How we collect, use, and protect your data.

Your privacy is a top priority at Substantive AI, Inc., the company behind Punchcard ("Punchcard", "we", "us", "our"). We are committed to protecting your personal information and being transparent about how we use it. We appreciate your trust and know that our business depends on earning it.

This website and application collect some Personal Data from its users.

This Privacy Policy applies to your use of our website and services.

The purpose is to explain how we collect, use, store, share, retain, transfer, and process your Personal Information.

We may amend this policy from time to time. We encourage you to review this policy periodically, as changes will be posted on this page. If we make any material changes to this policy, we will provide a prominent notice.

This is a short overview of the most important points in this policy. Each item is expanded in the sections below.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

The personal information we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use.

The personal information we collect may include: names, email addresses, phone numbers, mailing addresses, job titles, usernames, passwords, contact preferences, contact or authentication data, and billing addresses.

Information automatically collected: when you visit, use, or navigate the Services, we may automatically collect IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services.

This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

We use personal information collected via our Services for a variety of business purposes described below.

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law — like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. This includes encryption in transit and at rest, role-based access control, vulnerability scanning, and regular third-party audits of our security posture.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

We may share your information with vendors, consultants, and other service providers (collectively, "third parties") that need access to such information to carry out work on our behalf and that are contractually bound to keep your data confidential.

In some regions (like the EEA, UK, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure, (iii) to restrict the processing of your personal information, and (iv) if applicable, to data portability.

You can review, change, or terminate your account at any time. If you have questions or comments about your privacy rights, you may email us at privacy@punchcard.com.

Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information.

We will take all necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law.

Updates to this notice: we may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this policy.

We do not knowingly collect data from or market to children under 16 years of age. If we learn that personal information from users less than 16 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records.

If you have questions or comments about this notice, you may email us at privacy@punchcard.com or contact us by post at:

Substantive AI, Inc. Attn: Privacy United States