Privacy Policy

1.1 Information you provide

• Account information: Email address, name, phone number, date of birth
• Merchant information: Business name, address, contact details, Shopify store domain
• Identity verification: Government-issued ID, address verification (for enhanced KYC levels)
• Communications: Messages you send to us or other users via the gift card sending feature

1.2 Information collected automatically

• Transaction data: Card loads, reloads, transfers, redemptions, amounts, timestamps
• Device information: IP address, browser type, operating system
• Usage data: Pages visited, features used, search queries
• Location data: Approximate location (if you enable nearby store discovery)

1.3 Information from third parties

• Stripe: Payment processing status, account verification status
• Shopify: Store information, gift card balances (for Shopify-integrated merchants)
• Identity verification providers: Verification results (for enhanced KYC)

• Provide the Service: Process transactions, manage accounts, facilitate transfers
• Security and fraud prevention: Detect and prevent fraudulent activity, enforce transaction limits
• Legal compliance: Comply with anti-money laundering (AML) regulations, respond to legal requests. Recurring Auto-reload subscriptions are subject to automated cumulative-spend monitoring; see our Auto-reload AML policy for what is monitored and the review process.
• Communication: Send transaction confirmations, security alerts, service updates
• Improvement: Analyze usage patterns to improve the Service

We do not sell your personal information. We share information only as follows:

• Stripe, Inc.: Payment processing and merchant account management
• Shopify: Gift card synchronization for Shopify-integrated merchants
• Merchants: Transaction information related to your purchases at their store (email, transaction amounts)
• Identity verification providers: For KYC verification when you request enhanced account features
• Law enforcement: When required by law, subpoena, or court order
• Service providers: Email delivery (Resend), hosting (Vercel), database (Supabase) — all under data processing agreements

3.1 Recurring billing (Auto-reload)

When you enable Auto-reload on a gift card, we share payment-method tokens (specifically your Stripe Customer ID and PaymentMethod ID) with Stripe, Inc. so that future scheduled charges can run on your behalf. These tokens are opaque references — they let Stripe charge the saved card without revealing the card number to anyone. We do not store full card numbers, CVCs, or expiry dates on ReloadCard servers. The full card details are tokenized inside Stripe's vault at the moment you enter them and never transit our infrastructure. Stripe's use of this data is governed by Stripe's own privacy policy at stripe.com/privacy. You can revoke this sharing at any time by cancelling Auto-reload from your wallet.

• Account data: Retained for the life of your account plus 7 years after closure (for legal/tax compliance)
• Transaction records: Retained for 7 years (financial regulation requirement)
• Identity verification data: Retained for 5 years after verification
• Session data: Expires after 7 days

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal retention requirements)
• Portability: Request your data in a machine-readable format
• Opt-out: Opt out of non-essential communications

To exercise these rights, email privacy@reloadcard.app from the address on your account. We will acknowledge your request and respond within 30 days (often sooner). Every request is logged internally as a data-rights event and the action we take — export, correction, or deletion — is recorded alongside the reason, the timestamp, and the staff member who actioned it.

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS) and at rest
• AES-256-GCM PII vault with separate keys per data domain
• Signed session cookies (iron-session) — no plain-text authentication
• API key hashing (SHA-256) — raw keys never stored
• Rate limiting on all endpoints
• Row-level security on database tables
• Admin access is role-based, two-factor authenticated, rate-limited, and every privileged action is recorded in a tamper-evident audit log (ISO 27001 A.8.15 aligned)
• Quarterly access reviews of all staff with administrative privileges
• Regular security audits

We use only essential cookies required for the Service to function:

• consumer_session: Encrypted authentication session (7-day expiry)
• merchant_session: Encrypted authentication session (7-day expiry)

We do not use advertising or tracking cookies.

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

Your data may be processed in the United States and other countries where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions.

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

• Privacy inquiries: privacy@reloadcard.app