Privacy Policy

Last Updated: June 14, 2026

This Privacy Policy explains how CardMatchly ("we," "us," or the "Service") collects, uses, discloses, and protects your personal data when you use our website and AI features.

This policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore. By using the Service, you consent to the collection and use of your personal data as described herein.

1. Personal Data We Collect

We collect only personal data that is necessary for the purposes described in this policy:

2. Purposes of Collection and Use

Under the PDPA, we collect, use, and disclose your personal data only for purposes that a reasonable person would consider appropriate in the circumstances. Your data is used strictly to:

We will not use your personal data for any purpose beyond those stated above without first notifying you and, where required, obtaining your consent.

3. AI Data Processing (Google Gemini)

We use the Google Gemini API to power our AI features. The Service uses a third-party merchant classification service (Tavily) to identify merchant categories and improve recommendation accuracy. Your prompts are transmitted to Google for processing. Merchant names derived from your queries, photos, or location may be transmitted to Tavily solely for classification purposes. When using the Telegram bot, your messages pass through Telegram's infrastructure before reaching our Service and Google's API.

4. Data Retention

In accordance with the PDPA's retention limitation obligation, we retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.

5. Overseas Transfer of Personal Data

Our service providers are located outside Singapore. Under the PDPA's transfer limitation obligation, we take steps to ensure that your personal data transferred overseas is protected to a standard comparable to the PDPA. We achieve this through:

The countries or regions where your data may be processed include the United States and the European Union, depending on the sub-processor.

6. Third-Party Processors

We disclose personal data to the following infrastructure providers solely to facilitate our Service. Each processor is bound by contractual obligations to protect your data:

7. Your Rights Under the PDPA

Under the Personal Data Protection Act 2012 (Singapore), you have the right to:

To exercise any of the above rights, email our Data Protection Officer at hello@cardmatchly.com. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days in accordance with the PDPA.

Account & Data Deletion: While erasure is not an absolute right under the PDPA (unlike GDPR), we offer full account and data deletion as a courtesy. Email hello@cardmatchly.com to request deletion. We will process your request within 30 days across all sub-processors where technically feasible.

8. Rights of International Users

In addition to your rights under the PDPA (Section 7), users in certain jurisdictions have additional rights under their local laws. We honour these rights for all eligible users regardless of where our business is based.

Canada (PIPEDA & Quebec Law 25)

If you are located in Canada, your personal data is handled in accordance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). You have the right to:

United States (CCPA, California)

If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). Note that these rights typically apply to businesses above certain revenue or data-volume thresholds; as a small operator, we may not currently meet those thresholds. However, we extend these rights to California users as a matter of good practice:

Residents of other US states with active privacy laws (Virginia, Colorado, Connecticut, Texas, etc.) may have similar rights. We will endeavour to honour equivalent requests on a good-faith basis.

To exercise any of the rights listed in this section, contact us at hello@cardmatchly.com with the subject line "Privacy Rights Request: [Your Jurisdiction]". We will respond within 30 calendar days.

9. Data Protection Officer

In accordance with the PDPA, CardMatchly has designated a Data Protection Officer (DPO) responsible for ensuring compliance with our data protection obligations. You may contact our DPO for any queries or concerns regarding the handling of your personal data:

If you are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.

10. Security Practices

We implement industry-standard security measures to protect your personal data, including SSL/TLS encryption for all data in transit, secure environment variables for all third-party API credentials, and access controls limiting data access to authorised personnel only. We do not store sensitive payment information on our own infrastructure.

11. Cookies and Session Storage

We use the following tracking and storage technologies. As Singapore does not have a prescriptive cookie consent regime equivalent to the EU's ePrivacy Directive, we disclose these technologies transparently for your awareness:

We do not use local storage for personal data or saved card selections. All such data is stored server-side in Upstash, linked to your authenticated account.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of the Service after such changes constitutes your acknowledgement of the updated policy.