We collect the minimum, and we tell you what.

• We collect your email for authentication, and an optional display name if you set one.
• We store every API key you mint (hashed, never in plaintext) and every order placed against it.
• We record the Stellar transaction IDs for every payment so we can reconcile on-chain events against your orders.
• We do not store card PANs, CVVs, or any cardholder PII beyond the point of issuance. Issuance is proxied directly to the card issuer (Pathward, N.A.).
• We do not sell, rent, or license any customer data to anyone, ever. We never will.

Account data. Email address, display name (optional), and timestamp of each login. We use email as the only account identifier — we do not ask for phone numbers, physical addresses, real names, or government IDs.

API data. API key metadata (hashed token, label, spend limit, creation and revocation timestamps) and every order placed against the key (amount, timestamps, status, payment asset, Stellar transaction ID, agent-supplied metadata).

Operational telemetry. IP address and user agent on API requests, kept for 14 days for abuse detection and rate-limit enforcement, then rotated out.

Billing data. Stellar wallet addresses that have paid for orders and the amounts paid. We retain these indefinitely for audit and legal reasons.

• No cookies for tracking. The dashboard uses first-party session cookies only. No Google Analytics, no Segment, no Mixpanel, no ad pixels, no third-party trackers of any kind.
• No behavioural profiles. We do not build user profiles, run A/B tests on real users, or share usage patterns with anyone.
• No cardholder PII. Cards are issued by Pathward. Cards402 receives the PAN / CVV / expiry at issuance time, streams them to your agent over the order response, and discards them from memory. They are not written to disk on our infrastructure.

We use the following sub-processors:

• Pathward, N.A. — card issuance. Receives the order amount at issuance time.
• Stellar Development Foundation infrastructure — the Stellar mainnet itself, where on-chain payment records live permanently and publicly. Cards402 does not control this data and cannot delete it.
• Resend — transactional email delivery (login codes, order notifications). Receives your email address.
• Hetzner Cloud — primary infrastructure provider (EU data centre). Cards402 operates on dedicated cloud instances under our own control.

We do not use any other sub-processors. If we add one, we update this page first.

• Email, API key metadata, orders: kept while the account is active. On deletion, orders are retained for 2 years for audit, then hard-deleted. Email and API key rows are hard-deleted immediately.
• Operational logs (IPs, user agents): 14-day rolling window.
• Stellar transaction records: retained indefinitely. These are also permanently visible on the Stellar public ledger.
• Login codes: expire 15 minutes after being sent.

If you're a resident of the EU / UK / California / any jurisdiction with a data rights law, you have the right to:

• Access the data we hold on you
• Correct inaccurate data
• Delete your account and associated data
• Export your orders and API key metadata as JSON (the Settings → Export button in the dashboard)
• Object to processing or request restriction

Email privacy@cards402.com with any of these requests. We respond within 30 days, usually within 48 hours.

API keys are stored as bcrypt hashes with per-key salt — we can verify a key on request but we cannot recover one. The database is encrypted at rest. HTTPS is enforced on every endpoint with a 90-day certificate rotation. More detail on our security posture is on the Security page.

Material changes to this policy (new sub-processor, new retention policy, new data category collected) are announced via email to all active account holders at least 30 days before they take effect. You can review the history of this page on our Changelog.

Questions about this policy: privacy@cards402.com