Effective Date: November 10, 2024
Last Updated: May 3, 2026
Version: 2.1
1. Introduction
This Privacy Policy explains how Card-Y Holdings Inc. ("Card-Y", "we", "us", "our") collects, uses, stores, and protects your personal information when you use our services.
Card-Y Holdings Inc. operates this service through its affiliates and authorized partners.
Arabic Translation: An Arabic translation of this policy may be provided for convenience; however, the English version shall prevail in case of any conflict.
By using Card-Y, you consent to the practices described in this policy.
Beta Platform Notice
During beta phases, certain features may experience reduced reliability. We continue to apply our security and data-protection standards to all data regardless of feature status.
2. Information We Collect
Personal Identification Information
We collect personal information during registration and KYC (Know Your Customer) onboarding, including but not limited to:
Full Name: Legal first and last name
Date of Birth: For age verification and compliance
Email Address: For account communications
Phone Number: For SMS verification and notifications
Physical Address: Current residential address
Government-Issued ID: Passport, national ID, or driver's license
Identification Documents: Copies uploaded during KYC verification
Selfie/Biometric Data: Facial recognition for identity verification
IP Address: For security and fraud prevention
Device Information: Device type, operating system, browser
Financial Information
Bank Account Details: For withdrawals and deposits (Egypt)
Transaction History: All deposits, withdrawals, transfers, and card transactions
Card Details: Virtual/physical card numbers, expiration dates, CVV
Cryptocurrency Wallet Addresses: USDC wallet on Solana blockchain
Payment Method Information: Payment provider payment details
Balance Information: Real-time account and wallet balances
Global Accounts Additional Information
For users with Global Accounts, we collect:
Bridge Customer ID: Unique identifier from Bridge
Routing and Account Numbers: For USD/EUR virtual accounts
ACH/Wire Transfer Details: Sender information, amounts, dates
USDC Wallet Data: Public addresses, transaction hashes
KYC Status with Bridge: Verification level and endorsements
Referral Program Information
Referral Code: Your unique referral identifier
Referral Network: Users who signed up using your code
Referral Earnings: Reward amounts and payment history
Tier Status: Current referral tier and progression
Automatically Collected Information
Usage Data: Pages visited, features used, time spent
Location Data: Approximate location based on IP address
Cookies and Tracking: Session cookies, analytics cookies
Login History: Timestamps, locations, devices
Error Logs: Technical errors and debugging information
This information helps us verify identity, manage accounts, ensure service security, and comply with regulatory requirements.
3. How We Use Your Information
Primary Uses
Your information is used to provide our services, including:
Account Management: Creating and maintaining your CARD-Y account
Issuing Virtual Cards: Processing card applications and issuance
Global Account Setup: Creating USD/EUR virtual accounts via Bridge
USDC Wallet Management: Stablecoin custody and transactions
Processing Transactions: Handling deposits, withdrawals, transfers
Performing Currency Conversions: EGP to USD exchanges
Referral Rewards: Tracking and distributing referral earnings
Customer Support: Responding to inquiries and resolving issues
Compliance and Security Uses
Identity Verification: KYC and anti-money laundering (AML) compliance
Fraud Prevention: Detecting and preventing fraudulent activity
Regulatory Compliance: Meeting legal obligations (FinCEN, OFAC, etc.)
Risk Management: Assessing and managing financial risks
Tax Reporting: Issuing 1099 forms and other tax documents
Legal Requirements: Responding to court orders and government requests
Communications
Transactional Emails: Account notifications, transaction confirmations
Security Alerts: Suspicious activity, password changes, login attempts
Service Updates: Feature launches, maintenance notifications
Marketing Communications: Promotional offers, referral program updates (opt-out available)
Regulatory Notices: Terms of Service changes, policy updates
Analytics and Improvement
Service Enhancement: Improving features and user experience
Usage Analytics: Understanding how users interact with the platform
Performance Monitoring: System uptime and reliability tracking
A/B Testing: Testing new features with user subsets
Customer Insights: Aggregated data for business decisions
4. Information Sharing and Third-Party Disclosure
Our Service Providers
Card-Y shares information with regulated third-party service providers necessary to deliver our services:
U.S. Banking and Card Partners
Our U.S. banking partner and card-issuing provider jointly handle your virtual account and card data.
Banking Provider
Purpose: Global Accounts, USDC wallets, banking infrastructure
Information Shared: Complete KYC information, transaction history, account balances
Data Location: United States
Regulation: Licensed money transmitter
Cards provider
Purpose: Virtual and physical card issuance
Information Shared: KYC information, transaction data, spending activity
Data Location: United States
Regulation: Payment card industry certified
Card Network: Mastercard and/or Visa network
Payment Gateway(s)
Purpose: To allow our customers to deposit funds and/or receive funds on their behalf
Information Shared:
Name and email for transaction processing
Payment method details
Transaction amounts and timestamps
Data Location: Egypt, US, Europe
Regulation: Regulatory bodies in each respective jurisdiction
Banking Partners
Your USD/EUR funds may be held at FDIC-insured banks partnered with our service provider:
Information shared per banking regulations
Subject to each bank's privacy policies
May include KYC information and transaction data
Data processed for compliance and account management
Blockchain Disclosure
USDC transactions occur on the Solana public blockchain:
Wallet addresses are public and permanently recorded
Transaction amounts and timestamps are public
Blockchain data cannot be deleted or modified
Anyone can view transactions associated with your wallet address
We do not control blockchain data retention
Regulatory and Legal Sharing
We may share information with:
Government Agencies: FinCEN, IRS, OFAC, CBE (Central Bank of Egypt)
Law Enforcement: Police, FBI, Interpol (with valid legal process)
Courts: In response to subpoenas, court orders, legal proceedings
Regulators: Financial services regulators as required
Tax Authorities: For 1099 reporting and tax compliance
Business Transfers
In the event of a merger, acquisition, or sale of assets:
Your information may be transferred to acquiring entity
You will be notified 30 days before transfer
New entity must honor this Privacy Policy
You may close account before transfer
Aggregated Data Sharing
We may share anonymized, aggregated data for:
Industry research and benchmarking
Public reporting (e.g., "X users in Egypt")
Partnership discussions
Marketing purposes
Important: We take reasonable steps to ensure aggregated and de-identified data cannot reasonably be used to identify individuals.
What We Never Share
CARD-Y will never:
Sell your personal information to third parties for monetary consideration as 'sale' is defined under applicable law.
Share data for third-party marketing without consent
Share more data than necessary for stated purpose
5. International Data Transfers
Cross-Border Data Flows
CARD-Y operates internationally, resulting in data transfers:
Egypt → United States
For Egyptian Users: If you are located in Egypt, your data will be transferred to and processed in the United States where different data-protection laws may apply. This transfer is necessary to provide our services through our U.S. partners.
Data transferred to Banking and Cards service providers (U.S.-based)
Data stored on U.S. cloud infrastructure
Subject to U.S. legal framework and government access requests
Egypt → Europe
EUR Global Account data may be processed in EU
Subject to GDPR where applicable
Adequacy determinations or standard contractual clauses used
Egypt → Other Countries
Transaction routing may involve other jurisdictions
Currency conversion partners in various countries
Banking network intermediaries
Transfer Mechanisms
We use legally approved data transfer mechanisms:
Standard Contractual Clauses (EU-approved)
Adequate Protections per local law requirements
Your Consent to international transfers
Data Subject Rights
Regardless of location, you have rights to:
Access your personal information
Correct inaccurate information
Request deletion (subject to legal retention)
Object to processing in certain circumstances
Data portability (receive copy of your data)
Contact [email protected] to exercise these rights.
6. Data Security
Security Measures
We implement reasonable security measures to protect user data:
Technical Safeguards
Encryption at Rest: industry-standard encryption (AES-256 or equivalent) for stored data
Encryption in Transit: Secure HTTPS connections for all communications
Encrypted Fields: Routing numbers, account numbers, passwords
Password Protection: Industry-standard password hashing
Key Management: Secure key storage and rotation
Access Controls
Role-Based Access: Employees access only necessary data
Two-Factor Authentication: Required for admin access
Audit Logging: All data access logged and monitored
Background Checks: Employee screening and vetting
NDA Requirements: Confidentiality agreements for staff
Infrastructure Security
Firewalls: Network-level protection
DDoS Protection: Enterprise-grade attack prevention
Intrusion Detection: Real-time threat monitoring
Vulnerability Scanning: Regular security assessments
Penetration Testing: We engage independent third parties to assess our security controls on a periodic basis
Secure Hosting: Enterprise cloud infrastructure with security compliance
Application Security
Input Validation: Protection against injection attacks
Cross-Site Protection: Security tokens prevent unauthorized requests
Script Prevention: Output encoding and sanitization
Rate Limiting: API and login attempt restrictions
Session Management: Secure session handling and expiry
Data Breach Response
In the event of a security breach:
Regulatory Reporting: Notification to applicable authorities
Remediation Actions: Immediate steps to contain breach
User Guidance: Instructions to protect your account
Limitations
However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for:
Maintaining password confidentiality
Securing your devices
Monitoring account activity
Reporting suspicious activity promptly
7. Data Retention
Retention Periods
We retain financial transaction records for the period required by applicable financial-services and tax laws, which is generally several years following the transaction or account closure. KYC and AML records are retained for the period required by anti-money-laundering laws applicable to our service providers and us. Other records are retained as long as necessary for the purposes described in this Policy or as required by law.
Deletion Procedures
Upon account closure or retention expiration:
Personal data securely deleted or anonymized
Encrypted data keys destroyed (rendering data unreadable)
Physical document destruction per data destruction policy
Aggregated/anonymized data may be retained indefinitely
Legal Holds
Retention periods are extended if:
Ongoing investigation or litigation
Regulatory request or audit
Suspected fraud or violation
Dispute with user
You will be notified if your data is subject to legal hold.
8. Your Rights and Choices
Access and Correction
You have the right to:
Access: Request copy of your personal information
Correct: Update inaccurate or incomplete information
Export: Download transaction history and account data
How to Exercise: Log into your account or contact [email protected]
Data Deletion
You may request deletion of your personal information, subject to:
Legal Retention: Cannot delete data we are required to retain under applicable law.
Account Closure: Must close account before deletion request
Pending Transactions: Complete all transactions first
Blockchain Data: Cannot delete public blockchain records
Fraud Investigations: Cannot delete data subject to investigation
Deletion Timeline: Within 30 days of verification of your request
How to Request: Email [email protected] with subject "Data Deletion Request"
Marketing Communications
You can opt out of marketing emails:
Unsubscribe Link: Click link in any marketing email
Account Settings: Manage preferences in app
Email Request: Send to [email protected]
Important: You cannot opt out of:
Transactional emails (receipts, security alerts)
Legal notices (Terms updates, policy changes)
Service communications (downtime, maintenance)
Do Not Track
Our website does not respond to browser Do Not Track signals. We use cookies for essential functionality and analytics.
Cookie Management
You can control cookies through:
Browser Settings: Block or delete cookies
Essential Cookies: Cannot be disabled (required for service)
Analytics Cookies: Can be disabled (affects our insights)
Third-Party Cookies: Managed by third parties (e.g., Google Analytics)
California Privacy Rights (CCPA)
California residents have additional rights:
Right to Know: What information we collect and why
Right to Delete: Request deletion of your information
Right to Opt-Out: Of sale of personal information (we don't sell)
Non-Discrimination: No penalty for exercising rights
California Requests: Email [email protected] with subject "CCPA Request"
European Privacy Rights (GDPR)
EU/EEA residents have additional rights:
Right to Access: Receive copy of your data
Right to Rectification: Correct inaccurate data
Right to Erasure: Request deletion ("right to be forgotten")
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Receive data in machine-readable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent
GDPR Requests: Email [email protected] with subject "GDPR Request"
Response Timeline
Identity Verification: We may request proof of identity (1-3 days)
Request Processing: 30 days from verification (may extend to 60 days if complex)
Fee: Generally free, but may charge for excessive/repetitive requests
9. Children's Privacy (COPPA Compliance)
Age Requirement
CARD-Y services are not intended for anyone under 18 years of age.
Minimum Age: Users must be 18+ years old
No Collection from Minors: We do not knowingly collect data from persons under 18
Parental Consent: Not applicable (service restricted to adults)
If We Discover Minor's Data
If we learn we have collected information from someone under 18:
Immediate Deletion: Data deleted promptly upon discovery
Account Closure: Account permanently closed
Parent Notification: Notification sent if contact information available
Refund: We will return any remaining balances in accordance with applicable law.
Report Underage User: Email [email protected] with subject "Underage User Report"
10. Cookies and Tracking Technologies
Types of Cookies We Use
Essential Cookies (Cannot Disable)
Session Cookies: Maintain login session
Security Cookies: CSRF protection, authentication
Load Balancing: Route requests to servers
Functional Cookies (Can Disable)
Preferences: Language, currency, display settings
Remember Me: Keep you logged in across sessions
Analytics Cookies (Can Disable)
Google Analytics: Track usage patterns and page views
Mixpanel: User behavior analytics
Custom Analytics: Internal usage tracking
Third-Party Tracking
We use third-party services that may track you:
Google Analytics: Subject to Google Privacy Policy
Cloudflare: DDoS protection and CDN
AWS CloudFront: Content delivery
Cookie Lifespan
Session Cookies: Deleted when you close browser
Persistent Cookies: 1 year maximum
Analytics Cookies: Up to 2 years
Managing Cookies
You can control cookies via:
Browser Settings: Chrome, Firefox, Safari all allow cookie management
Opt-Out Tools: Browser plugins like Privacy Badger
Analytics Opt-Out: Google Analytics Opt-Out
Warning: Disabling essential cookies will prevent you from using CARD-Y services.
11. Changes to Privacy Policy
Right to Modify
We reserve the right to modify this Privacy Policy at any time. Continued use of our services following any modifications indicates acceptance of the updated Privacy Policy.
Notification of Changes
We will notify you of material changes through:
Email Notification: Sent to registered email (30 days advance notice)
In-App Notification: Alert displayed upon login
Website Banner: Notice on homepage
Updated Date: "Last Updated" date at top of policy
Material Changes
Changes considered material include:
New categories of personal information collected
New third-party data sharing
Changes to data retention periods
Reduction in user rights
Changes to international transfers
User Options
Upon notification of material changes:
Accept: Continue using services
Reject: Close account within 30 days
No Penalty: Account closure before effective date avoids new policy
Non-Material Changes
Minor updates (corrections, clarifications) become effective immediately upon posting.
12. Contact Us
12.1 Privacy Inquiries
For questions or concerns about this Privacy Policy:
Email: [email protected]
Subject Line: Include "Privacy Inquiry" for faster routing
Response Time: 48-72 business hours
12.2 Data Subject Requests
To exercise your rights (access, deletion, correction):
Email: [email protected]
Subject Line: Include request type (e.g., "Data Access Request", "GDPR Request", "CCPA Request")
Include: Full name, email address, account ID (if available)
Verification: We may request proof of identity
12.3 Data Protection Officer
For GDPR-related inquiries:
Email: [email protected]
EU Representative: (If applicable, to be designated)
12.4 Security Incident Reports
To report security vulnerabilities or breaches:
Email: [email protected]
Subject Line: "Security Report"
Response: Acknowledged within 24 hours
12.5 Mailing Address
Card-Y Holdings Inc. 254 Chapman Rd, Ste 208 #17786 Newark, DE 19702 United States
12.6 Regulatory Complaints and Escalation
If unsatisfied with our response, you may file complaints with:
Data Protection Officer: [email protected] (first level escalation)
Central Bank of Egypt: For financial services complaints (Egyptian users)
Delaware Attorney General: Consumer Protection Division
Federal Trade Commission (FTC): For U.S. privacy issues
EU Data Protection Authorities: For GDPR issues (EU residents)
Egyptian Users - Escalation Path: If you believe your data has been misused, you may escalate to our Data Protection Officer or directly to the Central Bank of Egypt's consumer protection division.
BY USING CARD-Y SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.
Document Information:
Policy ID: PRIVACY-2.1