Privacy Policy
Last Updated: June 14, 2026
This Privacy Policy explains how CardMatchly ("we," "us," or the "Service") collects, uses, discloses, and protects your personal data when you use our website and AI features.
This policy is governed by the Personal Data Protection Act 2012 (PDPA) of Singapore. By using the Service, you consent to the collection and use of your personal data as described herein.
1. Personal Data We Collect
We collect only personal data that is necessary for the purposes described in this policy:
- Identity & Login: We use Kinde for authentication. Access to the AI agent requires a registered account. When you sign up, we receive your email address and name for the purpose of account creation and identity verification.
- Telegram Integration: If you interact with the AI agent via our Telegram bot, your Telegram chat ID is stored in Upstash to link your Telegram account to your CardMatchly account. Messages you send via the bot are transmitted to our Service for processing. If you choose to share your location via Telegram, your GPS coordinates are temporarily cached in Upstash for up to one hour solely to provide location-aware card recommendations, and are deleted automatically after use. We do not store your Telegram username or profile information.
- Billing: Payments are processed by Stripe. We do not store your credit card details on our servers; Stripe handles all sensitive financial data solely for the purpose of transaction processing and fraud prevention.
- Usage & AI Interaction Data: We store the last 10 messages of your AI interactions in Upstash to provide conversational context to the AI agent. This data is retained only as long as needed for this purpose and is accessible solely via your authenticated account. Usage is subject to per-tier prompt limits. Free accounts receive a one-time allowance of 5 prompts with no time limit, tracked via a prompt counter stored in Upstash. Individual prompts are capped at 2,000 characters. Aggregated usage data, including prompt count, plan tier, and prompt length, is tracked via PostHog for product analytics purposes. No prompt content is sent to PostHog.
- Saved Cards: Your saved credit card selections are stored server-side in Upstash, linked to your authenticated account. This allows your saved cards to persist and sync across devices and sessions.
- Communications: If you opt in to our newsletter, your name and email address are managed by Kit solely for the purpose of distributing product updates and marketing communications. You may opt out at any time.
2. Purposes of Collection and Use
Under the PDPA, we collect, use, and disclose your personal data only for purposes that a reasonable person would consider appropriate in the circumstances. Your data is used strictly to:
- Facilitate secure user authentication and account management via Kinde.
- Process AI agent requests submitted via Telegram and deliver location-aware recommendations where you choose to share your location.
- Process payments and prevent fraudulent transactions via Stripe.
- Power the AI agent's conversational memory and logic via Upstash.
- Store and sync your saved credit card selections across devices via Upstash.
- Analyse aggregated AI agent usage patterns to improve the Service via PostHog.
- Distribute optional product updates or marketing communications via Kit.
- Protect our Service from malicious traffic and ensure platform stability via Cloudflare.
- Host and serve the application securely via Vercel.
We will not use your personal data for any purpose beyond those stated above without first notifying you and, where required, obtaining your consent.
3. AI Data Processing (Google Gemini)
We use the Google Gemini API to power our AI features. The Service uses a third-party merchant classification service (Tavily) to identify merchant categories and improve recommendation accuracy. Your prompts are transmitted to Google for processing. Merchant names derived from your queries, photos, or location may be transmitted to Tavily solely for classification purposes. When using the Telegram bot, your messages pass through Telegram's infrastructure before reaching our Service and Google's API.
- Data Handling: Your prompts are transmitted to Google for processing. As we use the Paid Tier of the Gemini API, Google does not use your data to train its foundational models.
- Storage: Conversation history (last 10 messages) is cached in Upstash and is only accessible via your authenticated account.
- Merchant Classification: When you query a merchant by name, photo, or location, the merchant name may be transmitted to Tavily (a third-party search service) solely to identify the merchant's spending category. No payment information, card details, or account data is transmitted. AI-generated outputs may still be inaccurate, incomplete, or misinterpreted by the model.
- Overseas Transfer: By using the AI features, your prompts are transferred to Google's servers, which may be located outside Singapore. We have ensured comparable protection through Google's Data Processing Addendum. See Section 5 for more details.
4. Data Retention
In accordance with the PDPA's retention limitation obligation, we retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.
- Account data (name, email) is retained for as long as your account remains active, and deleted within 30 days of a verified account deletion request.
- AI conversation history is a rolling cache of your last 10 messages and is automatically overwritten as new interactions occur.
- Saved Cards are retained in Upstash for as long as your account is active and deleted within 30 days of a verified account deletion request.
- Telegram account links (chat ID to account mapping) are retained for as long as your account is active and deleted within 30 days of a verified account deletion request. Your account deletion also removes all associated Telegram keys from our systems.
- Telegram location data is cached temporarily for up to one hour and deleted automatically after your question is answered or the cache expires, whichever comes first.
- Billing records may be retained by Stripe for longer periods as required by financial regulations; we retain only non-sensitive transaction references.
5. Overseas Transfer of Personal Data
Our service providers are located outside Singapore. Under the PDPA's transfer limitation obligation, we take steps to ensure that your personal data transferred overseas is protected to a standard comparable to the PDPA. We achieve this through:
- Contractual data processing agreements (DPAs) with each sub-processor.
- Using processors who are certified under internationally recognised frameworks (e.g. Google, Stripe, Cloudflare, and Vercel maintain ISO 27001 or SOC 2 certifications).
The countries or regions where your data may be processed include the United States and the European Union, depending on the sub-processor.
6. Third-Party Processors
We disclose personal data to the following infrastructure providers solely to facilitate our Service. Each processor is bound by contractual obligations to protect your data:
- Cloudflare: Content delivery, DDoS protection, and WAF security.
- Vercel: Application hosting and serving.
- GitHub: Source code management (no user personal data stored).
- Kinde: User identity and authentication management.
- Stripe: Financial transaction processing.
- Upstash: AI conversation caching and saved card storage, linked to your authenticated account.
- Google: AI processing via Gemini API.
- Tavily: Third-party merchant classification service used to identify the spending category of merchants you query. Only merchant names are transmitted; no personal account or payment data is shared.
- Telegram: Messaging platform used to deliver AI agent access via bot interface. Messages sent via Telegram are transmitted to Telegram's servers before reaching our Service. Telegram's own Privacy Policy applies to data processed on their platform.
- PostHog: Product analytics and AI agent usage tracking.
- Kit: Optional email marketing and communications.
7. Your Rights Under the PDPA
Under the Personal Data Protection Act 2012 (Singapore), you have the right to:
- Access your personal data: Request a copy of the personal data we hold about you.
- Correct your personal data: Request that we correct any inaccurate or incomplete personal data we hold about you.
- Withdraw consent: Withdraw consent for collection, use, or disclosure of your personal data at any time, subject to legal and contractual restrictions. Note that withdrawal may affect our ability to provide the Service to you.
- Data portability: Where technically feasible, request that we transmit your personal data to another organisation in a commonly used machine-readable format (applicable under PDPA Amendment 2021).
To exercise any of the above rights, email our Data Protection Officer at hello@cardmatchly.com. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days in accordance with the PDPA.
Account & Data Deletion: While erasure is not an absolute right under the PDPA (unlike GDPR), we offer full account and data deletion as a courtesy. Email
hello@cardmatchly.com to request deletion. We will process your request within 30 days across all sub-processors where technically feasible.
8. Rights of International Users
In addition to your rights under the PDPA (Section 7), users in certain jurisdictions have additional rights under their local laws. We honour these rights for all eligible users regardless of where our business is based.
Canada (PIPEDA & Quebec Law 25)
If you are located in Canada, your personal data is handled in accordance with the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). You have the right to:
- Access and correct personal data we hold about you.
- Withdraw consent at any time, subject to legal or contractual restrictions.
- Quebec users: Request deletion of your personal data and request that we cease disseminating it, in accordance with Law 25.
- Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or with the Quebec Commission d'accès à l'information (CAI) for Quebec-specific matters.
United States (CCPA, California)
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). Note that these rights typically apply to businesses above certain revenue or data-volume thresholds; as a small operator, we may not currently meet those thresholds. However, we extend these rights to California users as a matter of good practice:
- Right to know: Request disclosure of the categories and specific pieces of personal data we have collected about you.
- Right to delete: Request deletion of personal data we have collected, subject to certain exceptions.
- Right to opt out of sale: We do not sell or share your personal data with third parties for their own marketing purposes.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
Residents of other US states with active privacy laws (Virginia, Colorado, Connecticut, Texas, etc.) may have similar rights. We will endeavour to honour equivalent requests on a good-faith basis.
To exercise any of the rights listed in this section, contact us at
hello@cardmatchly.com with the subject line "Privacy Rights Request: [Your Jurisdiction]". We will respond within 30 calendar days.
9. Data Protection Officer
In accordance with the PDPA, CardMatchly has designated a Data Protection Officer (DPO) responsible for ensuring compliance with our data protection obligations. You may contact our DPO for any queries or concerns regarding the handling of your personal data:
If you are not satisfied with our response, you may contact the Personal Data Protection Commission (PDPC) of Singapore at www.pdpc.gov.sg.
10. Security Practices
We implement industry-standard security measures to protect your personal data, including SSL/TLS encryption for all data in transit, secure environment variables for all third-party API credentials, and access controls limiting data access to authorised personnel only. We do not store sensitive payment information on our own infrastructure.
11. Cookies and Session Storage
We use the following tracking and storage technologies. As Singapore does not have a prescriptive cookie consent regime equivalent to the EU's ePrivacy Directive, we disclose these technologies transparently for your awareness:
- Strictly Necessary Cookies (Cloudflare): Used to protect our Service from malicious traffic and ensure platform stability. These do not store personal identification.
- Session Cookies (Kinde & Stripe): Used to maintain your secure login session and facilitate payment processing.
We do not use local storage for personal data or saved card selections. All such data is stored server-side in Upstash, linked to your authenticated account.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last Updated" date. Your continued use of the Service after such changes constitutes your acknowledgement of the updated policy.