Privacy Policy

Effective date: March 20, 2026 · Last updated: March 20, 2026

Dacard.ai is operated by Darren Card ("we", "us", "our"), based in Vancouver, British Columbia, Canada. This Privacy Policy explains how we collect, use, share, and protect information when you use our platform at app.dacard.ai and our website at dacard.ai.

By using Dacard.ai, you agree to this policy. If you do not agree, please do not use the service.

1. Information We Collect

Account data. When you sign up, we collect your name, email address, and authentication credentials. Authentication is handled by Clerk. We store your Clerk user ID, account name, and role in our database.

Product URLs you submit. When you score a product, you provide a URL. We crawl that URL to extract publicly accessible content for AI analysis. Crawled content is used to generate your scoring report and is stored alongside the result.

Scoring results and reports. We store the AI-generated maturity scores, dimension scores, recommendations, and associated metadata (company name, score date, stage) in our database, linked to your account.

Integration data. If you connect GitHub or Linear, we receive OAuth tokens and pull operational signals (PR activity, issue velocity, deployment frequency). Credentials are encrypted at rest using AES-256-GCM. Signal data is stored and used to enrich scoring and coaching responses.

Usage data. We track feature usage, credit consumption, page views, and events using PostHog analytics (only with your consent). Server-side events (subscription changes, score completions) are captured regardless of cookie consent as they are necessary for service operation.

Payment data. Billing is handled entirely by Stripe. We do not store credit card numbers or full payment details. We store your Stripe customer ID and subscription status in our database.

Communications. If you contact us by email or through support channels, we retain those communications.

2. How We Use Your Information

To provide, operate, and improve the Dacard.ai platform
To generate AI maturity scores and coaching recommendations
To process payments and manage your subscription
To send transactional emails (receipts, alerts, account notices)
To analyze platform usage and improve product features
To detect and prevent fraud, abuse, or security threats
To comply with legal obligations

We do not sell your personal data to third parties. We do not use your scoring data to train AI models without explicit consent.

3. Sub-processors

We share data with the following third-party service providers as necessary to operate the platform:

Provider	Purpose	Data shared	Location
Clerk	Authentication and user management	Name, email, user ID	United States
Stripe	Payment processing and billing	Name, email, billing info	United States
Turso (ChiselStrike)	Database hosting	All platform data	United States
Anthropic (Claude API)	AI scoring and coaching	Product URLs, crawled content, messages	United States
PostHog	Product analytics (with consent)	Usage events, user ID	United States
Vercel	Hosting and deployment	Request logs, IP addresses	United States

4. Cookies and Tracking

We use cookies for authentication (managed by Clerk, necessary for the service) and analytics (PostHog, only with your consent). You can accept or decline analytics cookies using the consent banner when you first visit the app.

We do not use advertising cookies or share cookie data with ad networks.

5. Data Retention

Account data: Retained until you delete your account.
Scoring results: Retained until you delete them or delete your account. Free plan results older than 30 days are automatically purged.
Integration signals: Retained while your integration is connected. Deleted when you disconnect.
Usage logs: Retained for 12 months for operational and security purposes.
Payment records: Retained as required by applicable law (typically 7 years for financial records).

6. Your Rights

Depending on your location, you may have the following rights under GDPR (if you are in the EEA or UK), PIPEDA (Canada), or CCPA (California):

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate data.
Deletion: Request deletion of your account and associated personal data. You can do this directly in Settings > Account > Delete Account, or by emailing privacy@dacard.ai.
Portability: Request your data in a machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdrawal of consent: Withdraw analytics consent at any time via the cookie banner.

To exercise any of these rights, email privacy@dacard.ai. We will respond within 30 days.

7. Data Security

We implement industry-standard security measures including:

Encryption of integration credentials at rest (AES-256-GCM)
HTTPS/TLS for all data in transit
HTTP security headers (HSTS, X-Frame-Options, CSP)
Authentication via Clerk with email verification
Role-based access controls on all data endpoints

No system is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

8. International Data Transfers

Dacard.ai is operated from Canada. Our sub-processors (listed above) are primarily located in the United States. If you are in the EEA or UK, transfers to the US are made under Standard Contractual Clauses (SCCs) or other appropriate safeguards provided by each sub-processor.

9. Children's Privacy

Dacard.ai is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy with an updated effective date. Continued use of the platform after changes constitutes acceptance of the revised policy.

11. Contact

For privacy questions, requests, or concerns:

Email: privacy@dacard.ai
Mailing address: Darren Card, Vancouver, BC, Canada

For enterprise Data Processing Agreement (DPA) requests, see our DPA page.