Privacy Policy
Effective Date: January 23, 2025 | Last Updated: January 23, 2025
1. Introduction
Card Hero Inc. ("Card Hero," "we," "our," or "us") operates a marketing analytics platform that helps businesses manage and optimize their advertising campaigns across multiple platforms including Meta (Facebook/Instagram), Google Ads, and TikTok Ads.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at cardhero.fun and related services (collectively, the "Service").
By using Card Hero, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Password (stored in encrypted/hashed form only)
- Company/business name (optional)
2.2 Data from Meta (Facebook/Instagram)
When you connect your Meta Ads account, we request the following permissions and access the corresponding data:
| Permission | Data Accessed | Purpose |
| --- | --- | --- |
| ads_read | Campaign names, ad sets, ads, performance metrics (spend, impressions, clicks, conversions, ROAS) | Display your advertising performance in dashboards |
| ads_management | Ability to read and modify campaign settings | Enable campaign optimization features (pause/resume, budget adjustments) |
| business_management | Business account and ad account associations | Identify and connect your ad accounts |
We do NOT access: Your personal Facebook profile, friends list, posts, messages, photos, or any data unrelated to advertising.
2.3 Data from Google Ads
When you connect Google Ads, we access campaign, ad group, ad, and performance data through the Google Ads API for the same purposes as above.
2.4 Data from TikTok Ads
When you connect TikTok Ads, we access campaign and performance data through the TikTok Marketing API for the same purposes as above.
2.5 Usage Data
We automatically collect:
- Log data (IP address, browser type, pages visited, timestamps)
- Device information (device type, operating system)
- Actions taken within our platform
3. How We Use Your Information
We use the collected information solely to:
- Provide, maintain, and improve our Service
- Display your advertising performance data in unified dashboards
- Generate analytics, insights, and optimization recommendations for YOUR campaigns
- Execute campaign changes you request (budget adjustments, pause/resume)
- Send service-related communications (alerts, updates)
- Respond to your support requests
- Detect and prevent fraud or abuse of our Service
- Comply with legal obligations
Important: We do NOT use your advertising data to:
- Build advertising profiles about you or your customers
- Sell or license your data to third parties
- Use your data for our own advertising purposes
- Share your data with data brokers
- Combine your data with other users' data for any purpose other than aggregated, anonymized analytics
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information or advertising data.
We may share information only in these limited circumstances:
- Service Providers: With carefully selected vendors who assist in operating our platform (cloud hosting, infrastructure), who are bound by strict confidentiality agreements and prohibited from using your data for any other purpose
- Legal Requirements: When required by law, court order, or government request, or to protect our legal rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you
- With Your Explicit Consent: When you specifically authorize sharing
We never share your Meta, Google, or TikTok advertising data with third parties for their own business purposes.
5. Meta Platform Data Use
Our use of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies, including:
- We only request permissions necessary to provide our Service
- We do not sell Meta data or use it for purposes unrelated to our Service
- We do not use Meta data to build or augment user profiles for advertising
- We do not transfer Meta data to any ad network, data broker, or other advertising service
- We delete Meta data when you disconnect your account or request deletion
- We maintain appropriate security measures to protect Meta data
6. Data Security
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in Transit: All data transmitted using TLS 1.2 or higher (HTTPS)
- Encryption at Rest: Sensitive data encrypted in our databases
- Secure Token Storage: API access tokens stored encrypted, never in plain text
- Access Controls: Role-based access, principle of least privilege
- Authentication: Secure password hashing (bcrypt), JWT tokens
- Infrastructure: Hosted on secure, SOC 2 compliant cloud providers
- Monitoring: Security logging and anomaly detection
However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Data Retention
We retain your data as follows:
| Data Type | Retention Period |
| --- | --- |
| Account information | Until you delete your account |
| Advertising performance data | Rolling 90 days, or until disconnection |
| API access tokens | Until disconnection or expiration |
| Usage logs | 90 days |
8. Data Deletion
How to Delete Your Data
You can delete your data at any time through the following methods:
- In-App: Go to Settings → Account → Delete Account
- Disconnect Platform: Settings → Connected Accounts → Disconnect
- Email Request: Send deletion request to privacy@cardhero.fun
What Happens When You Delete/Disconnect:
- Immediate: API access tokens are revoked; we can no longer access your ad platform data
- Within 24 hours: Your cached advertising data is queued for deletion
- Within 30 days: All your data is permanently deleted from our systems and backups
Facebook Data Deletion Callback
When you remove Card Hero from your Facebook settings, we receive a deletion callback and automatically delete all data associated with your Meta ad accounts within 30 days.
Data Deletion Callback URL: https://cardhero.fun/api/auth/oauth/meta/deauthorize
9. Your Rights
Depending on your location, you have the following rights regarding your data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data
- Portability: Request your data in a machine-readable format
- Withdraw Consent: Disconnect platforms or delete your account at any time
- Object: Object to certain processing activities
- Restrict: Request restriction of processing
To exercise these rights, contact us at privacy@cardhero.fun. We will respond within 30 days.
10. California Privacy Rights (CCPA/CPRA)
California residents have additional rights:
- Right to Know: What personal information is collected, used, and shared
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt-out of the sale of personal information (we do not sell your data)
- Right to Non-Discrimination: Equal service regardless of exercising privacy rights
- Right to Correct: Request correction of inaccurate information
To exercise these rights, email privacy@cardhero.fun with subject "CCPA Request".
11. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), UK, or Switzerland:
- Legal Basis: We process data based on your consent (connecting ad accounts) and legitimate interests (providing the Service)
- Data Transfers: Data may be transferred to the United States where our servers are located, protected by standard contractual clauses
- Supervisory Authority: You have the right to lodge a complaint with your local data protection authority
12. Third-Party Links
Our Service integrates with and links to third-party platforms:
We are not responsible for the privacy practices of these third parties. We encourage you to review their policies.
13. Children's Privacy
Our Service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe we have collected data from a child, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email or in-app notification for significant changes
- We may require you to re-acknowledge the policy for major changes
Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
We aim to respond to all inquiries within 30 days.