Privacy Policy
1. Data controller
Bindex, Paris, France. Contact: privacy@getbindex.io.
2. Data we collect
2.1 Provided by you
- Email address — account creation, communication (basis: contract performance)
- Password (hashed with PBKDF2-SHA256) — authentication
- Portfolio data (cards, purchase prices) — portfolio feature
- Watchlist — watchlist feature
2.2 Collected automatically
- Scan images — card identification (processed in real time, not permanently stored unless debug mode is on, in which case retained 7 days max for quality improvement)
- Monthly scan count — quota management
- Technical info (OS, app version) — debugging, compatibility (basis: legitimate interest)
- IP address (server logs) — security, abuse prevention (basis: legitimate interest)
2.3 Data we do NOT collect
- Geolocation data
- Phone contacts
- Advertising identifier (IDFA / GAID)
- Banking or credit card data (handled by Apple / Google)
3. Purposes
We process your data exclusively to: provide the service (account, portfolio, watchlist, scanner), manage quotas, manage subscriptions through RevenueCat, improve the service via anonymized analytics, ensure security, and send service-related notifications.
4. Legal basis (GDPR)
- Contract performance (Art. 6.1.b) — for data required to operate the service
- Legitimate interest (Art. 6.1.f) — for security and product improvement
- Consent (Art. 6.1.a) — for any marketing communication, when applicable
5. Data sharing
We share your data only with the following processors:
- Railway (server hosting, USA) — all service data
- RevenueCat (subscription management, USA) — user identifier, subscription status
- Third-party market data aggregator (EU) — anonymous price queries only (no personal data)
- Apple / Google (subscription billing, USA) — transaction identifier
We never sell your personal data. We never share data for advertising purposes.
6. Transfers outside the EU
Some data is transferred to the United States (Railway, RevenueCat). These transfers are protected by Standard Contractual Clauses (SCC) of the European Commission and the EU-US Data Privacy Framework where applicable, in accordance with Article 46 GDPR.
7. Retention
- User account: until deletion
- Portfolio data: until account deletion
- Scan images: real-time only, not permanently stored (7 days max in debug mode for quality improvement)
- Server logs (IP): 12 months
- Subscription data: subscription duration + 3 years (legal obligation)
After account deletion, all personal data is erased within 30 days, except data we are legally required to retain.
8. Your rights (GDPR)
- Right of access (Art. 15)
- Right of rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to portability (Art. 20)
- Right to object (Art. 21)
Account deletion is available directly in the app (Profile > Delete my account). For other requests, email privacy@getbindex.io with subject "GDPR rights request". We respond within 30 days.
If you believe your rights are not being respected, you may file a complaint with the CNIL: www.cnil.fr.
9. Local storage and cookies
The mobile app uses secure device storage (Expo SecureStore) for the JWT auth token and local preferences. The mobile app does not use traditional cookies and includes no advertising or tracking SDKs (no Facebook SDK, no Google Analytics, no IDFA / GAID).
10. Security
- Password hashing (PBKDF2-SHA256)
- Encrypted communication (HTTPS / TLS)
- JWT authentication with expiration
- Restricted database access
- Regular security updates
11. Minors
The app is intended for users aged 13 and up. We do not knowingly collect data from children under 13. For users 13–16, parental consent is required per Article 8 GDPR.
12. Changes
We may update this policy. For material changes, we will notify you via the app at least 15 days before the new version takes effect.
13. Contact
- Email: privacy@getbindex.io
- Postal: Bindex, Paris, France
- CNIL: www.cnil.fr