Privacy Policy
Effective date: June 16, 2026
Last updated: June 16, 2026
This Privacy Policy explains how Comprafy SAS ("Comprafy", "we", "us", or "our") collects, uses, shares, and protects personal information in connection with the Card Club loyalty platform (the "Service"). Comprafy is the company that operates Card Club; you can learn more about us at https://comprafyapp.com.
This Policy applies to two groups of people:
- Merchants: business owners and their team members (Owners, Managers, and Collaborators) who use Card Club to run loyalty programs.
- Customers: end consumers who enroll in a Store's loyalty program and add a loyalty card to a digital wallet.
By using the Service, you acknowledge the practices described in this Policy.
1. Our Role: Controller and Processor
Card Club is a platform that lets businesses run their own loyalty programs. Our role depends on whose data is involved:
- For Merchant account data (the information businesses and their team members provide to use Card Club), Comprafy acts as the data controller.
- For Customer data (information about the end consumers who enroll in a Store's program), the Store / Merchant is the data controller and decides how that information is used. Comprafy acts as a processor / service provider, hosting the loyalty program and issuing digital wallet passes on the Store's behalf.
If you are a Customer and wish to exercise rights over your data, you may contact us, and we will also help route your request to the relevant Store where appropriate.
2. Information We Collect
We collect only the information needed to operate the Service. We do not collect government IDs, payment-card numbers, precise location, or contacts.
2.1 Merchant and team information
- Email address and display name.
- Profile photo / avatar (optional).
- The sign-in method used (for example, email, Apple, or Google).
- Account status and the role assigned (Owner, Manager, or Collaborator).
Authentication and password management are handled by a trusted third-party identity provider. We do not store your password.
2.2 Store information
Information Merchants provide to set up their Stores, such as: store name, business type, logo and card background images, brand color, time zone, currency, and optional details like address, website, social handle, phone number, and description.
2.3 Customer information
- Email address: only if the Customer provides it during enrollment (which may be optional or required depending on the Store's settings), together with whether it has been verified.
- Marketing consent: whether the Customer opted in to receive communications, and when and under which consent text version.
- Loyalty membership data: a customer number, point balance, and membership status within a specific Store's program.
Customers do not create a password-protected account and are otherwise treated as anonymous; we do not collect a Customer's name, phone number, address, or device identifiers.
2.4 Loyalty activity
Records of point transactions (points earned, removed, redeemed, or expired), including the time, the amount, the reason or note, and which team member performed the action. These records form a ledger used to keep program balances accurate.
2.5 Digital wallet pass data
Technical information needed to issue and update loyalty passes in Apple Wallet and Google Wallet, such as pass identifiers, the wallet platform, and device push tokens used to send balance updates to the Customer's wallet. This data does not include Customer contact details.
2.6 Communications and campaigns
Where a Merchant sends loyalty messages to Customers' wallet passes, we process delivery records (such as which message was sent and whether delivery succeeded). For account-related emails (such as wallet-card recovery links or team invitations), we process the recipient email address and delivery status.
2.7 Subscription and billing data
When subscriptions are active, we process subscription status and related identifiers (such as the plan, store capacity, and billing period). Payments are processed by third-party payment providers (Apple, Google, or Stripe); we do not store full payment-card details.
2.8 Technical and log data
To operate and secure the Service, we automatically process limited technical data such as request logs, timestamps, and security-related events (for example, audit logs of administrative actions taken by Merchant team members).
3. How We Use Information
We use personal information to:
- Provide, operate, and maintain the Service, including creating Stores, issuing and updating loyalty cards, and recording point transactions.
- Authenticate users and secure accounts.
- Enable Merchants to communicate with their Customers as permitted (for example, wallet messages and, where applicable, recovery emails).
- Manage subscriptions, billing, and entitlements.
- Detect, prevent, and address fraud, abuse, security incidents, and technical problems.
- Comply with legal obligations and enforce our Terms.
Where the law requires a legal basis, we rely on: performance of a contract (to provide the Service), legitimate interests (to operate, secure, and improve the Service), consent (for example, Customer opt-in to marketing), and compliance with legal obligations.
4. How We Share Information
We share information only as needed to run the Service:
- With the enrolled Store. Customer enrollment and loyalty data is made available to the Store the Customer joined, which acts as controller of that data.
- With digital wallet providers. We share the limited data needed to create and update passes with Apple Wallet and Google Wallet, so the loyalty card works on the Customer's device.
- With payment processors. Subscription and payment data is shared with Apple, Google, or Stripe, depending on how the subscription was purchased.
- With service providers. We use reputable third-party providers for cloud infrastructure and hosting, identity and authentication, email delivery, and analytics. These providers process data on our behalf under appropriate confidentiality and data-protection obligations, and only as needed to provide their services to us.
- For legal reasons. We may disclose information where required by law, regulation, legal process, or to protect the rights, safety, and security of Comprafy, our users, or the public.
- In a business transfer. If Comprafy is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.
We do not sell your personal data, and we do not share it for third-party advertising.
5. Cookies and Similar Technologies
Our public enrollment and recovery web pages use a small number of cookies and similar technologies:
- Essential technologies that are necessary for the pages to function and to keep the Service secure (for example, maintaining an enrollment session).
- Analytics technologies that help us understand, in aggregate, how the Service is used so we can improve it. Where required by law, we ask for your consent before using non-essential analytics technologies.
The Card Club mobile app does not use advertising cookies or third-party advertising trackers. You can control or block cookies through your browser settings; note that blocking essential cookies may prevent enrollment pages from working correctly.
6. Communications and Marketing
- Account and service messages (such as wallet-card recovery links and team invitations) are sent as part of operating the Service.
- Marketing and loyalty communications to Customers are controlled by the Store. Where a Customer's email is optional, marketing requires the Customer's opt-in consent. Where a Store requires an email to enroll, enrollment may be used for program-related communication and card recovery, as configured by the Store.
- Customers can opt out of a Store's marketing communications at any time and can remove a loyalty card from their wallet at any time through their device.
7. Data Security
We take the security of your information seriously. Communications with the Service are encrypted in transit using industry-standard transport encryption (TLS/HTTPS), and personal data is stored on secured infrastructure with encryption at rest. We apply role-based access controls, store sensitive tokens only in hashed form, and keep secrets in protected key-management systems. QR codes used in store contain only an opaque membership reference and a cryptographic signature; they do not contain personal data.
No method of transmission or storage is ever completely secure, so we cannot guarantee absolute security; however, we work continuously to protect your information.
8. Data Retention and Deletion
We retain personal information for as long as it is needed to provide the Service and for legitimate business or legal purposes.
- Active accounts. Merchant and Customer data is retained while the related account or membership is active.
- Deletion. If you delete your data or your account, it is permanently deleted from our active systems and cannot be recovered. Residual copies may remain in routine backups for a limited period before being overwritten.
- Legal retention. We may retain certain records where required or permitted by law (for example, for tax, accounting, security, or legal-compliance purposes).
- Wallet cards. Deleting an account, membership, or Store will cause the related loyalty cards to stop functioning.
9. Your Rights
Depending on where you live, you may have rights over your personal information, including the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your data.
- Export / receive a copy of your data in a portable format.
- Restrict or object to certain processing.
- Withdraw consent where processing is based on consent.
To exercise these rights, contact us using the details in Section 13. We will respond within the timeframe required by applicable law.
In Argentina, the protection of personal data is governed by Law No. 25.326 on the Protection of Personal Data and its implementing regulations. The Agencia de Acceso a la Información Pública (AAIP) is the supervisory authority, and you have the right to lodge a complaint with it. If you are located elsewhere, you may also have the right to lodge a complaint with your local data-protection authority.
If you are a Customer, note that for data controlled by a Store, the Store is primarily responsible for fulfilling your request; we will assist and route your request to the relevant Store as needed.
10. International Data Transfers
The Service is operated using cloud infrastructure that may be located in countries other than the one in which you reside. Where we transfer personal data across borders, we use appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) as required by applicable law to protect your information.
11. Children's Privacy
Card Club is a business tool intended for use by adults (18 years or older) and is not directed to children. We do not knowingly collect personal data directly from children. Loyalty programs are operated by Merchants, who are responsible for the lawfulness of any participation by minors and for any applicable parental-consent requirements. If we become aware that we have collected personal data from a child without appropriate consent, we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after the changes take effect constitutes acknowledgment of the updated Policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Comprafy SAS
Website: https://comprafyapp.com
Card Club: https://getcardclub.com
Email: contact@airbytesllc.com