Privacy Policy

Last Updated: January 11, 2025

1. Introduction

PANDOR LAB, LLC (“Kardly,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Kardly platform and related services (the “Service”).

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.

Data Controller:

• Legal Entity: PANDOR LAB, LLC
• Registered Address: 1111B South Governors Avenue, Dover, DE 19904, United States
• Contact Email: hello@kardly.app

2. Scope and Application

This Privacy Policy applies to:

• Our website at kardly.app
• Our web application and dashboard
• Mobile applications (if applicable)
• Digital loyalty passes distributed via Google Wallet
• All related services and features

This Privacy Policy does NOT apply to:

• Third-party websites or services linked from our Service
• Data practices of third-party integrations (see Section 9)
• Your own privacy practices with your customers

3. Information We Collect

We collect information in the following categories:

3.1 Information You Provide Directly

Account Information:

• Name
• Email address
• Password (encrypted)
• Phone number (optional)
• Profile photo (optional)

Organization Information:

• Organization name
• Business category
• Business address
• Phone number
• Website URL
• Tax information (for billing purposes)

Payment Information:

• Credit card details (processed by our payment processor)
• Billing address
• Transaction history

Loyalty Program Configuration:

• Card designs and branding
• Loyalty program rules and settings
• Campaign content and forms
• Location information (for multi-location businesses)

Customer Data (collected by you, stored on our platform):

• Customer names
• Customer email addresses
• Customer phone numbers (optional)
• Loyalty card data (stamps, points, tier status)
• Scan history and transaction data
• Custom form fields you create

3.2 Information Collected Automatically

Usage Data:

• IP address
• Browser type and version
• Device information (type, operating system)
• Pages viewed and features used
• Time and date of access
• Referring URLs
• Session duration

Analytics and Performance Data:

• Feature usage statistics
• Error logs and debugging information
• Performance metrics
• User interactions and behavior patterns

Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to collect data about your use of the Service. See Section 13 for details.

3.3 Information from Third Parties

Authentication Providers:

• When you sign in with Google OAuth, we receive your Google account information (name, email, profile photo)

Google Wallet:

• Pass redemption status
• Pass installation status
• Device-level notifications (pass added, removed, or updated)

Payment Processors:

• Payment confirmation and transaction details
• Fraud detection signals

4. Legal Basis for Processing (GDPR)

For users in the European Union, we process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b) GDPR):

• Providing the Service to you
• Managing your account and subscription
• Processing payments

Legitimate Interests (Art. 6(1)(f) GDPR):

• Improving the Service
• Security and fraud prevention
• Analytics and performance monitoring
• Customer support

Consent (Art. 6(1)(a) GDPR):

• Marketing communications (you can opt out anytime)
• Optional analytics and tracking
• Non-essential cookies

Legal Obligation (Art. 6(1)(c) GDPR):

• Tax and accounting requirements
• Compliance with law enforcement requests
• Fraud prevention and investigation

5. How We Use Your Information

We use your personal information for the following purposes:

5.1 Service Delivery

• Create and manage your account
• Authenticate and authorize access
• Process subscriptions and payments
• Provide customer support
• Generate and distribute digital loyalty passes via Google Wallet
• Enable loyalty program features (scanning, redemptions, etc.)
• Send transactional emails (account notifications, receipts, password resets)

5.2 Service Improvement

• Analyze usage patterns and trends
• Identify and fix bugs and errors
• Develop new features and functionality
• Conduct research and testing
• Monitor performance and uptime

5.3 Security and Compliance

• Prevent fraud and abuse
• Enforce our Terms of Service
• Comply with legal obligations
• Respond to law enforcement requests
• Protect our rights and property

5.4 Marketing and Communications

• Send you product updates and announcements (with consent)
• Provide information about new features
• Conduct surveys and gather feedback
• Marketing and promotional communications (you can opt out)

5.5 Analytics

• Track feature adoption and usage
• Measure campaign effectiveness
• Generate aggregated reports
• Improve user experience

6. How We Share Your Information

We do NOT sell your personal information to third parties. We may share your information in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who help us operate the Service:

Google LLC:

• Purpose: Authentication (OAuth), Digital pass distribution (Google Wallet)
• Data Shared: Email, name, profile photo (OAuth); Loyalty card data, customer information (Wallet)
• Privacy Policy: https://policies.google.com/privacy

Resend, Inc.:

• Purpose: Email delivery for authentication (magic links) and transactional emails
• Data Shared: Email addresses, email content
• Privacy Policy: https://resend.com/legal/privacy-policy

PostHog, Inc.:

• Purpose: Analytics, feature flags, and product insights
• Data Shared: Usage data, user IDs (pseudonymized), event data
• Privacy Policy: https://posthog.com/privacy

Neon (PostgreSQL Hosting):

• Purpose: Database hosting and storage
• Data Shared: All application data (encrypted)
• Privacy Policy: https://neon.tech/privacy-policy

Payment Processors:

• Purpose: Processing subscription payments
• Data Shared: Payment information, billing details
• Note: We do not store full credit card numbers

6.2 Business Transfers

If PANDOR LAB, LLC is involved in a merger, acquisition, sale of assets, bankruptcy, or similar transaction, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website.

6.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders or subpoenas
• Law enforcement requests
• National security requirements
• Legal processes or government investigations

We will notify you of such requests unless prohibited by law.

6.4 Protection of Rights

We may disclose information to:

• Enforce our Terms of Service
• Investigate fraud, security issues, or technical problems
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users or the public

6.5 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

6.6 Aggregated and Anonymized Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you. This may be used for:

• Industry research and reports
• Public statistics
• Marketing and promotional purposes

7. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Account Data:

• Retained while your account is active
• Deleted 30 days after account termination (unless legal retention required)

Customer Data (in your organization):

• Retained according to your data retention settings
• You can delete customer data at any time through the dashboard
• Automatically deleted 30 days after organization deletion

Transactional and Financial Records:

• Retained for 7 years for tax and accounting purposes (legal requirement)

Analytics and Logs:

• Usage data retained for 24 months
• Error logs retained for 12 months
• Security logs retained for 24 months

Marketing Communications:

• Retained until you unsubscribe or delete your account

You can request deletion of your data at any time by contacting us at hello@kardly.app (see Section 11 for data subject rights).

8. Data Security

We implement reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

Security Measures Include:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest (database-level encryption)
• Secure authentication (password hashing, OAuth, magic links)
• Access controls and role-based permissions
• Regular security audits and monitoring
• Employee training on data protection
• Secure cloud infrastructure (enterprise-grade hosting)

However:

• No system is 100% secure
• We cannot guarantee absolute security
• You are responsible for maintaining the security of your account credentials
• Notify us immediately if you suspect unauthorized access

9. Third-Party Services and Links

The Service integrates with and links to third-party services. This Privacy Policy does NOT apply to those services.

Third-Party Services We Use:

• Google OAuth and Google Wallet - https://policies.google.com/privacy
• Resend - https://resend.com/legal/privacy-policy
• PostHog - https://posthog.com/privacy
• Neon - https://neon.tech/privacy-policy

When you use these services:

• You are subject to their privacy policies and terms
• We are not responsible for their data practices
• We encourage you to review their privacy policies

External Links: Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites.

10. International Data Transfers

Kardly is based in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For EU/EEA Users (GDPR Compliance):

• We comply with GDPR requirements for international data transfers
• We implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions)
• Your rights under GDPR are preserved (see Section 11)

Data Processing Locations:

• Primary: United States (Delaware)
• Cloud Infrastructure: Neon PostgreSQL (AWS regions, may include US and EU)
• Third-Party Services: See Section 6.1 for locations

By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

11. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

11.1 GDPR Rights (EU/EEA Users)

If you are in the European Union or European Economic Area, you have the following rights under GDPR:

Right of Access (Art. 15):

• Request a copy of your personal data
• Receive information about how we process your data

Right to Rectification (Art. 16):

• Correct inaccurate or incomplete data
• Update your account information

Right to Erasure / “Right to be Forgotten” (Art. 17):

• Request deletion of your personal data
• Subject to legal retention requirements

Right to Restriction of Processing (Art. 18):

• Limit how we use your data in certain circumstances

Right to Data Portability (Art. 20):

• Receive your data in a structured, machine-readable format
• Transfer your data to another service

Right to Object (Art. 21):

• Object to processing based on legitimate interests
• Opt out of marketing communications

Right to Withdraw Consent (Art. 7(3)):

• Withdraw consent for processing at any time (where consent is the legal basis)

Right to Lodge a Complaint:

• File a complaint with your local data protection authority
• EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en

To exercise your rights, contact us at hello@kardly.app

We will respond to your request within 30 days (or as required by law).

11.2 US Users (State Privacy Laws)

If you are a resident of California, Virginia, Colorado, Connecticut, or other states with privacy laws, you may have rights including:

Right to Know:

• What personal information we collect
• How we use and share your information

Right to Delete:

• Request deletion of your personal information

Right to Correct:

• Correct inaccurate personal information

Right to Opt-Out:

• Opt out of the sale of personal information (we do not sell personal information)
• Opt out of targeted advertising

Right to Non-Discrimination:

• We will not discriminate against you for exercising your privacy rights

To exercise your rights, contact us at hello@kardly.app

11.3 General Rights (All Users)

Account Access and Updates:

• Access and update your account information through the dashboard
• Change your email, password, and profile settings

Email Preferences:

• Opt out of marketing emails via the unsubscribe link in emails
• Manage email preferences in your account settings
• Transactional emails cannot be disabled (required for account security)

Cookie Preferences:

• Manage cookie settings through your browser
• Opt out of analytics cookies (see Section 13)

Account Deletion:

• Delete your account at any time through account settings
• Contact hello@kardly.app for assistance

Data Export:

• Export your data before deleting your account
• Request a data export at hello@kardly.app

12. Children’s Privacy

The Service is NOT intended for children under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@kardly.app. We will delete such information promptly.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your use of the Service.

13.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser. They help us recognize you, remember your preferences, and improve your experience.

13.2 Types of Cookies We Use

Essential Cookies (Required):

• Authentication and session management
• Security and fraud prevention
• Core functionality of the Service
• Cannot be disabled without affecting Service functionality

Analytics Cookies (Optional):

• Usage statistics and feature adoption (PostHog)
• Error tracking and debugging
• Performance monitoring
• Can be disabled in cookie settings or browser

Preference Cookies (Optional):

• Language preferences
• UI settings and customizations
• Can be disabled in browser settings

13.3 Third-Party Cookies

The following third-party services may set cookies:

• PostHog - Analytics and product insights
• Google OAuth - Authentication

13.4 Cookie Duration

• Session Cookies: Deleted when you close your browser
• Persistent Cookies: Remain on your device for a set period (up to 1 year)

13.5 Managing Cookies

Browser Settings: You can control cookies through your browser settings:

• Block all cookies
• Block third-party cookies
• Delete cookies after each session
• Get notifications when cookies are set

Note: Disabling essential cookies will prevent you from using the Service.

Opt-Out of Analytics:

• PostHog: Opt out in your account settings or browser
• Do Not Track (DNT): We honor DNT signals

13.6 Other Tracking Technologies

Web Beacons:

• Small images embedded in emails or web pages
• Used to track email opens and engagement

Local Storage:

• Browser storage used for performance and functionality
• Similar to cookies but with greater storage capacity

14. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information We Collect:

• Identifiers (name, email, IP address)
• Commercial information (subscription history, transaction data)
• Internet activity (usage data, browsing behavior)
• Professional information (organization name, business details)

Business or Commercial Purpose:

• Providing the Service
• Analytics and improvement
• Customer support
• Marketing (with consent)

We Do NOT:

• Sell personal information to third parties
• Share personal information for cross-context behavioral advertising

Your Rights:

• Right to know what personal information we collect
• Right to delete personal information
• Right to correct inaccurate information
• Right to opt out of sale/sharing (not applicable - we don’t sell data)
• Right to limit use of sensitive personal information
• Right to non-discrimination

Shine the Light Law: California residents can request information about disclosure of personal information to third parties for direct marketing purposes (once per year). We do not disclose personal information for third-party direct marketing.

To Exercise Your Rights:

• Email: hello@kardly.app
• Subject: “California Privacy Rights Request”
• We will respond within 45 days

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notice of Changes:

• Updated “Last Updated” date at the top of this policy
• Email notification for material changes
• Notice in your account dashboard
• Continued use of the Service after changes constitutes acceptance

Reviewing Changes: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Material Changes: For significant changes that affect your rights, we will provide at least 30 days’ notice and may require your explicit consent.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

PANDOR LAB, LLC 1111B South Governors Avenue Dover, DE 19904 United States

Email: hello@kardly.app Website: https://kardly.app

For Privacy-Related Inquiries:

• General privacy questions: hello@kardly.app
• Data subject rights requests: hello@kardly.app
• Security concerns: hello@kardly.app

For EU/EEA Users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

17. Data Protection Authority

EU/EEA Users: If you have concerns about our data practices, you may contact your local data protection authority:

• List of EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

UK Users:

• Information Commissioner’s Office (ICO): https://ico.org.uk/

US Users:

• Federal Trade Commission (FTC): https://www.ftc.gov/

Acknowledgment: By using the Kardly Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.