Privacy Policy

    We built Universal SmartCard with a simple principle: your financial data is yours. We collect only what we need to make the Service work, we never sell your data, and we never store raw card numbers or CVVs — ever.
  

Who We Are
What We Collect
What We Do NOT Collect
How We Use Your Data
Who We Share With
Data Retention
Your Rights
Cookies & Tracking
Security
Children's Privacy
Changes to This Policy
Contact

1. Who We Are

Universal SmartCard ("we," "us," or "our") operates the Universal SmartCard platform, a free financial technology service that helps you maximize rewards across your credit cards and provides Stripe-powered Visa payment cards.

This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our website and application (collectively, the "Service"). It applies to all users of the Service, including residents of California (CCPA) and the European Economic Area (GDPR).

For privacy inquiries: privacy@universalsmartcard.com

2. What We Collect

We collect information in the following categories:

Account Information

Full name
Email address
Phone number
Password (stored as a bcrypt hash — we never store your password in plain text)

Card Preferences & Profile

Which credit card products you tell us you own (e.g., "I have the Chase Sapphire Preferred" and "I have the Amex Gold"). We store the card product name only — not any card numbers, account numbers, or CVVs.
Spending category preferences you set to refine recommendations.

Transaction Data (Smart Card only)

For Universal SmartCard-issued Visa cards, we receive transaction records from Stripe Issuing, including: merchant name, merchant category code (MCC), transaction amount, date and time, and authorization status.
We do not receive or store raw card numbers, full account numbers, or CVV/CVC codes from any source.

Rewards & Cashback Data

Confirmed cashback earned on Smart Card transactions (sourced directly from Stripe).
Estimated rewards for third-party cards, calculated by our recommendation engine based on publicly known rewards rates and your stated card holdings.

Technical & Usage Data

IP address (used for security and fraud prevention; not linked to your profile for advertising)
Browser type and operating system
Pages visited within the Service and timestamps
Session identifiers (see Cookies section)

Identity Verification Data (Smart Card applicants)

If you apply for an issued Smart Card, Stripe's Know Your Customer (KYC) process may require your date of birth, Social Security Number (last four digits or full, as required by law), and a government-issued ID. This information is transmitted directly to Stripe and is subject to Stripe's Privacy Policy — we do not store it on our servers beyond what is required for record-keeping under applicable law.

3. What We Do NOT Collect

We never collect, store, or transmit: full credit or debit card numbers, CVV/CVC security codes, card PINs, online banking usernames or passwords, or any credentials to your external financial accounts.

We also do not:

Sell your personal data to advertisers, data brokers, or any third parties.
Use your data to build advertising profiles or sell targeted advertising.
Share your data with employers, landlords, or any parties conducting background checks.
Use third-party tracking pixels from social media platforms on pages where you are logged in.

4. How We Use Your Data

We use the data we collect for the following purposes:

Providing the Service: Creating and maintaining your account, operating the card recommendation engine, displaying your transaction history and rewards, and issuing and managing your Smart Card.
Personalized Recommendations: Matching your stated card portfolio against purchase categories to recommend the highest-earning card for each transaction type.
Account Communications: Sending you account alerts, transaction confirmations, monthly statements, and important Service notices. These communications are necessary for the Service and cannot be opted out of while you maintain an account.
Security & Fraud Prevention: Monitoring for unauthorized access, unusual transaction patterns, and other security threats.
Legal Compliance: Meeting our obligations under applicable financial regulations, responding to lawful requests from authorities, and maintaining records as required by law.
Service Improvement: Analyzing aggregated, anonymized usage patterns to improve recommendations and platform features. We do not use individual-level data for this purpose without your consent.

Our legal basis for processing under GDPR is: (a) contract performance — for operating your account and the Service; (b) legitimate interests — for security and fraud prevention; and (c) legal obligation — for regulatory compliance. Where we rely on consent, you may withdraw it at any time.

5. Who We Share Your Data With

We share your data only with the following categories of service providers, strictly to operate the Service:

Partner	Role	Data Shared
Stripe	Card issuing, payment processing, KYC/identity verification	Name, email, address, identity verification data (for card applicants); transaction data flows from Stripe to us
MongoDB Atlas	Database hosting (encrypted at rest)	All account data stored in the Service is held on MongoDB Atlas infrastructure
Render	Application hosting and infrastructure	Application logs and session data processed on Render servers

Each of these partners is bound by data processing agreements that restrict their use of your data to providing services to us. None of them may use your data for their own advertising or sell it to third parties in connection with our service.

Beyond the partners above, we may disclose your information if:

Required by law, court order, or lawful government request.
Necessary to protect the rights, property, or safety of Universal SmartCard, our users, or the public.
In connection with a merger, acquisition, or sale of assets — in which case we will notify you and ensure the acquirer is bound by equivalent privacy protections.

      We do not sell, rent, or trade your personal data to any third party for their own commercial purposes.
    

6. Data Retention

We retain your data for as long as your account is active and for a reasonable period thereafter to enable account recovery and meet legal obligations. Specifically:

Account data: Retained for the duration of your account plus 90 days after deletion to allow for account recovery, then permanently deleted.
Transaction data: Retained for 7 years from the transaction date, as required by applicable financial regulations (e.g., Bank Secrecy Act record-keeping requirements).
Rewards data: Retained for the duration of your account plus 90 days after account deletion.
Security logs: Retained for up to 12 months for fraud investigation purposes.
Anonymized, aggregated data: May be retained indefinitely for product improvement purposes; this data cannot be linked back to you.

You may request deletion of your account and associated data at any time (see Your Rights below). Some data may be retained beyond deletion requests where required by law.

7. Your Rights

Depending on where you live, you have some or all of the following rights regarding your personal data:

All Users

Access: Request a copy of the personal data we hold about you.
Correction: Ask us to correct inaccurate or incomplete data.
Deletion: Request that we delete your account and personal data, subject to legal retention requirements.
Portability: Request your data in a structured, machine-readable format.

California Residents (CCPA/CPRA)

You have the right to know what personal information we collect, use, disclose, and sell (we do not sell).
You have the right to opt out of the sale of personal information — but as noted, we do not sell personal information.
You have the right to non-discrimination for exercising your privacy rights.
You may designate an authorized agent to make requests on your behalf.

EEA/UK Residents (GDPR/UK GDPR)

Right to object to processing based on legitimate interests.
Right to restrict processing in certain circumstances.
Right to withdraw consent where we rely on consent as a legal basis.
Right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@universalsmartcard.com. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

8. Cookies & Tracking

We use a minimal cookie approach. Specifically:

Session cookies: We use a single session cookie to keep you logged in during your browser session. This cookie is deleted when you close your browser or log out. It contains only a session identifier — no personal data.
No advertising or tracking cookies: We do not use advertising pixels, cross-site tracking cookies, or analytics cookies from third-party platforms (such as Google Analytics, Facebook Pixel, or similar services).

You can disable cookies in your browser settings, but doing so will prevent you from logging in to the Service.

We do not use fingerprinting, supercookies, or other tracking mechanisms beyond the session cookie described above.

9. Security

We take the security of your data seriously and implement industry-standard safeguards, including:

Password hashing: Passwords are hashed using bcrypt with an appropriate cost factor before storage. We never store passwords in plain text.
Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Data stored in MongoDB Atlas is encrypted at rest using AES-256.
No raw card storage: We never store full card numbers, CVV/CVC codes, or PINs. All card-sensitive data is managed by Stripe in their PCI-DSS Level 1 compliant environment.
Access controls: Access to production data is restricted to authorized personnel on a need-to-know basis, with audit logging.
Vulnerability management: We conduct regular dependency audits and apply security patches promptly.

No security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant authorities as required by applicable law, without undue delay.

10. Children's Privacy

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a minor without appropriate parental consent, we will take steps to delete that information promptly.

If you believe we may have inadvertently collected information from a minor, please contact us at privacy@universalsmartcard.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Send a notification email to the address associated with your account.
Display an in-app notice on your dashboard.

We encourage you to review this policy periodically. Your continued use of the Service after the effective date of changes constitutes your acknowledgment of the updated policy.

12. Contact

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact our privacy team:

Privacy email: privacy@universalsmartcard.com
General support: support@universalsmartcard.com
Company: Universal SmartCard

We aim to respond to all privacy-related requests within 30 days.

If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national data protection authority in the EU).

Contents