Security & Privacy
Your data security and privacy are our top priorities. We've built Card•1 Pro with enterprise-grade security practices to ensure your information remains protected at all times.
How We Protect Your Data
Payment Security
All payments are processed through Paddle, a PCI-DSS Level 1 certified payment processor. We never see or store your card details.
Data Encryption
All data transmitted between your browser and our servers is encrypted using industry-standard HTTPS/TLS protocols.
Secure Infrastructure
Hosted on enterprise-grade servers with 24/7 monitoring, automatic backups, and DDoS protection.
Minimal Data Collection
We only collect what's necessary: your email and subscription status. No tracking pixels or unnecessary analytics.
GDPR Compliant
Full compliance with EU data protection regulations. You can request data deletion at any time.
Regular Security Audits
We conduct regular security reviews and update dependencies to protect against vulnerabilities.
Data We Collect
✅ Information We Store on Our Servers:
- Email address (for account access and notifications)
- Subscription status (active, canceled, paused)
- Payment transaction IDs from Paddle (no card details)
- Authentication tokens (for secure login sessions)
🍪 Cookies Stored in Your Browser:
- Authentication cookie: Keeps you logged in securely across sessions
- Session token: Verifies your subscription access
These cookies expire after 1 year and can be cleared anytime via your browser settings or by using the logout button in your PRO account.
❌ What We DON'T Collect or Store:
- Credit card numbers, CVV, or payment details
- Billing addresses (handled securely by Paddle)
- Browsing behavior or tracking data
- Third-party analytics or advertising pixels
- Personal information beyond your email
- Your designs or graphics (everything stays in your browser)
100% Browser-Based Application
Card•1 Pro is a browser-based application, which means:
- Your designs stay private: All graphics are created and stored locally in your browser's localStorage until you choose to export them.
- No server storage of designs: We don't upload or store your creative work on our servers.
- Privacy first: Your brand assets (logos, colors, fonts) remain on your device.
- No downloads required: Fully functional without installing software, reducing security risks.
- Logout safety: When you log out, only authentication data is cleared—your designs and settings remain safely in your browser.
Session Management & Logout
We provide secure session management with full user control:
- Magic link authentication: No passwords to remember or store—we send you a secure link via email
- Persistent sessions: Stay logged in for up to 1 year for convenience
- Logout anytime: Use the logout button in your PRO account to end your session
- Automatic token cleanup: When you log out, your authentication token is immediately deleted from our database
- Multi-device support: Log in from different devices with separate sessions
What happens when you log out:
✅ Your authentication token is deleted from our servers
✅ Your browser cookie is cleared
✅ Your session is destroyed
❌ Your settings remain in your browser (not affected by logout)
Your Privacy Rights
Under GDPR and other data protection regulations, you have the following rights:
- Right to Access: Request a copy of all data we store about you
- Right to Deletion: Request complete deletion of your account and associated data
- Right to Portability: Export your data in a machine-readable format
- Right to Rectification: Update or correct your information at any time
- Right to Object: Opt out of any data processing activities
- Right to Be Forgotten: Request removal of all your personal data from our systems
To exercise any of these rights, contact us at privacy@cardonedesigner.com
Third-Party Services
We use the following trusted third-party services:
Google Fonts
We load fonts from Google Fonts to provide typography options in your designs. When you use Card•1 Pro, your browser connects to Google's servers to load these fonts.
Paddle (Payment Processing)
All payment processing, billing, and transaction management is handled by Paddle.com, our Merchant of Record. Paddle collects and processes your payment information, manages subscriptions, and handles refunds.
Cloudflare (PDF Generation)
We use Cloudflare's CDN to load the jsPDF library, which runs entirely in your browser to generate PDF exports for carousel formats. Your designs never leave your device during this process.
For more information about how these services handle data, you can review their privacy policies:
Google, Paddle, Cloudflare.
We do NOT use:
- Google Analytics or tracking cookies
- Facebook Pixel or social media tracking
- Third-party advertising networks
- Data brokers or resellers
- Marketing automation or retargeting pixels
Our Security Practices
- Webhook Verification: All payment webhooks are cryptographically signed and verified to prevent fraud
- Content Security Policy: Strict CSP headers prevent XSS and injection attacks
- Secure Session Management: HTTPOnly cookies with secure flags and SameSite protection
- Access Control: Server-side validation for all PRO features—no client-side bypasses
- Regular Updates: Dependencies and security patches applied promptly
- No Plaintext Passwords: Magic link authentication means no passwords are ever stored
- Token-Based Authentication: Secure, random tokens that are immediately invalidated on logout
- Database Security: Prepared statements prevent SQL injection attacks
- CORS Protection: Cross-origin requests properly configured and validated
Data Retention & Deletion
We retain your data only as long as necessary:
- Active subscriptions: Data retained while your subscription is active
- Canceled subscriptions: Account data deleted 30 days after cancellation (unless you request immediate deletion)
- Transaction records: Payment transaction IDs kept for 7 years for tax and legal compliance (email + transaction ID only, no payment details)
- Authentication tokens: Automatically deleted on logout or after 1 year of inactivity
- Immediate deletion: Request full account deletion anytime via email—processed within 48 hours
What gets deleted when you cancel:
30 days after subscription cancellation:
✅ Your email address
✅ Subscription status records
✅ Authentication tokens
❌ Transaction IDs retained for legal compliance (email removed, only anonymous ID kept)
Questions About Security or Privacy?
We're here to help. Reach out to our team:
support@cardonedesigner.com
Last Updated: October 2025