Privacy Policy
Effective: January 1, 2025 · Last updated: January 1, 2025
Perk.Cards operates the Card Intelligence Engine — a platform that collects, processes, and publishes credit card product data through automated crawling and AI-powered extraction. This Privacy Policy explains what data we collect, why we collect it, and how we protect it.
1. Data We Collect
1.1 Credit Card Product Data (Publicly Available)
We automatically crawl publicly available pages on bank and financial institution websites to collect information about credit card products including fees, reward rates, lounge access, and eligibility criteria. This data is sourced from publicly accessible webpages only. We do not scrape data that requires authentication or involves any personal cardholder information.
1.2 API Usage Data
When you use our public API, we may log: IP address and approximate geographic region, timestamp and endpoint accessed, request parameters, response codes and latency, and User-Agent string. We do not require registration for public endpoints. No personally identifiable information is required.
1.3 User Feedback
When you submit feedback about card data accuracy, we collect the card ID, feedback type and text, an optional anonymous identifier, and submission timestamp. Feedback is used solely to improve data accuracy.
1.4 Lead / Callback Requests
When you submit the "Get a callback" form on a card page, we collect: your name, mobile number (verified via SMS OTP from MSG91), email, city, monthly income range, employment type, and the card you enquired about. Submitting the form requires your explicit consent (a) to be contacted by Perk.Cards and the issuing bank, and (b) to share your details with the bank for application processing. We store the IP hash, user-agent, and UTM parameters for fraud-prevention and attribution. PAN is optional; we never ask for full card numbers, OTPs received from banks, or net-banking credentials.
1.5 Data We Do NOT Collect
We do not collect personal financial information, credit scores, card numbers, transaction history, banking OTPs, net-banking credentials, cookies on public pages, or data from authenticated bank portals.
2. How We Use Data
We use data to publish accurate card product information, perform AI-powered data extraction and validation, prevent API abuse, improve data accuracy from user feedback, and monitor system health. We never sell, rent, or trade data.
3. AI Processing
We use Claude (Anthropic's AI) to extract structured card data from raw webpage HTML. This processing involves sending scraped text content to Anthropic's API for structured extraction. No personal data is sent to Anthropic — only publicly available card product text. Anthropic's data handling is governed by their own Privacy Policy.
4. Data Retention
Published card data is retained indefinitely and updated when sources change. Raw HTML snapshots are retained for 90 days then archived. API request logs (info/debug) are retained 30 days, warnings 90 days, and error/audit trails 1 year. User feedback is retained 2 years or until actioned.
5. Data Sharing
We do not sell, rent, or trade any data. We may share data with: Anthropic (for AI extraction — card text only, no personal data), MSG91 (for sending SMS OTP to your phone — mobile number only), Brevo (for transactional email — name + email + lead context), Cloudflare Turnstile (for bot-detection on forms — no PII), the issuing bank or its authorised partner network that you consented to share details with (full lead record), Vercel (our hosting platform), our database provider (encrypted at rest), and law enforcement only if required by valid legal process. We never sell your data to advertisers or unrelated third parties.
6. Data Security
All data is encrypted in transit (TLS 1.3) and at rest. Admin panel access requires a strong shared secret and is rate-limited. Session tokens are derived HMAC values — raw secrets are never stored in cookies. All admin actions are recorded in an immutable change log. Inbound webhooks are verified with HMAC-SHA256 signatures.
7. Your Rights (Including under India's DPDP Act 2023)
You have the right to: (a) access the personal data we hold about you, (b) correct inaccurate data, (c) request erasure of your personal data (we will anonymise your lead records — a short audit trail is retained for legal & billing reconciliation), (d) withdraw consent and stop further sharing with partners, (e) nominate someone to exercise these rights on your behalf, and (f) lodge a complaint with the Data Protection Board of India. To delete your lead-form data instantly, visit /data-deletion — we verify your identity with an SMS OTP and anonymise matching records on the spot. For other requests, contact privacy@perk.cards; we respond within 30 days.
8. Cookies
Our public pages do not use tracking cookies, advertising cookies, or third-party analytics scripts. The admin panel sets a single admin_session cookie — an HTTP-only, secure, SameSite=Strict session authentication token. This cookie expires after 8 hours and is never used for tracking.
9. Children
The Card Intelligence Engine is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children.
10. Changes
We may update this Privacy Policy. Material changes will be noted at the top of this page with a revised effective date. Continued use of our services after changes constitutes acceptance.