Privacy Policy

Last updated: April 15, 2026

Dacard, Inc. ("Dacard", "we", "us", "our") operates the Dacard product operations diagnostic at dacard.ai and app.dacard.ai (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over your data. It applies whether you access the Service as a visitor, a trial user, a paid customer, or a member of a customer account.

We designed the Service to minimize the personal data we need. We score publicly available product and team signals. Most of what we process is either public information about your company or operational metadata you choose to connect. We aim to meet the General Data Protection Regulation (GDPR, EU and UK), the California Consumer Privacy Act as amended by the CPRA (CCPA), and Canada's Anti-Spam Legislation (CASL) and Personal Information Protection and Electronic Documents Act (PIPEDA).

1. Data controller and contact

Dacard, Inc. is the data controller for information processed through the Service. Our office is in Vancouver, British Columbia, Canada. You can reach us at privacy@dacard.ai. For EU or UK matters, the same address serves as our point of contact. We do not currently have a designated Data Protection Officer; privacy questions go directly to the team that handles them.

2. Information we collect

Account information. When you sign up, we collect your name, email address, and (optionally) your role and company. If you pay for the Service, we also collect billing information processed by Stripe; we do not see or store your full card number.

Product data you submit. URLs you ask us to score, context you add to a scoring session, comments and notes you leave on reports, and any integrations you connect (for example GitHub, Linear, Figma, Attio). For connected integrations, we receive the data the integration is configured to share.

Publicly available information. For scoring, we fetch the public pages at the URL you submit and may perform supplementary web searches (up to 15 cited sources per score). We do not access login-gated, paywalled, or private content.

Usage information. If you accept analytics cookies, we collect product usage events such as pages viewed, features clicked, and funnel progression. If you decline, we do not collect these events.

Device and log information. Our servers automatically record IP address, browser type, referring URL, and request timestamps. We use this for security, rate limiting, and debugging.

3. How we use your information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Generate product operations diagnostics and coaching content for your account.
  • Process payments and administer subscriptions.
  • Send transactional email (sign-in, receipts, score-ready notifications, security alerts).
  • Send product update email to account owners. You can opt out at any time using the unsubscribe link in every email.
  • Improve the Service through aggregated, de-identified analytics.
  • Detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
  • Comply with legal obligations and enforce our Terms of Service.

4. Legal bases (GDPR and UK GDPR)

We process personal data under the following legal bases:

  • Contract. To provide the Service you have asked for.
  • Legitimate interests. To secure the Service, prevent abuse, improve quality, and communicate about features.
  • Consent. For analytics and error-tracking cookies and for marketing email to non-customers.
  • Legal obligation. To respond to lawful requests and keep required records.

5. Subprocessors we share data with

We rely on the following third parties to operate the Service. Each processes personal data on our behalf under a data processing agreement.

  • Clerk (user authentication)
  • Stripe (payments and billing)
  • Turso (database hosting)
  • Vercel (web hosting and CDN)
  • Resend (transactional email)
  • Anthropic (LLM inference for scoring and coaching)
  • PostHog (product analytics, consent required)
  • Sentry (error tracking, consent required)

If you connect an integration (GitHub, Linear, Figma, Attio, and others), that vendor is a separate data controller for the data you choose to share with us. We use their data only to score the account you connect it to.

We do not sell personal information and have not done so in the prior 12 months.

6. International data transfers

We are based in Canada. Several subprocessors process data in the United States. Where we move personal data out of the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses or equivalent mechanisms.

7. Data retention

We keep personal data only as long as we need it for the purposes described above. Defaults:

  • Raw scoring inputs and results. 24 months from the date of the scoring event.
  • Account data after deletion request. 30 days, after which we purge it from production systems. Backups roll off within 60 days.
  • Billing records. As long as required by Canadian and applicable tax law (typically 6 to 7 years).
  • Aggregated, de-identified telemetry. Retained indefinitely to inform product improvement; contains no information that can be traced back to an individual.

8. Your rights

Depending on where you live, you may have the following rights over your personal data. We honor these rights regardless of your location, subject to verification.

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to fix inaccurate or incomplete information.
  • Deletion. Ask us to erase your personal data. We may retain limited data where we have a legal obligation or legitimate interest (for example, tax records).
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection and restriction. Ask us to stop or limit specific processing.
  • Opt out of sale or sharing (CCPA). We do not sell or share personal information for cross-context behavioral advertising.
  • Withdraw consent. If we rely on consent, you can withdraw it at any time.
  • Lodge a complaint. You can complain to your local data protection authority. For Canadians, that is the Office of the Privacy Commissioner of Canada. For the EU, it is the supervisory authority in your country of residence.

To exercise any of these rights, email privacy@dacard.ai. We will respond within 30 days (45 for CCPA requests with notice).

9. CASL and marketing email

Under Canadian anti-spam law, we only send commercial email with your express or implied consent. Every marketing email includes an unsubscribe link and our mailing address. Transactional email (receipts, security alerts, score-ready notifications) is sent regardless of marketing consent because it is necessary to operate your account.

10. Security

We protect personal data with TLS in transit, encryption at rest on all production databases, principle-of-least-privilege access controls, multi-factor authentication for administrators, and continuous vulnerability monitoring. No system is perfectly secure; we will notify affected users and regulators as required if we learn of a data breach that is likely to result in harm.

11. Children

The Service is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@dacard.ai and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the current version. If we make material changes, we will notify you by email or in-product notice before they take effect.

13. Contact

Dacard, Inc., Vancouver, BC, Canada.

Email: privacy@dacard.ai