Privacy Policy

Effective: 2026-06-01.

This is a placeholder. Replace with legal-reviewed language before production launch.

What we collect

Operators: account email, business profile (name, vertical, address). Stripe customer id once an operator starts a subscription.

Cardholders: phone number (stored as an HMAC-SHA256 fingerprint with a server-side pepper, plus AES-256-GCM ciphertext for retrieval), optional name, optional birthday (month/day used for sequence triggers), timezone (captured at pass install), the cards they've installed, and the stamps awarded on those cards.

What we don't sell

Cardholder data is never sold to third parties or used for cross-business marketing. Operators see only their own cardholders.

Opt out

Cardholders can pause all push notifications across every Karam Kards program they're enrolled in by visiting /unsubscribe with their phone number. The opt-out is reversible from the same page.

POS integrations

When an operator connects Square, Toast, or Clover, payment-event metadata flows into our system (payment id, location, refund id). No line items, no card-on-file data, no customer credit-card info.

Contact

privacy@karamkards.com