is necessary to provide you with a Cardinal account and the services you have requested.
  • Legitimate interests — we process IP addresses to maintain the security of our systems and prevent fraud or abuse.
  • Consent — where you voluntarily provide additional information such as your name, we process it on the basis of your consent, which you may withdraw at any time.
Media Data

Media data is the plaintext metadata of your image, audio, and video files, and also the bits and bytes that make up the files themselves. Media data can be found stored in your self-hosted applications.

No media data is stored on Cardinal cloud servers, and no information about your media data is collected.

Billing Data

If you choose to purchase a Cardinal product, your transaction and billing data will be handled securely by Stripe. Stripe is a PCI compliant payment processor, and Cardinal uses their services to handle all billing-related matters.

We do not store any credit card, billing, or shipping information on our own infrastructure. We may export and retain records of transactions (such as purchase dates and amounts) for our own tax, accounting, and legal compliance purposes.

Telemetry Data

Telemetry data is comprised of anonymous snippets of information collected from consenting users that describe how Cardinal applications are used. Telemetry is never sourced from PII or media data.

Telemetry data is stored on Cardinal's cloud servers in a way that makes it impossible to correlate to any individual user or self-hosted application instance.

Data Retention

Your account data is retained for the lifetime of your active Cardinal account. Upon account deletion, your data is handled as follows:

  • Database backups containing your data are retained for seven (7) days following account deletion.
  • Billing records are retained for a minimum of seven (7) years as required by Canadian law, regardless of account status.

If you are involved in a legal dispute with Cardinal Apps Inc., your account may be placed in a frozen state, and you may be unable to delete it until a later time.

Data Security

We take reasonable and industry-standard technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

However, in the event of a data breach that poses a real risk of significant harm to you, we will notify affected users and the relevant authorities without undue delay and in accordance with applicable law, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, GDPR.

Third-Party Data Processors

We use the services of a few trusted third-party providers who may process your data on our behalf. These providers are bound by contractual obligations to keep your data confidential and to use it only for the purposes for which it was disclosed. We do not sell your data to any third party.

Our current third-party data processors are:

  • MongoDB Atlas
    • Location: Canada
    • Purpose: Database Provider
  • Stripe
    • Location: Global
    • Purpose: Payment Processor
  • ActiveCampaign Postmark
    • Location: Global
    • Purpose: Email Delivery Services

Cookies

The website at cardinalapps.io and all of its subdomains do not use cookies for any purpose, tracking or otherwise.

Law 25

Cardinal Apps Inc. is a Canadian corporation, and as such we are compliant with Québec's Law 25 (French only). We have opted to apply these protections to all Cardinal users, not just those who originate from Québec.

We have taken measures to ensure that:

  1. Users are notified of our data collection practices prior to any data collection.
  2. Consent is requested in plain language, and does not bundle multiple purposes together.
  3. Users can withdraw their consent at any time to prevent further processing.
  4. Users have the right to data access, rectification, erasure, de-indexation, cessation of dissemination, and portability.
  5. Data is only collected for the specific purposes that the user has explicitly consented to.
  6. Should there be a need for data to be shared with a third party:
    1. A Privacy Impact Assessment (French only) will be conducted before any data is shared with that third party.
    2. The affected users will be notified.
  7. The consequences of accepting data collection are clearly explained.

In addition to data governance compliance, we have taken measures to ensure that the way we conduct business is also in compliance with Law 25 by:

  1. Keeping a registry of all confidentiality-related incidents that can be produced upon request by the Québec government.
  2. Notifying the Commission d'accès à l'information du Québec of any confidentiality-related incidents without delay.
  3. Documenting confidentiality-related incidents, taking action to reduce the scope of their impact, and preventing similar incidents from recurring.

Our appointed Privacy Officer is Brian. Please send inquiries regarding Law 25 to the legal email address on the Contact page.

GDPR

Cardinal's applications have been created in accordance with GDPR regulations. We have opted to apply these protections to all Cardinal users, not just those who originate from the European Union.

We have taken measures to ensure that:

  1. Just like this Privacy Policy, our applications use plain language to describe how data is used.
  2. We only collect the minimum amount of information necessary.
  3. Cardinal users can view and manage the data we store for them.
  4. Cardinal users can delete their accounts and have their data removed from our systems.
  5. We do not use cookies on our websites.

Legal Basis for Processing (EU Users)

As described in Personally Identifiable Information, we rely on contract performance, legitimate interests, and consent as our legal bases for processing personal data.

International Transfers (EU Users)

Where your personal data is transferred outside the European Economic Area (EEA) — for example, to servers located in Canada — such transfers are made on the basis that Canada has been deemed by the European Commission to provide an adequate level of data protection. Where data is transferred to other countries through third-party processors, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs).

Right to Lodge a Complaint (EU Users)

If you are an EU resident and believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU member state of residence or the member state where the alleged infringement occurred.

Contact & Privacy Requests

For any questions, concerns, or requests relating to this Privacy Policy or your personal data — including exercising any of the rights described in the Your Rights section — please contact us via the legal email address on our Contact page.

We will acknowledge your request promptly and respond within thirty (30) days. In complex cases, we may extend this period by an additional thirty (30) days with prior notice.

GDPRLaw 25

This website does not use cookies.

Copyright © 2023-2026 Cardinal Apps Inc.