Privacy Policy
Effective: January 1, 2025 · Last updated: January 1, 2025
Perk.Cards operates the Card Intelligence Engine — a platform that collects, processes, and publishes credit card product data through automated crawling and AI-powered extraction. This Privacy Policy explains what data we collect, why we collect it, and how we protect it.
1. Data We Collect
1.1 Credit Card Product Data (Publicly Available)
We automatically crawl publicly available pages on bank and financial institution websites to collect information about credit card products including fees, reward rates, lounge access, and eligibility criteria. This data is sourced from publicly accessible webpages only. We do not scrape data that requires authentication or involves any personal cardholder information.
1.2 API Usage Data
When you use our public API, we may log: IP address and approximate geographic region, timestamp and endpoint accessed, request parameters, response codes and latency, and User-Agent string. We do not require registration for public endpoints. No personally identifiable information is required.
1.3 User Feedback
When you submit feedback about card data accuracy, we collect the card ID, feedback type and text, an optional anonymous identifier, and submission timestamp. Feedback is used solely to improve data accuracy.
1.4 Data We Do NOT Collect
We do not collect personal financial information, credit scores, cardholder names, card numbers, transaction history, email addresses (unless you contact us directly), cookies on public pages, or data from authenticated bank portals.
2. How We Use Data
We use data to publish accurate card product information, perform AI-powered data extraction and validation, prevent API abuse, improve data accuracy from user feedback, and monitor system health. We never sell, rent, or trade data.
3. AI Processing
We use Claude (Anthropic's AI) to extract structured card data from raw webpage HTML. This processing involves sending scraped text content to Anthropic's API for structured extraction. No personal data is sent to Anthropic — only publicly available card product text. Anthropic's data handling is governed by their own Privacy Policy.
4. Data Retention
Published card data is retained indefinitely and updated when sources change. Raw HTML snapshots are retained for 90 days then archived. API request logs (info/debug) are retained 30 days, warnings 90 days, and error/audit trails 1 year. User feedback is retained 2 years or until actioned.
5. Data Sharing
We do not sell, rent, or trade any data. We may share data with: Anthropic (for AI extraction — card text only, no personal data), Vercel (our hosting platform), our database provider (encrypted at rest), and law enforcement only if required by valid legal process.
6. Data Security
All data is encrypted in transit (TLS 1.3) and at rest. Admin panel access requires a strong shared secret and is rate-limited. Session tokens are derived HMAC values — raw secrets are never stored in cookies. All admin actions are recorded in an immutable change log. Inbound webhooks are verified with HMAC-SHA256 signatures.
7. Your Rights
Depending on your jurisdiction, you may have rights to access data we hold about you, request deletion of personal data, object to processing, and receive a copy of your data in a portable format. Contact us at privacy@perk.cards. We respond within 30 days.
8. Cookies
Our public pages do not use tracking cookies, advertising cookies, or third-party analytics scripts. The admin panel sets a single admin_session cookie — an HTTP-only, secure, SameSite=Strict session authentication token. This cookie expires after 8 hours and is never used for tracking.
9. Children
The Card Intelligence Engine is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children.
10. Changes
We may update this Privacy Policy. Material changes will be noted at the top of this page with a revised effective date. Continued use of our services after changes constitutes acceptance.