Last updated: March 5, 2026
This Privacy Policy describes how Card Bloom ("we", "us", or "our") collects, uses, and protects your information when you use our iOS app, Card Bloom / Pokemon Card Maker, and our web application (collectively, the "Service"). By using the Service, you agree to the collection and use of information as described in this policy.
When you create an account on the web app, we collect your email address, name, and password (stored as a secure hash). If you sign in with Google, we receive your name and email from Google OAuth.
The iOS app does not require login. We generate and store a random device identifier (UUID) in your device's Keychain to identify your device for API requests. If you enable iCloud syncing, your iCloud user ID is used to link multiple devices for credit pooling.
When you create a card, you upload a photo and optionally provide personal details such as names, ages, and messages for card themes (e.g., birthday cards, pet cards). These photos and details are sent to OpenAI's API to generate card artwork and stats. We do not control how OpenAI processes this data; please refer to OpenAI's Privacy Policy for details.
On the web, generated card images are stored on our servers (Vercel Blob Storage). On iOS, card images and original photos are stored in your private iCloud container and are not accessible to us.
Web subscriptions are processed by Stripe. We store your Stripe customer ID and subscription status but never see or store your full credit card number. For iOS in-app purchases, transactions are processed by Apple. We store transaction IDs and purchase dates for validation purposes.
We use essential session cookies (via NextAuth) to keep you logged in on the web app. We do not use any third-party tracking cookies or advertising cookies.
We share data with the following third-party services as necessary to operate:
We do not sell your personal data to any third party. We do not use any analytics or advertising services.
Your account data and generated cards are retained for as long as your account is active. Pending cards that fail to generate are automatically deleted after 10 minutes. If you delete your account, we will delete your personal data and card images from our servers within 30 days.
Depending on your jurisdiction, you may have the right to:
To exercise these rights, contact us at the email address below.
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected data from a child under 13, please contact us and we will delete it promptly.
We take reasonable measures to protect your data, including encrypted password storage (bcrypt), HTTPS encryption for all data in transit, and secure session management. However, no method of transmission over the Internet is 100% secure.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.
If you have questions about this Privacy Policy, please contact us at peteryeung0530@gmail.com.