Security & Data Protection

Your financial data security is our top priority. Here's how we protect your information.

Our Security Commitment

We never ask for or store your credit card numbers, CVV codes, or banking credentials.

Card Curator uses bank-level encryption and industry-standard security practices to protect the information you do provide - like which cards you have and their points balances.

What We Never Collect
  • Credit card numbers
  • CVV codes or expiration dates
  • Bank account numbers or routing numbers
  • Online banking passwords or credentials
  • Social Security numbers
  • Transaction history from your bank

You manually enter card information - we never connect to your bank accounts or pull financial data automatically.

Our Security Measures

256-Bit SSL Encryption

All data transmitted between your browser and our servers is encrypted using 256-bit SSL/TLS encryption - the same standard used by banks and financial institutions.

You can verify our SSL certificate by clicking the padlock icon in your browser's address bar.

Encrypted Database Storage

All data stored in our database is encrypted at rest. Even if someone gained unauthorized access to our servers, they couldn't read your information without the encryption keys.

We use MongoDB Atlas with encryption-at-rest enabled, hosted on secure cloud infrastructure.

Secure Password Storage

Your password is never stored in plain text. We use bcrypt hashing with salt - a one-way function, which means even we can't see your password.

If you forget your password, we can't recover it - you'll need to reset it via email. This is a security feature, not a limitation.

Limited Employee Access

Only essential technical staff have access to production systems, and access is logged and audited.

No employee can view your password. Customer support can only see non-sensitive information like your email address and card list.

Automatic Session Timeouts

For your protection, sessions automatically expire after a period of inactivity. This prevents unauthorized access if you forget to log out.

You can manually log out anytime from the account menu.

Regular Security Audits

We regularly review our codebase for security vulnerabilities and keep all dependencies up to date with the latest security patches.

Our infrastructure is monitored 24/7 for suspicious activity and potential security threats.

Third-Party Services

Services we use and how they protect your data

AI Provider (Anthropic)

We use Anthropic's Claude AI for our chat assistant. When you use the chat, your messages are processed by Anthropic under their privacy policy and enterprise data protection terms. Anthropic does not use customer data to train their models.

Hosting (Vercel)

Our application is hosted on Vercel's secure infrastructure with automatic SSL, DDoS protection, and global CDN delivery.

Database (MongoDB Atlas)

We use MongoDB Atlas with encryption at rest, network isolation, and regular automated backups. Atlas is SOC 2 Type II certified.

Merchant Data (Google Places API)

When you search for merchants, we use Google Places API to find and categorize businesses. Google does not receive your personal information - only the merchant name you're searching for.

Your Role in Security

Help us keep your account secure:

  • Use a strong, unique password (not used on other sites)
  • Don't share your password with anyone
  • Log out when using shared or public computers
  • Be cautious of phishing emails - we'll never ask for your password via email
  • Keep your email account secure (it's used for password resets)
  • Report any suspicious activity immediately

Compliance & Standards

GDPR Compliance: We comply with the EU General Data Protection Regulation. EU users have rights to access, rectify, erase, and port their data.

CCPA Compliance: California residents have rights under the California Consumer Privacy Act to know what data we collect and request deletion.

Data Retention: We retain your data only as long as your account is active. When you delete your account, we remove your data within 30 days.

Data Breach Policy

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours
  • Provide clear information about what data was affected
  • Offer guidance on protective measures you should take
  • Report the breach to relevant authorities as required by law

To date, Card Curator has never experienced a data breach.

Questions About Security?

If you have security questions or want to report a vulnerability, please contact us.

General security questions: info@cardcurator.ai

Report a vulnerability: info@cardcurator.ai