Who We Are
CardBuilder Pro ("we", "us", "our") is a software-as-a-service platform for designing and distributing custom Home Assistant dashboard cards. The service is operated by CardBuilder Pro and is accessible at cardbuilder.pro.
For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), CardBuilder Pro is the data controller for the personal data described in this Privacy Policy.
If you have any questions about how we handle your data, please contact us at privacy@cardbuilder.pro.
Data We Collect
We collect the following categories of personal data when you use CardBuilder Pro:
Account Data
- Email address (used for account creation, login, and communications)
- Username or display name
- Password hash (passwords are hashed with bcrypt and never stored in plain text)
- Account creation date and last login timestamp
Home Assistant Instance Data
- Instance identifier (fingerprint hash — never your IP or HA URL)
- Integration version and configuration flags
- Active license information linked to the instance
Card & Marketplace Data
- Cards you create, publish, or download
- Marketplace upload metadata (title, description, tags, category)
- Download activity linked to your account
- Card version history and snapshot data (Pro Cloud only)
Billing Data
- Subscription status and plan type
- Payment transaction identifiers (provided by our payment processor)
- We do not store card numbers, bank details, or full payment data
Technical & Usage Data
- Server-side logs (request timestamps, error logs)
- Browser type and language preference
- Referral URL when signing up
How We Use Your Data
We use your personal data only for the following purposes:
Legal Basis for Processing (GDPR)
Under the GDPR, we rely on the following legal bases for processing your personal data:
- Processing your account data, instance fingerprints, and card data is necessary to deliver the service you signed up for.
- Server-side logging, fraud prevention, and aggregated usage analytics are based on our legitimate interest in maintaining a secure, functioning service.
- Billing records are retained as required by applicable tax and accounting law.
- Marketing communications and non-essential cookies are used only where we ask for your explicit consent and provide a clear opt-out.
Data Retention
We retain your personal data for as long as necessary to provide the service and comply with our legal obligations.
Active account data is retained for the lifetime of your account. If you delete your account, we will remove your personal data within 30 days, except where we are required by law to retain certain records (e.g. billing records, which are kept for 7 years in accordance with accounting obligations).
Card data you have published to the marketplace may be retained in anonymised form even after account deletion, as other users may have downloaded those cards.
Server log data is retained for a maximum of 90 days for security and debugging purposes.
Third Parties & Data Sharing
We do not sell your personal data. We share it only with the following categories of processors:
Payment processor
We use Stripe, Inc. to process payments. Stripe acts as an independent data controller for payment data. Please refer to Stripe's Privacy Policy for details.
Cloud hosting
Our infrastructure is hosted on cloud providers within the European Union or with appropriate safeguards (Standard Contractual Clauses) in place.
Transactional email
We use a third-party email delivery service to send transactional emails. Only your email address and message content are shared with them.
Legal authorities
We may disclose your data to law enforcement or other authorities if required by applicable law or to protect the rights, property, or safety of CardBuilder Pro, its users, or the public.
We enter into Data Processing Agreements with all processors that handle personal data on our behalf.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
Right of access
You may request a copy of the personal data we hold about you.
Right to rectification
You may request correction of inaccurate or incomplete data.
Right to erasure
You may request deletion of your personal data, subject to legal retention obligations.
Right to restrict processing
You may request that we limit how we use your data in certain circumstances.
Right to data portability
You may request a machine-readable export of your personal data.
Right to object
You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@cardbuilder.pro. We will respond within 30 days. You also have the right to lodge a complaint with your national Data Protection Authority.
Security
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
Passwords are hashed using bcrypt and are never stored in plain text. All data in transit is encrypted using TLS. Access to production systems is restricted to authorised personnel.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or by posting a prominent notice on the CardBuilder Pro website.
The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the service after changes take effect constitutes acceptance of the revised policy.
Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us at: