01Who We Are
Card Assist is published by Dedalva LLC ("we", "us", or "our"). This Privacy Policy explains how we collect, use, store, and protect information when you use the Card Assist mobile application ("App") on iOS or Android.
Card Assist is a private, on-device vault for the cards you carry — payment cards, identity documents, insurance and health cards, loyalty and rewards cards, and more. It works without an account, without the cloud, and without us ever receiving your card data.
If you have any questions or concerns about this Privacy Policy or your personal data, please contact us at the address above.
02Scope
This Policy applies to all users of Card Assist regardless of where you are located. We have written it to comply with:
- The EU General Data Protection Regulation (GDPR — Regulation 2016/679)
- The UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018
- The Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable US state privacy laws
03Information We Collect
3a. Information You Provide Directly
When you use Card Assist, you enter information that is stored locally on your device only. This includes:
| Category | Examples | Sensitivity |
|---|---|---|
| Payment card data | Card number (PAN), expiry date, cardholder name, network, card nickname | Sensitive / financial |
| Identity documents | Driver's license, passport, and other ID details you choose to store | Sensitive personal |
| Other cards | Insurance, health, loyalty, gift, and membership card details | Personal |
| Photos | Front/back images of cards you optionally capture | Personal |
3b. Information We Do Not Collect
We do not operate servers or cloud storage for your card data, and we do not receive it. Specifically, we do not:
- maintain any servers or cloud storage for your cards or documents
- collect your email address, phone number, or other contact details
- require or create a user account
- request access to your device's location
- use your card or document data to target, personalize, or measure advertising
- perform any analytics on the content of your cards
Two limited exceptions involve information leaving your device: advertising (described just below), which serves the banner ad that keeps the App free, and a problem report (the next section) that is sent only if you choose to email it to us. Neither ever includes your card data.
3c. Advertising (Google AdMob)
Card Assist is free and supported by a single banner advertisement displayed at the top of the screen. Ads are served by Google AdMob. To request, show, and measure ads, the Google Mobile Ads SDK and its partners may collect:
- A mobile advertising identifier (the Android Advertising ID, or the iOS IDFA where you permit tracking)
- Device and technical information — device model, operating system version, language, and similar
- Your IP address, from which an approximate (e.g. city-level) location may be inferred
- Ad-interaction and measurement data — which ads were requested, shown, viewed, or clicked, and basic fraud-prevention signals
This advertising data is collected and processed by Google as an independent controller under its own policies, to serve and measure ads and to cap how often you see the same ad.
Where required by law (for example in the EEA, UK, and Switzerland), a Google-certified consent message is shown on first launch where you can accept or decline personalized ads; if you decline, non-personalized (contextual) ads are shown instead. You can reset or limit ad tracking at any time in your device settings — on iOS via Settings → Privacy & Security → Tracking, and on Android via Settings → Privacy → Ads.
04Reporting a Problem — You Decide What to Send
Card Assist has no automatic crash reporting and no analytics SDK. Nothing about how you use the App is collected or transmitted in the background. The only way technical information reaches us is if you choose to send a problem report.
Settings → Feedback → Report a Problem, the App opens your device's own email app with a message pre-filled to [email protected]. The report is sent only when you press Send in your mail app — and you can review or delete anything first.
A problem report you choose to send contains:
- The description you type, and any screenshot you choose to attach
- The app version
- Your device model and operating system version
- Card numbers (PAN), expiry dates, or cardholder names
- Identity document numbers, photos, or any card images
- Your PIN, biometric data, or 12-word recovery phrase
- Any advertising identifier or precise location
The app version and device model are added so we can reproduce the issue; no card data or vault contents are ever included. Because the report travels through your own email account, it is handled by your email provider and ours like any other email you send.
05How We Use Your Information
Data You Enter (All Users)
Your card, document, and photo data is used solely to operate the App on your device:
- Display your cards, reveal/mask card numbers on demand, and let you flip and copy fields
- Organize and search your vault
- Protect access with biometric unlock, a PIN, and auto-lock
- Generate your 12-word recovery phrase locally so you can regain access if you forget your PIN
Your card data never leaves your device. We never receive it, analyse it, or back it up to a server.
Advertising (All Users)
The advertising data described in §3c is used to display and measure the banner ad that keeps Card Assist free — showing ads, capping how often the same ad appears, measuring ad performance, and detecting invalid or fraudulent activity. Your card, document, and photo data is never used for advertising.
Problem Reports (Only If You Email Us)
If you choose to send a problem report (§4), we use the information in your email exclusively to:
- understand, reproduce, and fix the bug or issue you described, and
- reply to you if you ask us to.
We do not use problem reports for advertising, profiling, or any decision about you, and we do not attempt to re-identify you from them.
06Legal Basis for Processing (GDPR & UK GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Storing and processing card, document, and photo data on your device | Performance of a contract / legitimate interests (Article 6(1)(b)/(f)) — processing is necessary to provide the core vault functionality you have requested. |
| Protecting access with PIN, biometrics, and the recovery phrase | Legitimate interests (Article 6(1)(f)) — securing the vault you have chosen to use. |
| Responding to a problem report you email us | Consent (Article 6(1)(a)) — you choose to compose and send the report from your own mail app; you control whether to send it at all. |
| Serving and measuring advertising via Google AdMob | Consent (Article 6(1)(a)) for personalized ads — collected through the consent message shown on first launch; where you decline, non-personalized ads are shown on the basis of legitimate interests (Article 6(1)(f)) in funding the free App. |
07Data Storage and Security
All card and document data you enter into Card Assist is stored exclusively on your device. We use the following security measures:
- Encryption at rest: Your vault is encrypted using AES-256.
- Secure key storage: Encryption keys are held in the platform's hardware-backed keystore — Apple's Keychain on iOS and the Android Keystore on Android.
- Biometric-first lock: Face ID / fingerprint is the primary unlock, with a 6-digit PIN as the fallback, and auto-lock after a configurable interval (default 15 seconds).
- Recovery phrase: A 12-word recovery phrase is generated on-device and shown once. It is the only recovery path for your account-less vault; it is never transmitted to or stored by us.
Because data is stored locally, the security of your information also depends on your device's own security features (screen lock, OS updates, etc.).
08Data Sharing and Third Parties
We do not sell, rent, or share your card or document data with any third party. The limited categories of data below are shared only as described here.
Google AdMob (Advertising)
Card Assist displays a banner ad through Google AdMob. As described in §3c, the Google Mobile Ads SDK collects device and advertising identifiers, IP-derived approximate location, and ad-interaction data, which Google processes as an independent controller to serve and measure ads. We never send Google any card, document, or identity data. In regions that require it, personalized ads are shown only if you consent through the on-device consent message; otherwise non-personalized ads are served.
- How Google uses data from apps that use its services: policies.google.com/technologies/partner-sites
- Google AdMob & advertising: support.google.com/admob/answer/6128543
Problem Reports You Email Us
If you choose to send a problem report (§4), it is delivered as an ordinary email from your account to [email protected] and handled by the email providers involved. We use it only to investigate and respond. We never receive any of this unless you press Send in your own mail app — there is no background crash-reporting service or analytics SDK.
Native In-App Review
If you tap "Rate Card Assist," the App uses your platform's native review flow (Apple StoreKit on iOS, Google Play In-App Review on Android). Any rating or review you submit is handled by Apple or Google under their own policies; we do not receive identifying information from this flow.
Legal Disclosures
We may disclose information if required to do so by law, regulation, court order, or other legal process, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of Dedalva LLC, our users, or the public. Because your card data is stored on your device rather than our servers, we are not able to produce it.
Business Transfers
In the event of a merger, acquisition, or sale of all or substantially all of our assets, user card data (which is stored on your device rather than our servers) would not be transferred, as we do not hold it.
09Data Retention
Because all card and document data is stored on your device:
- Your data persists until you delete the App or manually clear App data through your device settings.
- Uninstalling the App deletes the encrypted vault from your device.
- We do not retain any of your card data on our servers, because we never receive it.
- Problem reports you email us are kept only as long as needed to investigate and resolve the issue and to reply to you, then deleted from our support inbox. A copy also remains in your own email “Sent” folder under your control.
- Advertising data collected by Google AdMob is retained and processed by Google as an independent controller under its own retention policies; see the Google links in §8.
10International Data Transfers
Your card, document, and photo data does not leave your device and is therefore not subject to international transfer.
If you email us a problem report, it travels through your email provider and ours, which may process it in the United States or other countries depending on those providers. Advertising data collected by Google AdMob is processed by Google in the United States and other countries, under the categories of transfer mechanisms described in Google's Privacy & Terms.
11Your Rights
Regardless of where you are located, you may contact us at [email protected] with any privacy concerns. Because your card data is stored on your device, most rights can be exercised directly within the App — editing or deleting cards, or uninstalling the App to remove all locally stored information.
EU / EEA (GDPR) and United Kingdom (UK GDPR)
You have the right to:
- Access — obtain a copy of the personal data we hold about you (note: card data is held on your device, not by us)
- Rectification — have inaccurate data corrected
- Erasure ("right to be forgotten") — request deletion of your data
- Restriction — ask us to restrict processing in certain circumstances
- Data portability — receive your data in a structured, commonly used format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent (e.g. personalized ads), withdraw it at any time without affecting the lawfulness of prior processing
- Lodge a complaint — with your national supervisory authority (e.g. the ICO in the UK, or your EU Member State's data protection authority)
California (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, use, or disclose
- Delete personal information we have collected (note: we hold none on our servers)
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — we do not sell your card or document data. Serving personalized ads through Google AdMob may be considered “sharing” for cross-context behavioural advertising under the CPRA; you can opt out by declining personalized ads in the consent message, or by enabling Limit Ad Tracking / resetting your advertising ID in your device settings
- Limit use of sensitive personal information — your card and document data is used only to operate the App on your device
- Non-discrimination for exercising your rights
To exercise these rights, contact us at [email protected]. We will respond within 45 days.
Canada (PIPEDA)
We collect only the minimum personal information needed to operate the App. You have the right to access your personal information, withdraw consent to optional collection (such as personalized advertising) at any time, and challenge our compliance by contacting us or, if unresolved, the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).
Australia (Privacy Act 1988 / Australian Privacy Principles)
Under the APPs you may access the personal information we hold about you (APP 12) and request correction (APP 13). Because we hold no card data on our servers, these rights are most practically exercised directly on your device. You may also contact the Office of the Australian Information Commissioner (www.oaic.gov.au).
12Children's Privacy
Card Assist is not directed at children under the age of 13 (or under 16 where required by local law, including in the EU and UK). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has entered information into the App, you can delete the App or clear its data to remove all locally stored information. Please also contact us at [email protected].
13Card & Financial Data — Additional Disclosures
We recognise that payment cards and identity documents are among the most sensitive personal data that exists. We want to be clear:
- Your card and document data is used only to operate the App on your device
- It is never analysed, sold, or shared with advertisers, banks, insurers, or any other party
- It is never transmitted to us or any third party — including in any problem report you choose to send us, which by design contains no card content
- It is never used to target, personalize, or measure advertising, and is never shared with Google AdMob or any advertising partner
- We do not store your card's CVV / security code at all
- The AES-256 encrypted vault means that even if your device is accessed without your permission, your data remains protected
14Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect how we handle your data — such as a change to how advertising works — we will provide notice within the App.
Your continued use of Card Assist after changes become effective constitutes your acceptance of the revised Policy.
15Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:
We aim to respond to all privacy enquiries within 30 days. EU/UK users with unresolved concerns may also contact their national data protection authority.