Privacy Policy

Version 2.1.2 — published on May 20, 2026

Privacy Policy

Version 2.1.2 — Applicable as of May 20, 2026 Last updated: May 20, 2026

The essentials in 30 seconds

  • Cardonaut SAS (France) processes your data to manage your account, your orders and the experience in the Cardonaut mobile application.
  • Your payments are processed by Stripe (Ireland / United States, certified under the EU-US Data Privacy Framework).
  • Your AI card scans are processed by Google Gemini (United States, DPF) or Anthropic Claude (United States, Standard Contractual Clauses). Your prompts are not used to train these AIs.
  • You can at any time access, rectify or delete your data from the application or by email at [email protected].
  • The Cardonaut application is reserved for persons aged 15 or older, or with parental consent (see Terms).
  • Your full rights under the GDPR are detailed in § 11.

Preamble

CARDONAUT SAS ("Cardonaut", "we") attaches fundamental importance to the protection of its users' personal data ("you").

This Privacy Policy (the "Policy") informs you, in accordance with articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") and amended French Law n° 78-17 of January 6, 1978 (the "French Data Protection Act"), of the identity of the data controller, the purposes and legal bases of processing, the recipients, the retention periods, any transfers outside the EU, and your rights.

It applies to the Cardonaut mobile application (iOS and Android), the Cardo IA assistant, the AI card scan pipeline, the integrated TCG product sales service ("Cardonaut Shop") and all associated features.

Table of contents

  1. Identity of the controller
  2. Personal data collected
  3. Sources of collection
  4. Purposes, legal bases and retention periods
  5. Automated decisions and profiling
  6. Minors
  7. Recipients of the data and processors
  8. Transfers outside the European Union
  9. App Tracking Transparency (iOS) and mobile SDKs
  10. Data security
  11. Your rights
  12. How to exercise your rights
  13. Complaint to a supervisory authority
  14. Changes to the Policy
  15. Contact

1. Identity of the controller

ItemInformation
NameCARDONAUT
Legal formSimplified joint-stock company (SAS), share capital €1,000
Registered office61 Avenue de Toulouse, 31750 Escalquens, France
Trade register (RCS)Toulouse — 988 997 573
SIRET988 997 573 00015
Intra-EU VAT numberFR90 988 997 573
Legal representativeMr. Luc LABBÉ, President
GDPR contact[email protected]

Cardonaut SAS acts as data controller within the meaning of article 4, 7° of the GDPR for all the processing operations described in this Policy.

Cardonaut is not currently legally required to designate a Data Protection Officer (DPO) within the meaning of article 37 of the GDPR. Any question relating to the protection of your data may be addressed directly to [email protected].

2. Personal data collected

Depending on the features you use, Cardonaut collects the following categories of data:

2.1. Identification and contact data

  • Email address (mandatory — used for OTP login)
  • Username (chosen by you, public in the app)
  • Title, first name, last name (only for physical orders)
  • Mobile phone (only for orders — Mondial Relay delivery)
  • Postal address (only for physical orders)

2.2. Technical data

  • Device technical identifiers (unique identifier generated locally by the application, model, operating system)
  • IP address (logged for security purposes, anonymised after 30 days)
  • App version, preferred language
  • Firebase Cloud Messaging token (only if you enable notifications)

2.3. Usage and gameplay data

  • Cards scanned and collected
  • Composition of your collection and your storages
  • Scan history (image + recognition metadata)
  • Conversations with the Cardo IA assistant
  • Quests, events, Aether Fragments earnings
  • Usage preferences (favourites, filters)

2.4. Transaction data (Cardonaut Shop)

  • Order history (products, prices, dates, statuses)
  • Payment data processed by Stripe (Cardonaut does not store your card number)
  • Mondial Relay tracking number
  • Customer reviews (if you leave any)

2.5. Audit data (security, GDPR compliance)

  • Authentication logs (OTP connections, failures, hashed IP)
  • Account mutation logs (profile changes, orders, deletions)
  • Application server logs (short lifetime, anonymised)

3. Sources of collection

Cardonaut collects your personal data:

  • Directly from you: at account creation, at each login, at each card scan, at each order, at each conversation with Cardo IA, when setting usage preferences.
  • Automatically: during your use of the app (opt-in analytics, technical telemetry, server logs).
  • Indirectly:
    • From Stripe: payment status, transaction ID (not the card number).
    • From Mondial Relay: delivery status, tracking number.
    • From the App Store / Play Store: in-app purchase receipts for Aether Fragments.

4. Purposes, legal bases and retention periods

In accordance with articles 13.1.c and 13.2.a of the GDPR, the following table details each purpose with its legal basis and retention period:

PurposeLegal basis (GDPR art. 6)Data concernedRetention period
Creation and management of the user accountPerformance of contract (6.1.b)Email, username, deviceSecret, userIdActivity period + 3 years after last login (French CNIL recommendation)
Email OTP authenticationPerformance of contractEmail, hashed OTPOTP: 15 minutes; OTP logs: 30 days
Order processing (Shop)Performance of contractIdentity, address, phone, payment data5 years (art. L.110-4 of the French Commercial Code); accounting records: 10 years (art. L.123-22)
Push notifications (transactional + marketing)Consent (6.1.a) — OS opt-inFCM token, appId, userIdUntil revoked; opening logs: 13 months
Marketing communications by emailConsent (6.1.a) — explicit opt-inEmail, username, segment3 years from last active contact (French CNIL prospection recommendation)
Product analytics (Firebase Analytics)Consent (6.1.a + art. 82 French Data Protection Act) — opt-inPseudonymous identifiers, events14 months max (CNIL recommendation)
Fraud / abuse / security detectionLegitimate interest (6.1.f)userId, hashed IP, fingerprint, behavioural signals30 days (authentication logs) to 90 days (storage mutation logs)
AI recognition of scanned cardsPerformance of contractScanned image, OCR, derived signalsOriginal image: 24 months; signals/OCR: account lifetime
Cardo IA conversational assistantImplicit consent through useUser prompts, conversation history24 months or deletion on request
Crash reporting (self-hosted GlitchTip)Legitimate interest — service securityStack trace, hashed email, device tags90 days
GDPR audit logs (user mutations)Legal obligation (6.1.c — art. 5.2 GDPR)userId, event type, hashed IP30 days
Accounting, Stripe invoicingLegal obligation (6.1.c)Transaction data10 years (art. L.123-22 of the French Commercial Code)
In-app purchases of Aether Fragments (cosmetics)Performance of contractuserId, Apple/Google transactionId10 years (accounting evidence)
Response to GDPR requestsLegal obligation (6.1.c — art. 12 GDPR)Content of the request, response3 years (proof of response)
In-app moderation (message reports, abuse)Legitimate interest + legal obligation (DSA)Reported content, reason, decision2 years post-decision

Opt-in principle for sensitive processing: analytics (Firebase) and marketing notifications are disabled by default. You must explicitly enable each purpose from the application settings ("Settings" > "Privacy").

4.1 Order data retained after account deletion

In accordance with article L.123-22 of the French Commercial Code (accounting retention obligation of 10 years), certain order data is retained even after the deletion of your account, but is pseudonymised:

  • Pseudonymisation: your user identifier is replaced by an anonymous sentinel value (__deleted__).
  • Immediate erasure: full name, detailed address line (street + complement), postal code, phone number, and email associated with the order.
  • Retention (accounting obligation): total amount, currency, list of items, taxes, status, payment date, creation date, country and city (used solely for aggregated regional statistics).

This pseudonymised data can no longer be linked to your identity after account deletion.

5. Automated decisions and profiling

Cardonaut uses several automated processing operations. In accordance with article 22 of the GDPR:

5.1 AI card scan pipeline

When you scan a card, machine-learning models analyse the image to identify the card:

  • TensorFlow Lite on-device (corner detection)
  • Google Gemini Flash 2.5 or Anthropic Claude Sonnet server-side (OCR + recognition)

No legal decision is made on the basis of these analyses; the final confirmation belongs to you (you validate or correct the proposed card). You may at any time refuse to scan a card.

5.2 Cardo IA conversational assistant

Cardo IA uses Anthropic's Claude Sonnet model. The transfer of your prompts to the United States is governed by the European Commission's Standard Contractual Clauses (decision 2021/914).

Important — Your prompts are not used to train the AIs. Anthropic contractually undertakes not to reuse the prompts of its API clients to train its models (see Anthropic Trust Center). Conversations are kept for 24 months on Cardonaut's side and then deleted (unless you request an earlier deletion).

5.3 Behavioural anti-abuse detection

To protect the service, automated indicators detect abnormal behaviour (unusual scan rate, mass card additions, etc.). These indicators may trigger a human review; they never directly trigger an account suspension.

5.4 Your rights in respect of these processing operations

You may at any time:

  • Request human intervention on any automated decision
  • Express your point of view or contest the decision
  • Request the deletion of the AI history associated with your account

To exercise these rights: [email protected]

6. Minors

The Cardonaut application is reserved for persons aged 15 or older (see our Terms). By creating an account, you declare that you are at least 15 years old, or that you have obtained the consent of one of the holders of parental authority.

This restriction takes into account article 8 of the GDPR and article 45 of the French Data Protection Act, which require joint parental consent to process the personal data of a minor under 15 in France where this processing is based on consent (for example: analytics, marketing notifications).

If you are a parent or guardian and find that a minor under 15 is using the application without your agreement, please write to us at [email protected]: we will delete the account and all associated data within a maximum of 30 days, in accordance with article 17 of the GDPR.

7. Recipients of the data and processors

Cardonaut relies on a limited number of technical processors to provide the Services. Each is bound by a processing contract compliant with article 28 of the GDPR.

7.1 Categories of recipients

CategoryProcessorsCountryTransfer mechanism
Back-end hostingHetzner Online GmbHGermany (EU)No transfer outside EU
PaymentsStripe Payments Europe Ltd + Stripe Inc.Ireland + United StatesEU-US Data Privacy Framework
DeliveryMondial RelayFranceNo transfer outside EU
Analytics + push notificationsGoogle Ireland Ltd (Firebase Analytics + FCM)Ireland → United StatesEU-US Data Privacy Framework
iOS app distributionApple Distribution International LtdIreland → United StatesAdequacy + Apple DPF
Android app distribution + IAPGoogle LLC (Play Store)United StatesEU-US Data Privacy Framework
Subscription management (legacy)RevenueCat Inc.United StatesStandard Contractual Clauses
Cardo IA assistantAnthropicUnited StatesStandard Contractual Clauses
AI scan OCRGoogle LLC (Gemini API)United StatesEU-US Data Privacy Framework
Crash reportingGlitchTip (self-hosted on Hetzner)Germany (EU)No transfer outside EU
Admin authenticationLogto (self-hosted on Hetzner)Germany (EU)No transfer outside EU
Internal admin alertsDiscord Inc.United StatesInternal use — not your data

7.2 Up-to-date list

The detailed and up-to-date list of processors (with precise role, data processed, link to their policy) is published on the dedicated page:

👉 https://cardonaut.com/legal/subprocessors

Cardonaut undertakes to inform its users prior to any substantial change to this list (addition of a new processor, change of country of establishment).

8. Transfers outside the European Union

Some of our processors are established in or process data outside the European Union (mainly in the United States). These transfers are framed by the following mechanisms:

8.1 EU-US Data Privacy Framework (DPF)

The EU-US Data Privacy Framework is a mechanism recognised by the European Commission's adequacy decision of July 10, 2023. The following processors are DPF-certified:

  • Stripe Inc. (certification)
  • Google LLC (including Firebase Analytics, FCM, Play Store, Gemini API)
  • Apple Inc.

You can verify the active certification of each on dataprivacyframework.gov.

8.2 Standard Contractual Clauses (SCCs)

For US processors not certified under the DPF, Cardonaut has signed the Standard Contractual Clauses adopted by the European Commission (implementing decision 2021/914 of June 4, 2021), in accordance with article 46.2.c of the GDPR:

  • Anthropic (Cardo IA)
  • RevenueCat Inc. (legacy)

Copies of these clauses may be provided to you on request at [email protected].

8.3 Post-Schrems II assessment

In accordance with the Schrems II case law (CJEU, C-311/18 of July 16, 2020), Cardonaut has carried out a risk assessment for each transfer to a third country and has implemented additional measures where necessary (encryption in transit and at rest, pseudonymisation of identifiers).

9. App Tracking Transparency (iOS) and mobile SDKs

9.1 Why this paragraph?

Cardonaut does not have a public website (the former cardonaut.shop having been closed). No cookies are used. However, the mobile application integrates technical SDKs that may collect pseudonymous identifiers.

9.2 Active SDKs in the application

SDKPurposeActivation
Firebase AnalyticsProduct audience measurement (screens visited, key events)Opt-in from "Settings" > "Privacy"
Firebase Cloud Messaging (FCM)Push notifications (transactional + marketing)Opt-in native iOS/Android OS + fine-grained opt-in per category
GlitchTip SDK (Sentry-compatible)Crash reporting (anonymised)Enabled by default — can be disabled from "Settings"
RevenueCat SDKLegacy subscription history managementEnabled by default, does not collect any advertising identifier

9.3 App Tracking Transparency (iOS 14.5+)

On iOS 14.5 and above, Cardonaut respects Apple's App Tracking Transparency framework:

  • On first use of the analytics features, an Apple permission request is displayed.
  • You may refuse or allow tracking.
  • In the event of refusal, Cardonaut does not use any advertising identifier (IDFA) and disables Firebase Analytics. All essential features of the app remain available.
  • You may change your choice at any time from: iOS Settings > Cardonaut > Tracking.

9.4 First-party vs cross-app distinction

Cardonaut does not perform cross-app tracking: no data is shared for advertising purposes with third-party networks (Meta, TikTok, etc.). Firebase Analytics remains first-party, used exclusively to improve the Cardonaut Services.

10. Data security

Cardonaut implements appropriate technical and organisational measures to protect your data against loss, alteration, unauthorised access or disclosure, in accordance with article 32 of the GDPR:

  • Encryption: all client/server communications in HTTPS/TLS 1.3; sensitive data encrypted at rest
  • Authentication: single-use OTP by email + signed JWT tokens
  • Audit logs: all sensitive mutations are tracked in an audit journal kept for 30 days
  • Hashing: emails hashed (SHA-256) for audit logs
  • Hosting: Hetzner servers in Germany (EU) — isolated environment
  • Backups: daily encrypted backups
  • Restricted access: only authorised administrators access production data, via reinforced authentication based on the OpenID Connect standard
  • Pseudonymisation: identifiers are systematically pseudonymised in analytical contexts

In the event of a personal data breach likely to result in a risk to your rights and freedoms, Cardonaut undertakes to notify the French CNIL within 72 hours (art. 33 GDPR) and to inform you without undue delay if the breach is likely to result in a high risk to your rights (art. 34 GDPR).

11. Your rights

In accordance with articles 15 to 22 and 77 of the GDPR, if you reside in the European Union, the EEA or the United Kingdom, you have the following rights:

RightDescriptionGDPR article
AccessObtain a copy of the data concerning youArt. 15
RectificationCorrect inaccurate or incomplete dataArt. 16
ErasureRequest the deletion of your dataArt. 17
RestrictionRequest restriction of processingArt. 18
PortabilityReceive your data in a structured formatArt. 20
ObjectionObject to processing (legitimate interest or marketing)Art. 21
Withdrawal of consentAt any time, without affecting the lawfulness of past processingArt. 7.3
Automated decisionsRequest human intervention, contestArt. 22
ComplaintLodge a complaint with the CNIL or any other competent EU supervisory authorityArt. 77

For users residing outside the EU/EEA/United Kingdom, the applicable rights are those provided for by your local legislation; Cardonaut undertakes to handle your request in good faith.

12. How to exercise your rights

12.1 From the application

You can:

  • Edit your profile: Settings > My account
  • Change your consents (analytics, push, ATT): Settings > Privacy
  • Download your data: Settings > Privacy > Export my data (JSON format)
  • Delete your account: Settings > My account > Delete my account

12.2 By email

For any other request (restriction, objection, advanced portability, contesting an automated decision), write to:

📧 [email protected]

Please specify the subject of your request and, if possible, attach proof of identity (e.g. a screenshot of your app profile). Cardonaut undertakes to respond to you within a maximum of one (1) month from receipt (art. 12.3 GDPR), extendable by two months in the case of a complex request (you will be informed of the extended deadline within one month).

12.3 Free of charge

The exercise of your rights is free. Cardonaut may, however, refuse or charge for manifestly unfounded or excessive requests, in particular in case of repetition (art. 12.5 GDPR).

13. Complaint to a supervisory authority

If you consider that the processing of your data does not comply with the regulations, you may lodge a complaint with the competent supervisory authority.

In France

Commission Nationale de l'Informatique et des Libertés (CNIL) 3 place de Fontenoy TSA 80715 75334 Paris CEDEX 07, France Phone: +33 1 53 73 22 22 Website: www.cnil.fr Online complaint: cnil.fr/fr/plaintes

Other EU countries

You may contact the supervisory authority of your country of residence. The full list is available on the website of the European Data Protection Board: edpb.europa.eu.

14. Changes to the Policy

Cardonaut may need to modify this Policy to take into account legal, technical or commercial developments.

In the event of a substantial change (addition of a new purpose, new major processor, change of retention period), you will be informed:

  • By notification within the application at least 30 days before it takes effect
  • By email if you have enabled email notifications

You may at any time withdraw your consent to the new processing or delete your account.

Previous versions of the Policy are kept and available on request at [email protected], in particular to allow consultation of the version that applied at the time your account was created.

15. Contact

For any question relating to this Policy or the processing of your personal data:

📧 Email: [email protected] 📮 Postal address: CARDONAUT SAS — 61 Avenue de Toulouse, 31750 Escalquens, France

Related documents:

← See all legal documents