Privacy policy

Last updated: May 23, 2026

What data we collect

Cardheist collects only what's needed to run the site and provide you with a usable account.

  • Account — email address, hashed password (if you set one), verification status, optional marketing consent, and an optional display name used in mail salutations.
  • Social-login identities — if you sign in via Google or Facebook, we store the provider's user ID and the email and name they return. We never receive or store your social password. You can unlink any provider under Account → Connected accounts.
  • Sessions — IP address and user-agent at login, session token cookie.
  • Affiliate clicks — server-side log entry per click (timestamp + product), no personal data, no third-party cookies. Only logged after you accept Functional cookies.
  • Analytics — anonymised, aggregated page views. Opt-in.

Where your data lives

  • Postgres database — Hetzner Cloud, Falkenstein, Germany (EU).
  • Email delivery — Brevo (sendinblue.com), France (EU). Used to send verification mails, password resets, and (if you opt in) deal alerts. Brevo signs an EU-standard DPA and processes only what's needed to deliver the email.

How long we keep it

  • Account — until you delete it.
  • Active sessions — until you sign out, or 30 days of inactivity.
  • Server logs — 90 days, then auto-rotated.
  • Affiliate clicks — 24 months for commission reconciliation.

Your rights

Under GDPR you can exercise the following rights from your account page (or by emailing us):

  • Access — download a JSON export of everything we hold about you under Account → Download your data.
  • Rectification — change name, email, password, or marketing consent under Account.
  • Deletion — wipe your account and all associated data under Account → Delete account. A confirmation email is sent.
  • Objection / Withdrawal — turn off marketing emails any time under Account → Email preferences.
  • Portability — the data export is in machine-readable JSON.
  • Complaint — you can lodge a complaint with the Danish Data Protection Authority (Datatilsynet).

Cookies

Cardheist.com uses cookies in four categories. You choose which categories you accept on your first visit. You can change your mind any time via the button at the bottom of the page.

  • Strictly necessary — login session, CSRF protection, your cookie consent. Always set; the site won't work without them.
  • Functional — affiliate-click logs (hashed IP, no personal data) so retailer partners can attribute commissions correctly. Opt-in.
  • Statistics — anonymised page-level statistics. No personal data, no third parties. Opt-in.
  • Marketing — ads (e.g. Google AdSense) and affiliate networks may set third-party cookies if you accept. Opt-in.

Affiliate links

When you click a link to a retailer, we may receive a small commission. The retailer knows you came from Cardheist.com but does not receive your identity. If you've accepted marketing cookies, affiliate networks and the retailer may set their own cookies on their domain to measure whether your click led to a purchase.

Contact

Questions about our privacy policy? Write to privacy@cardheist.com — we reply within 5 working days.