Privacy Policy

Last updated: April 27, 2026

This Privacy Policy explains what data Cardivate ("we", "us") collects when you use the Cardivate Anki add-on or this website, why we collect it, and the choices you have. We aim to collect as little personal data as possible.

1. Data we collect

Account data. When you receive a license, we store the email address you provided, a hash of the license key, the credit balance, and basic metadata such as creation timestamp.

Device data. To enforce per-license device limits, the add-on sends a short anonymous device fingerprint to our server when you activate. This fingerprint is derived locally from your operating system and machine name — it is not a personal identifier and cannot be reversed into one.

Usage data. Each generation request logs the license id, request type, card count, processing time, and approximate AI cost. We use this to enforce credits, detect abuse, and improve the product. We do not store the contents of your PDFs.

Feedback. If you submit feedback through the add-on, we store the message you typed plus optional contact details and basic diagnostics (Anki version, OS, add-on version) to reproduce bugs.

Logs & errors. Standard web-server logs (IP address, user agent, timestamps) and crash reports via Sentry are retained for up to 30 days for security and debugging.

2. Data we do NOT collect

• The contents of your PDFs are processed in memory and discarded immediately after the cards are returned. They are never written to disk on our server.
• We do not collect, sell, or share marketing identifiers, advertising IDs, or social-media tokens.
• We do not use third-party advertising or tracking pixels on this website.

3. How we use third parties

To deliver the service, the following processors handle limited data on our behalf:

• OpenAI — pages you submit for generation are sent to OpenAI's API to produce flashcard content. OpenAI does not retain this data for model training when accessed through the API. See OpenAI's API data policy.
• Fly.io — application hosting, located in Frankfurt (Germany).
• Resend — transactional email delivery (license keys, support replies).
• Sentry — error monitoring (no PII is sent; request bodies are excluded).
• Cloudflare — CDN / DDoS protection for this website.
• NOWPayments — handles cryptocurrency payment processing. We never see your wallet seed or private keys; only the public transaction data needed to confirm your purchase.

4. Data retention

License records are retained for as long as the license is active and for up to 24 months after expiry, for accounting and support. You may request earlier deletion (see Section 6). Server logs and Sentry events are retained for at most 30 days.

5. Cookies

This marketing website does not set tracking cookies. Cloudflare may set a short-lived security cookie (__cf_bm) to detect bots; it expires within 30 minutes of inactivity.

6. Your rights

You can ask us to:

• Tell you what data we hold about you.
• Correct inaccurate data.
• Delete your data (we will retain only what is required by law).
• Export your data in a machine-readable format.

To exercise any of these rights, email us via the contact page. We respond within 30 days.

7. Children

Cardivate is not directed at children under 16. We do not knowingly collect personal data from children.

8. International transfers

Our servers are located in the European Union (Frankfurt). Some processors (OpenAI, Sentry, Cloudflare) may process data in the United States under appropriate safeguards (Standard Contractual Clauses).

9. Changes

If we materially change this policy, we will update the date at the top and, where appropriate, notify license holders by email.

10. Contact

For privacy questions, use the contact page.