Privacy Policy

Effective Date: November 10, 2024 Last Updated: October 25, 2025 Version: 2.0

1. Introduction

This Privacy Policy explains how Card-Y Holdings Inc. ("Card-Y", "we", "us", "our") collects, uses, stores, and protects your personal information when you use our services.

Card-Y Holdings Inc. operates this service through its affiliates and authorized partners.

Arabic Translation: An Arabic translation of this policy may be provided for convenience; however, the English version shall prevail in case of any conflict.

By using Card-Y, you consent to the practices described in this policy.

Beta Platform Notice

Because the platform is in a testing (beta) phase, users acknowledge that occasional downtime, data inaccuracies, or temporary data-processing issues may occur. We implement safeguards to protect your data, but beta features may have reduced reliability compared to production systems.

2. Information We Collect

Personal Identification Information

We collect personal information during registration and KYC (Know Your Customer) onboarding, including but not limited to:

Full Name: Legal first and last name
Date of Birth: For age verification and compliance
Email Address: For account communications
Phone Number: For SMS verification and notifications
Physical Address: Current residential address
Government-Issued ID: Passport, national ID, or driver's license
Identification Documents: Copies uploaded during KYC verification
Selfie/Biometric Data: Facial recognition for identity verification
IP Address: For security and fraud prevention
Device Information: Device type, operating system, browser

Financial Information

Bank Account Details: For withdrawals and deposits (Egypt)
Transaction History: All deposits, withdrawals, transfers, and card transactions
Card Details: Virtual/physical card numbers, expiration dates, CVV
Cryptocurrency Wallet Addresses: USDC wallet on Solana blockchain
Payment Method Information: Paymob payment details
Balance Information: Real-time account and wallet balances

Global Accounts Additional Information

For users with Global Accounts, we collect:

Bridge Customer ID: Unique identifier from Bridge
Routing and Account Numbers: For USD/EUR virtual accounts
ACH/Wire Transfer Details: Sender information, amounts, dates
USDC Wallet Data: Public addresses, transaction hashes
KYC Status with Bridge: Verification level and endorsements

Referral Program Information

Referral Code: Your unique referral identifier
Referral Network: Users who signed up using your code
Referral Earnings: Reward amounts and payment history
Tier Status: Current referral tier and progression

Automatically Collected Information

Usage Data: Pages visited, features used, time spent
Location Data: Approximate location based on IP address
Cookies and Tracking: Session cookies, analytics cookies
Login History: Timestamps, locations, devices
Error Logs: Technical errors and debugging information

This information helps us verify identity, manage accounts, ensure service security, and comply with regulatory requirements.

3. How We Use Your Information

Primary Uses

Your information is used to provide our services, including:

Account Management: Creating and maintaining your CARD-Y account
Issuing Virtual Cards: Processing card applications and issuance
Global Account Setup: Creating USD/EUR virtual accounts via Bridge
USDC Wallet Management: Cryptocurrency custody and transactions
Processing Transactions: Handling deposits, withdrawals, transfers
Performing Currency Conversions: EGP to USD exchanges
Referral Rewards: Tracking and distributing referral earnings
Customer Support: Responding to inquiries and resolving issues

Compliance and Security Uses

Identity Verification: KYC and anti-money laundering (AML) compliance
Fraud Prevention: Detecting and preventing fraudulent activity
Regulatory Compliance: Meeting legal obligations (FinCEN, OFAC, etc.)
Risk Management: Assessing and managing financial risks
Tax Reporting: Issuing 1099 forms and other tax documents
Legal Requirements: Responding to court orders and government requests

Communications

Transactional Emails: Account notifications, transaction confirmations
Security Alerts: Suspicious activity, password changes, login attempts
Service Updates: Feature launches, maintenance notifications
Marketing Communications: Promotional offers, referral program updates (opt-out available)
Regulatory Notices: Terms of Service changes, policy updates

Analytics and Improvement

Service Enhancement: Improving features and user experience
Usage Analytics: Understanding how users interact with platform
Performance Monitoring: System uptime and reliability tracking
A/B Testing: Testing new features with user subsets
Customer Insights: Aggregated data for business decisions

4. Information Sharing and Third-Party Disclosure

Our Service Providers

Card-Y shares information with regulated third-party service providers necessary to deliver our services:

Bridge and BridgeCard (U.S. Banking and Card Partners)

Our U.S. banking partner and card-issuing provider (Bridge and BridgeCard) jointly handle your virtual account and card data.

Bridge (bridge.xyz)

Purpose: Global Accounts, USDC wallets, banking infrastructure
Information Shared: Complete KYC information, transaction history, account balances
Data Location: United States
Regulation: Licensed money transmitter
Their Privacy Policy: https://bridge.xyz/privacy
User Agreement: By using Global Accounts, you agree to Bridge's Terms and Privacy Policy

BridgeCard

Purpose: Virtual and physical card issuance
Information Shared: KYC information, transaction data, spending activity
Data Location: United States
Regulation: Payment card industry certified
Card Network: Mastercard network

Paymob

Purpose: Egyptian payment gateway for EGP deposits
Information Shared:
- Name and email for transaction processing
- Payment method details
- Transaction amounts and timestamps
Data Location: Egypt
Regulation: Central Bank of Egypt licensed
Their Privacy Policy: Available at paymob.com

Banking Partners

Your USD/EUR funds may be held at FDIC-insured banks partnered with Bridge:

Information shared per banking regulations
Subject to each bank's privacy policies
May include KYC information and transaction data
Data processed for compliance and account management

Blockchain Disclosure

USDC transactions occur on Solana public blockchain:

Wallet addresses are public and permanently recorded
Transaction amounts and timestamps are public
Blockchain data cannot be deleted or modified
Anyone can view transactions associated with your wallet address
We do not control blockchain data retention

Regulatory and Legal Sharing

We may share information with:

Government Agencies: FinCEN, IRS, OFAC, CBE (Central Bank of Egypt)
Law Enforcement: Police, FBI, Interpol (with valid legal process)
Courts: In response to subpoenas, court orders, legal proceedings
Regulators: Financial services regulators as required
Tax Authorities: For 1099 reporting and tax compliance

Business Transfers

In event of merger, acquisition, or sale of assets:

Your information may be transferred to acquiring entity
You will be notified 30 days before transfer
New entity must honor this Privacy Policy
You may close account before transfer

Aggregated Data Sharing

We may share anonymized, aggregated data for:

Industry research and benchmarking
Public reporting (e.g., "X users in Egypt")
Partnership discussions
Marketing purposes

Important: Aggregated data cannot identify individual users.

What We Never Share

CARD-Y will never:

Sell your personal information to third parties
Share data for third-party marketing without consent
Provide access to competitors
Share more data than necessary for stated purpose

5. International Data Transfers

Cross-Border Data Flows

CARD-Y operates internationally, resulting in data transfers:

Egypt → United States

For Egyptian Users: If you are located in Egypt, your data will be transferred to and processed in the United States where different data-protection laws may apply. This transfer is necessary to provide our services through our U.S. partners.

Data transferred to Bridge and BridgeCard (U.S.-based)
Data stored on U.S. cloud infrastructure
Subject to U.S. legal framework and government access requests

Egypt → Europe

EUR Global Account data may be processed in EU
Subject to GDPR where applicable
Adequacy determinations or standard contractual clauses used

Egypt → Other Countries

Transaction routing may involve other jurisdictions
Currency conversion partners in various countries
Banking network intermediaries

Transfer Mechanisms

We use legally approved data transfer mechanisms:

Standard Contractual Clauses (EU-approved)
Privacy Shield (if applicable and certified)
Adequate Protections per local law requirements
Your Consent to international transfers

Data Subject Rights

Regardless of location, you have rights to:

Access your personal information
Correct inaccurate information
Request deletion (subject to legal retention)
Object to processing in certain circumstances
Data portability (receive copy of your data)

Contact [email protected] to exercise these rights.

6. Data Security

Security Measures

We implement reasonable security measures to protect user data:

Technical Safeguards

Encryption at Rest: Military-grade encryption for stored data
Encryption in Transit: Secure HTTPS connections for all communications
Encrypted Fields: Routing numbers, account numbers, passwords
Password Protection: Industry-standard password hashing
Key Management: Secure key storage and rotation

Access Controls

Role-Based Access: Employees access only necessary data
Two-Factor Authentication: Required for admin access
Audit Logging: All data access logged and monitored
Background Checks: Employee screening and vetting
NDA Requirements: Confidentiality agreements for staff

Infrastructure Security

Firewalls: Network-level protection
DDoS Protection: Enterprise-grade attack prevention
Intrusion Detection: Real-time threat monitoring
Vulnerability Scanning: Regular security assessments
Penetration Testing: Annual third-party security audits
Secure Hosting: Enterprise cloud infrastructure with security compliance

Application Security

Input Validation: Protection against injection attacks
Cross-Site Protection: Security tokens prevent unauthorized requests
Script Prevention: Output encoding and sanitization
Rate Limiting: API and login attempt restrictions
Session Management: Secure session handling and expiry

Data Breach Response

In event of security breach:

72-Hour Notification: Email notification within 72 hours
Regulatory Reporting: Notification to applicable authorities
Remediation Actions: Immediate steps to contain breach
User Guidance: Instructions to protect your account
Free Credit Monitoring: For significant breaches (if applicable)

Limitations

However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for:

Maintaining password confidentiality
Securing your devices
Monitoring account activity
Reporting suspicious activity promptly

7. Data Retention

Retention Periods

We retain your information for varying periods based on legal and business needs:

Active Accounts

Account Data: Retained while account is active
Transaction Records: Retained for 7 years (financial record requirements)
KYC Documents: Retained for 7 years after account closure (AML requirements)
Communication Logs: Retained for 3 years
Login History: Retained for 2 years

Closed Accounts

Financial Records: 7 years post-closure (IRS, FinCEN requirements)
KYC Information: 7 years post-closure (AML/CFT requirements)
Tax Documents: Indefinitely (or per local tax law)
Dispute Records: Until resolution + 7 years
Fraud Investigations: Indefinitely if fraud suspected

Specific Data Types

Referral Data: 7 years for tax reporting purposes
Global Account Transactions: 7 years (banking regulations)
Chat/Support Logs: 3 years
Marketing Opt-Outs: Indefinitely (to honor preference)
Blockchain Transactions: Permanent (cannot be deleted from blockchain)

Deletion Procedures

Upon account closure or retention expiration:

Personal data securely deleted or anonymized
Encrypted data keys destroyed (rendering data unreadable)
Physical document destruction per data destruction policy
Aggregated/anonymized data may be retained indefinitely

Legal Holds

Retention periods extended if:

Ongoing investigation or litigation
Regulatory request or audit
Suspected fraud or violation
Dispute with user

You will be notified if your data is subject to legal hold.

8. Your Rights and Choices

Access and Correction

You have the right to:

Access: Request copy of your personal information
Correct: Update inaccurate or incomplete information
Export: Download transaction history and account data

How to Exercise: Log into your account or contact [email protected]

Data Deletion

You may request deletion of your personal information, subject to:

Legal Retention: Cannot delete data required by law (7-year retention)
Account Closure: Must close account before deletion request
Pending Transactions: Complete all transactions first
Blockchain Data: Cannot delete public blockchain records
Fraud Investigations: Cannot delete data subject to investigation

Deletion Timeline: Within 30 days of verification of your request

How to Request: Email [email protected] with subject "Data Deletion Request"

Marketing Communications

You can opt out of marketing emails:

Unsubscribe Link: Click link in any marketing email
Account Settings: Manage preferences in app
Email Request: Send to [email protected]

Important: You cannot opt out of:

Transactional emails (receipts, security alerts)
Legal notices (Terms updates, policy changes)
Service communications (downtime, maintenance)

Do Not Track

Our website does not respond to browser Do Not Track signals. We use cookies for essential functionality and analytics.

Cookie Management

You can control cookies through:

Browser Settings: Block or delete cookies
Essential Cookies: Cannot be disabled (required for service)
Analytics Cookies: Can be disabled (affects our insights)
Third-Party Cookies: Managed by third parties (e.g., Google Analytics)

California Privacy Rights (CCPA)

California residents have additional rights:

Right to Know: What information we collect and why
Right to Delete: Request deletion of your information
Right to Opt-Out: Of sale of personal information (we don't sell)
Non-Discrimination: No penalty for exercising rights

California Requests: Email [email protected] with subject "CCPA Request"

European Privacy Rights (GDPR)

EU/EEA residents have additional rights:

Right to Access: Receive copy of your data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion ("right to be forgotten")
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Receive data in machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent

GDPR Requests: Email [email protected] with subject "GDPR Request"

Response Timeline

Identity Verification: We may request proof of identity (1-3 days)
Request Processing: 30 days from verification (may extend to 60 days if complex)
Fee: Generally free, but may charge for excessive/repetitive requests

9. Children's Privacy (COPPA Compliance)

Age Requirement

CARD-Y services are not intended for anyone under 18 years of age.

Minimum Age: Users must be 18+ years old
No Collection from Minors: We do not knowingly collect data from persons under 18
Parental Consent: Not applicable (service restricted to adults)

If We Discover Minor's Data

If we learn we have collected information from someone under 18:

Immediate Deletion: Data deleted within 24 hours
Account Closure: Account permanently closed
Parent Notification: Notification sent if contact information available
Refund: Unused balances refunded to parent/guardian

Report Underage User: Email [email protected] with subject "Underage User Report"

10. Cookies and Tracking Technologies

Types of Cookies We Use

Essential Cookies (Cannot Disable)

Session Cookies: Maintain login session
Security Cookies: CSRF protection, authentication
Load Balancing: Route requests to servers

Functional Cookies (Can Disable)

Preferences: Language, currency, display settings
Remember Me: Keep you logged in across sessions

Analytics Cookies (Can Disable)

Google Analytics: Track usage patterns and page views
Mixpanel: User behavior analytics
Custom Analytics: Internal usage tracking

Third-Party Tracking

We use third-party services that may track you:

Google Analytics: Subject to Google Privacy Policy
Cloudflare: DDoS protection and CDN
AWS CloudFront: Content delivery

Cookie Lifespan

Session Cookies: Deleted when you close browser
Persistent Cookies: 1 year maximum
Analytics Cookies: Up to 2 years

Managing Cookies

You can control cookies via:

Browser Settings: Chrome, Firefox, Safari all allow cookie management
Opt-Out Tools: Browser plugins like Privacy Badger
Analytics Opt-Out: Google Analytics Opt-Out

Warning: Disabling essential cookies will prevent you from using CARD-Y services.

11. Changes to Privacy Policy

Right to Modify

We reserve the right to modify this Privacy Policy at any time. Continued use of our services following any modifications indicates acceptance of the updated Privacy Policy.

Notification of Changes

We will notify you of material changes through:

Email Notification: Sent to registered email (30 days advance notice)
In-App Notification: Alert displayed upon login
Website Banner: Notice on homepage
Updated Date: "Last Updated" date at top of policy

Material Changes

Changes considered material include:

New categories of personal information collected
New third-party data sharing
Changes to data retention periods
Reduction in user rights
Changes to international transfers

User Options

Upon notification of material changes:

Accept: Continue using services
Reject: Close account within 30 days
No Penalty: Account closure before effective date avoids new policy

Non-Material Changes

Minor updates (corrections, clarifications) become effective immediately upon posting.

12. Contact Us

12.1 Privacy Inquiries

For questions or concerns about this Privacy Policy:

Email: [email protected]
Subject Line: Include "Privacy Inquiry" for faster routing
Response Time: 48-72 business hours

12.2 Data Subject Requests

To exercise your rights (access, deletion, correction):

Email: [email protected]
Subject Line: Include request type (e.g., "Data Access Request", "GDPR Request", "CCPA Request")
Include: Full name, email address, account ID (if available)
Verification: We may request proof of identity

12.3 Data Protection Officer

For GDPR-related inquiries:

Email: [email protected]
EU Representative: (If applicable, to be designated)

12.4 Security Incident Reports

To report security vulnerabilities or breaches:

Email: [email protected]
Subject Line: "Security Report"
Response: Acknowledged within 24 hours

12.5 Mailing Address

Card-Y Holdings Inc. 254 Chapman Rd, Ste 208 #17786 Newark, DE 19702 United States

12.6 Regulatory Complaints and Escalation

If unsatisfied with our response, you may file complaints with:

Data Protection Officer: [email protected] (first level escalation)
Central Bank of Egypt: For financial services complaints (Egyptian users)
Delaware Attorney General: Consumer Protection Division
Federal Trade Commission (FTC): For U.S. privacy issues
EU Data Protection Authorities: For GDPR issues (EU residents)

Egyptian Users - Escalation Path: If you believe your data has been misused, you may escalate to our Data Protection Officer or directly to the Central Bank of Egypt's consumer protection division.

BY USING CARD-Y SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.

Document Information:

Policy ID: PRIVACY-2.0
Version: 2.0
Effective Date: November 10, 2024
Last Updated: October 25, 2025