Privacy Policy

Last updated: April 21, 2026

This Privacy Policy explains how Carded ("we", "us", or "our") collects, uses, discloses, and protects personal information in connection with our ID verification platform. We are committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

1. Who This Policy Applies To

This policy applies to:

• Venue owners — companies and individuals who register and manage venues on the platform
• Staff members — employees or contractors added by venue owners to use the scanning app
• Waitlist applicants — individuals who submit their email at carded.to
• Patrons — individuals whose identification is scanned at a venue using Carded

2. Information We Collect

From venue owners and staff:

• Name, email address, and company name at registration
• Hashed passwords (bcrypt — never stored in plaintext)
• Venue details (name, location, minimum age setting)
• Account activity logs

From ID scans (patron data):

• Name, date of birth, and expiry date parsed from the scanned document
• Document type (driver's licence or passport)
• Province/country of issuance
• A cryptographic hash of the document number (see Section 4) — the raw document number is never stored

From waitlist signups:

• Email address only

3. How We Use Personal Information

• To provide age verification and ban list checking services to venues
• To authenticate venue owners and staff
• To send transactional emails (account verification, password reset)
• To contact waitlist applicants about platform availability
• To detect and prevent fraud or abuse of the platform
• To comply with legal obligations

We do not use patron ID data for marketing, profiling, or any purpose beyond the immediate verification request made by the venue.

4. How We Protect Document Numbers

Carded never stores raw identification document numbers. When a document is scanned, its document number is immediately converted to a one-way cryptographic hash (HMAC-SHA256) using a unique secret salt assigned to each venue. This hash is used solely to check whether the document appears on that venue's ban list.

Because each venue uses a different salt, hashes cannot be compared across venues. This means Carded cannot build a cross-venue tracking profile of any individual patron by document number.

5. Data Sharing and Third Parties

We do not sell personal information. We share data only with:

• Railway — cloud infrastructure provider hosting our backend and database
• Resend — transactional email delivery (receives email addresses only)

All third-party providers are contractually required to protect personal information and are prohibited from using it for their own purposes.

We may disclose personal information to law enforcement or regulatory authorities when required by law or valid legal process.

6. Data Retention

• Venue owner and staff accounts — retained for the duration of the subscription and deleted within 90 days of account closure upon request
• Scan records — patron name and DOB from verification requests are not persistently stored; only the ban hash is retained if a ban is added by the venue
• Ban records — retained until removed by the venue owner or until the venue account is closed
• Waitlist emails — retained until the applicant is onboarded or requests removal

7. Your Rights Under PIPEDA

You have the right to:

• Request access to personal information we hold about you
• Request correction of inaccurate information
• Withdraw consent to certain uses of your information (subject to legal or contractual limitations)
• Request deletion of your personal information, subject to our legal retention obligations
• File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

To exercise any of these rights, contact us at braeden@carded.to. We will respond within 30 days.

8. Security

We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), bcrypt password hashing, JWT-based authentication with 30-day expiry, per-venue cryptographic salts, and rate limiting on all sensitive endpoints. We conduct periodic security reviews of the platform.

No system is perfectly secure. In the event of a data breach that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as required under PIPEDA.

9. Cookies and Analytics

The Carded website (carded.to) may use minimal cookies for session management. We do not use third-party advertising or behavioural tracking cookies. We do not currently use analytics services that collect personal information.

10. Children's Privacy

Carded is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. The updated policy will be posted at carded.to/privacy with a revised effective date.

12. Contact

For privacy-related questions, requests, or complaints:

• Email: braeden@carded.to
• Website: carded.to

© 2026 Carded. All rights reserved.