Privacy Policy
Last updated: 26 June 2026
This Privacy Policy explains how Atlas Mint Ltd (“CardFactory”, “we”, “us”) collects, uses, shares, and protects personal data when you visit cardfactory.ai (the “Website”) or use app.cardfactory.ai (the “Service”). We are the data controller for the processing described here.
1. Who we are
The controller responsible for your personal data is:
Atlas Mint Ltd
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Registered in England and Wales, company number 15730771
Email: [email protected]
We have not appointed a statutory Data Protection Officer, as we are not legally required to. For any privacy matter, contact us at the address above.
EU representative (Art. 27 EU GDPR)
As we are established in the United Kingdom and offer the Service to people in the European Economic Area, we have appointed a representative in the EU under Article 27 of the EU GDPR. You may contact our EU representative on any matter relating to the processing of personal data of individuals in the EEA:
Oleg Dovydenko
Email: [email protected]
2. Data we collect
Account & profile data
When you register, we collect your name, email address, a hashed password, your interface language, and an optional avatar. We store your authentication sessions, including the IP address and browser user-agent used, for security and audit purposes.
Workspace & usage data
We process the workspaces (“brands”) you create, your team members and their roles, your settings, and records of how you use the Service (e.g. generation tasks, credit ledger entries, support messages).
Customer Content
We process the content you upload or create — product catalogs, descriptions, brand information, images and other assets, design templates, and the outputs generated from them. Most of this is business data, but it may contain personal data if you choose to include it. For Customer Content, you act as the controller and we act as your processor (see our Data Processing Agreement).
Billing data
Paid plans are handled by our payment processor (currently Stripe). We receive and store billing details such as your name, email, plan, country, the card brand and last four digits, and transaction history. We never receive or store full card numbers.
Technical & website data
We automatically collect technical data such as IP address, device and browser information, referring pages, timestamps, and server/error logs. On the Website we also use analytics and marketing technologies — see Cookies & tracking.
3. How & why we use data — and our legal bases
Under the UK GDPR and the Data Protection Act 2018 (and, where we offer the Service to people in the EEA, the EU GDPR) we rely on the following legal bases (Art. 6(1)):
- To provide the Service and your account — performance of our contract with you (Art. 6(1)(b)).
- To process payments, credits and subscriptions — performance of contract and compliance with legal (e.g. tax/accounting) obligations (Art. 6(1)(b),(c)).
- To secure the Service, prevent fraud and abuse, debug and improve reliability — our legitimate interests (Art. 6(1)(f)).
- To measure and improve the Website and Service — your consent for non-essential analytics cookies, and our legitimate interest in aggregated, privacy-preserving statistics (Art. 6(1)(a),(f)).
- For marketing and advertising measurement — your consent (Art. 6(1)(a)).
- To comply with legal obligations and respond to lawful requests — legal obligation (Art. 6(1)(c)).
We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you.
4. AI processing & your content
The Service generates images, copy and SEO using third-party AI providers. Two commitments apply:
- We do not use your Customer Content to train AI models, and we select providers whose terms mean your content is not used to train their models (for example, data submitted via the OpenAI API is not used for training by default).
- We send only the task content needed for generation. When we call an AI provider, we transmit the relevant instructions and data required to perform the task (e.g. a product description or template). We do not transmit your account identity and the provider does not receive a link to your account — unless you yourself include identifying information directly in the content or prompts you write.
We use a small number of established AI providers as processors acting on our behalf (for example, OpenAI for text and image generation, and PhotoRoom for image processing). We can provide the current list of these providers on request at [email protected].
5. Cookies & tracking
We use cookies and similar technologies. Strictly necessary cookies (for sign-in, security and remembering your consent choice) are always active. We only set analytics, preference and marketing technologies after you consent via our cookie banner, which you can change at any time using the “Cookie settings” link in the footer.
Google Consent Mode v2
Where we use Google services, we operate Google Consent Mode v2: by default all storage and advertising signals are set to denied, and they are only updated to granted for the categories you allow.
Technologies we use
| Category | Examples / providers | Purpose |
|---|---|---|
| Strictly necessary | Session & authentication cookies; consent record; language preference | Keep you signed in, secure the Service, remember your settings and consent |
| Statistics | Google Analytics; privacy-friendly server-side analytics | Understand how the Website and Service are used so we can improve them |
| Marketing | Meta (Facebook) Pixel; Google advertising tags | Measure campaign effectiveness and show more relevant ads |
Some of these are activated only if and when we enable them; in each case they remain gated behind your consent. Where server-side analytics is used, we configure it to minimise personal data and avoid cross-site tracking.
6. Sharing & disclosure
We do not sell your personal data, and we do not share it with third parties for their own independent purposes. We do share data with:
- Service providers (processors) who process data on our behalf and under our instructions to operate the Service. By category, these are: cloud hosting and storage, payment processing, AI generation, transactional email, and CDN/security providers. We can provide the current list of these providers, and the safeguards that apply, on request — see the Contact section below.
- Authorities where required by law or in response to a valid, lawful request (e.g. a court order or competent authority request). We may also restrict or suspend a specific account in such cases.
- Successors in connection with a merger, acquisition or sale of assets, subject to this Policy.
7. International transfers
Our application data — including your account, Customer Content and generated outputs — is hosted in the European Union (Germany). As a UK-based controller, our use of EEA hosting relies on the UK’s adequacy regulations for the EEA. Some of our processors are located outside the UK and EEA (e.g. in the United States). Where personal data is transferred to a country without adequate protection, we rely on appropriate safeguards — primarily the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses (and the EU SCCs themselves for EEA data subjects), or, where the importer is certified, the UK Extension to the EU–US Data Privacy Framework — and on UK or EU adequacy decisions where they apply.
8. Retention
We keep personal data for as long as your account is active and as needed to provide the Service. After account closure we delete or anonymise personal data within a reasonable period, except where we must retain certain records to comply with legal obligations (for example, invoices and accounting records under UK law, which generally require retention for six years), to resolve disputes, or to enforce our agreements. Backups are purged on a rolling schedule.
9. Your rights (UK/EEA)
If you are in the UK or EEA, you have the right to:
- access your personal data and obtain a copy;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing, including processing based on legitimate interests;
- data portability;
- withdraw consent at any time (without affecting prior processing); and
- lodge a complaint with a supervisory authority.
To exercise any right, email [email protected]. Our supervisory authority is the UK Information Commissioner’s Office (ICO) (ico.org.uk). If you are in the EEA, you may also lodge a complaint with the data protection authority in your country of residence.
10. US state privacy rights
Depending on your US state of residence (e.g. California under the CCPA/CPRA), you may have the right to know, access, correct and delete your personal information, and to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. We do not sell personal information for money. However, our use of advertising technologies (such as the Meta Pixel) may be considered “sharing” under some laws.
Do Not Sell or Share My Personal Information: you can opt out by declining or disabling the “Marketing” category in our cookie banner (“Cookie settings” in the footer). We also honor the Global Privacy Control (GPC) browser signal where applicable. We will not discriminate against you for exercising your rights.
11. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS), access controls and role-based permissions, network protection (firewall, WAF/CDN), and least-privilege practices. No method of transmission or storage is completely secure, but we work to protect your data and to notify you and the authorities of a personal data breach where legally required.
12. Children
The Service is intended for business use by people aged 18 or older. It is not directed to children, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. We will post the new version here with an updated “Last updated” date and, for material changes, take reasonable steps to notify you.
14. Contact
Questions or requests? Email [email protected] or write to us at our registered address above.