← Back

Privacy Policy

Last updated: March 5, 2026

1. Introduction

This Privacy Policy describes how Card Bloom ("we", "us", or "our") collects, uses, and protects your information when you use our iOS app, Card Bloom / Pokemon Card Maker, and our web application (collectively, the "Service"). By using the Service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information (Web)

When you create an account on the web app, we collect your email address, name, and password (stored as a secure hash). If you sign in with Google, we receive your name and email from Google OAuth.

2.2 Device Information (iOS)

The iOS app does not require login. We generate and store a random device identifier (UUID) in your device's Keychain to identify your device for API requests. If you enable iCloud syncing, your iCloud user ID is used to link multiple devices for credit pooling.

2.3 Photos and Card Content

When you create a card, you upload a photo and optionally provide personal details such as names, ages, and messages for card themes (e.g., birthday cards, pet cards). These photos and details are sent to OpenAI's API to generate card artwork and stats. We do not control how OpenAI processes this data; please refer to OpenAI's Privacy Policy for details.

On the web, generated card images are stored on our servers (Vercel Blob Storage). On iOS, card images and original photos are stored in your private iCloud container and are not accessible to us.

2.4 Payment Information

Web subscriptions are processed by Stripe. We store your Stripe customer ID and subscription status but never see or store your full credit card number. For iOS in-app purchases, transactions are processed by Apple. We store transaction IDs and purchase dates for validation purposes.

2.5 Cookies

We use essential session cookies (via NextAuth) to keep you logged in on the web app. We do not use any third-party tracking cookies or advertising cookies.

3. How We Use Your Information

4. Third-Party Services

We share data with the following third-party services as necessary to operate:

We do not sell your personal data to any third party. We do not use any analytics or advertising services.

5. Data Retention

Your account data and generated cards are retained for as long as your account is active. Pending cards that fail to generate are automatically deleted after 10 minutes. If you delete your account, we will delete your personal data and card images from our servers within 30 days.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

To exercise these rights, contact us at the email address below.

7. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us and we will delete it promptly.

8. Security

We take reasonable measures to protect your data, including encrypted password storage (bcrypt), HTTPS encryption for all data in transit, and secure session management. However, no method of transmission over the Internet is 100% secure.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, please contact us at peteryeung0530@gmail.com.