Privacy Policy
Last updated: May 20, 2026
Who we are
Cardinate is operated by Nasr Almansoob ("we", "us"), acting as the data controller for personal data processed through the service. Contact: cardinatesupport@gmail.com.
What we collect
When you sign up, we collect your email address and (optionally) a display name. When you connect a bank, we receive account balances, transactions, and credit-card metadata (APR, statement balance, minimum payment, due date) from Plaid on your behalf.
How we use it
We use this data exclusively to power features you see in-app: categorising transactions, building payoff plans, and showing balance trends. We do not sell your data, do not share it with advertisers, and do not use it to train AI models.
Third-party processors
- Plaid Inc. — bank connectivity. Plaid's privacy notice: plaid.com/legal.
- Supabase / AWS — encrypted Postgres storage and authentication.
- Paddle.com Market Ltd — our Merchant of Record. Paddle handles payments, subscription management, billing, tax compliance, invoicing, and refunds for Pro subscriptions. We never see your card number. See Paddle's privacy notice.
- Professional advisers and authorities — legal/accounting advisers, or authorities where required by law.
Data retention
- Transactions and balances are kept for up to 7 years for tax / record-keeping purposes.
- Archived accounts inactive for 24 months are purged from active storage.
- Deleted accounts are hard-purged within 30 days, including backups.
Your rights
You can export your data, disconnect any bank, or delete your account entirely at any time from Settings → Danger Zone. Deletion immediately revokes Plaid access tokens and erases your rows from our database. Email cardinatesupport@gmail.com for any other request under GDPR / CCPA (access, rectification, erasure, restriction, portability, objection, withdraw consent, or complain to your supervisory authority).
Security
All traffic is TLS 1.2+. Plaid access tokens are stored encrypted at rest and only readable by server-side code. Row-level security ensures one user can never read another's data. We support optional two-factor authentication (TOTP) — turn it on at Settings → Security.
Contact
Questions? cardinatesupport@gmail.com