Privacy policy Cardokey illustration with padlock, scales, and legal documents

Privacy Policy – Cardokey™

Version and date of the document: V1.0 of 17/04/2025

Others declaration:

ARTICLE 1 – INTRODUCTION

1.1. Identification of the Data Controller This Privacy Policy is issued by Cardokey™.com, with its registered office at [Full Address of Cardokey™.com], Andorra. Cardokey™.com is responsible for the processing of data collected or processed through the use of its official website https://www.cardokey.com.

1.2. Scope of Application This Privacy Policy applies to all services offered on the website www.cardokey.com. It does not apply to third-party websites, services, or platforms accessible through the Cardokey™.com website. Cardokey™.com is not responsible for the privacy practices of these third-party services.

1.3. Zero Trust & Zero Knowledge Commitment Cardokey™.com offers solutions based on Cardokey™ technology, which operates on a strict Zero Trust & Zero Knowledge framework, ensuring that user data is not accessed, stored, or shared at all.

Cardokey™ products are designed to function without a remote server, a centralized database, the creation of a user account, user identification, and without leaving sensitive digital traces.

All features of Cardokey™ ensure that user data is not stored or transmitted to remote servers. All processing is carried out exclusively locally on the user’s device, without interaction with an external infrastructure.

Notably, Cardokey™ utilizes AES-256 CBC encryption with a patented segmented key system, ensuring advanced data protection.

1.4. Compliance with Regulations Cardokey™.com strives to comply with the strictest international data protection and cybersecurity regulations, taking into account its specific activity. This notably includes the principles of the:

  • General Data Protection Regulation (GDPR – Regulation (EU) 2016/679)
  • Law 15/2003 on the Protection of Personal Data in Andorra, amended by Qualified Law 29/2021

While the Zero Trust & Zero Knowledge operational model limits the direct applicability of certain requirements, Cardokey™.com is committed to maintaining a level of data protection consistent with the highest standards.

1.5. Definitions In this policy, the following terms are defined as follows:

  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Although Cardokey™.com does not systematically collect such data).
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (In the context of Cardokey™.com, this term mainly refers to local and non-persistent processing).
  • Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (Cardokey™.com is the data controller for any data collected during direct interactions).
  • Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (Consent would be required for any collection of personal data during direct interactions).  

ARTICLE 2 – DATA COLLECTION AND PROCESSING

2.1. Lack of Systematic Data Collection Cardokey™.com does not collect, store, share, or sell any personal or technical data from users, except in the case of direct interaction, including for:

  • A contact request via the dedicated form.

The data is only processed within the strict scope of handling the request and is never used for any other purpose.

2.2. Data That May Be Collected If a user voluntarily provides information via the contact form, only the data that is strictly necessary is processed:

  • Identity (surname, first name)
  • Contact details (email address)
  • Content voluntarily submitted in the message

This data is used exclusively to respond to the user’s request and is deleted immediately after processing.

2.3. Data Storage and Security Cardokey™.com applies the highest security standards, in accordance with the principles of the GDPR and Qualified Law 29/2021.

  • Absence of persistent storage: No personal data collected during direct interactions is stored persistently on Cardokey™.com’s servers after the request has been processed.
  • Security of communications: Data exchanges during direct interactions are secured by appropriate protocols.

2.4. Protection of Classified Data and Sensitive Environments Cardokey™ solutions are designed to protect sensitive information and include the use of patented segmented key encryption systems. The use of RSA-4096 asymmetric encryption allows AES-256 CBC keys to be securely managed locally. This mechanism eliminates the risk of key exfiltration and provides advanced protection for locally processed data.

2.5. Storage, Deletion, and Retention of Customer Data The data provided via the contact form is used only to respond to the request and deleted immediately after processing.

2.6. International Data Transfers Cardokey™.com does not transfer any data outside the European Economic Area (EEA) unless an adequate legal framework is applied (Standard Contractual Clauses – SCCs).

2.7. Data Breach Procedure In accordance with Articles 33 and 34 of the GDPR and Qualified Law 29/2021, Cardokey™.com applies a proactive response in the event of an incident:

  • Immediate containment and impact analysis.
  • Notification within 72 hours to the Andorran Data Protection Agency (APDA) if necessary.
  • Informing affected users if a high risk is identified.
  • Post-incident audit to strengthen protection measures.

2.8. Cyber Resilience and Protection Against Disasters and Cyberattacks Cardokey™.com guarantees the integrity and availability of data even in the event of a breakdown, theft, disaster, or massive cyberattack, primarily through the inherent design of Cardokey™ technology.

2.8.1. Encryption and Secure Backup

    • Advanced encryption: AES-256 CBC with keys managed securely.
    • Separation of keys and data: Decryption keys are never stored in a way that compromises the security of the locally processed data within the Cardokey™ ecosystem. AES-256 CBC encryption keys are managed securely within the Cardokey™ hardware or software environment.
    • Encrypted and redundant backups: Users are responsible for their own backups of any locally processed data, and Cardokey™ encourages encrypted and redundant backups on multiple offline and secure media.

2.8.2. Enhanced Protection Against Cyberattacks

    • Ransomware & Over-Encryption: The local nature of Cardokey™ processing and the separation of keys mitigate risks associated with ransomware targeting centralized systems.
    • Advanced Cyberattacks (APT, Zero-Day, Espionage): The Zero Trust & Zero Knowledge architecture and the principles of Cardokey™ technology, including patented segmented key encryption and hardware-based access control, are designed to prevent exfiltration of private keys or sensitive data, even under physical or logical constraint. The combination of AES-256 CBC encryption enhances resilience against advanced attacks.
    • Cloudless resiliency: No dependency on remote servers eliminates the risk of centralized attacks.

2.8.3. Resilience to Physical Disasters and Accidental Losses Cardokey™’s design ensures that access to data relies on locally managed keys. In the event of:

    • Theft or loss of encrypted media: Without the locally managed keys, data remains unusable.
    • Accidental destruction or natural disaster: Users with duplicate backups of their locally processed data can recover it. Cardokey™ encourages users to maintain geographically isolated backups of their encrypted data.

2.9. Non-Disclosure Agreements (NDAs) and Confidentiality of Trade All business relationships with Cardokey™.com involving the exchange of sensitive or confidential information are routinely covered by a Non-Disclosure Agreement (NDA).

  • Strict application: Any information exchanged in the context of partnerships, technical collaborations, or business discussions is protected by legally binding confidentiality clauses.
  • Scope of the NDA: The NDA covers documents, communications, technical exchanges, innovations, internal data, as well as any confidential information transmitted by Cardokey™.com or received from a partner.
  • Penalties for violations: Any unauthorized disclosure of confidential information is subject to contractual and legal penalties that may include legal actions for breach of confidentiality and trade secrets.
  • Term of Protection: Non-disclosure obligations remain in effect even after the end of the contractual relationship, according to the term defined in each agreement.

This clause reinforces Cardokey™.com’s commitment to protect all critical information exchanged in the course of its business, ensuring a strict legal framework against any leakage or compromise.

ARTICLE 3 – USE OF SENSORS AND ACCESS TO LOCATION DATA

Cardokey™ products are designed to operate without requiring access to sensors on user devices for their core functionality of secure key management and authentication. Any potential future integrations that might utilize device sensors will adhere to the following principles:

3.1 These sensors may include: (This list remains as in the original, but with the understanding that Cardokey™’s core function does not inherently require them)

  • GPS (precise location)
  • Wi-Fi and mobile networks (approximate location)
  • Bluetooth (local detection without external transmission)
  • Biometric data (fingerprint, facial recognition)
  • Microphone and camera (only with explicit consent)
  • Environmental sensors (accelerometer, gyroscope, proximity sensors, brightness)
  • Security Modules (NFC, HSM, PGP)

3.2 All data generated by these sensors (if utilized in future integrations):

  • Will remain exclusively on the user’s device and will not be transmitted to a remote server or third-party service under any circumstances.
  • Will not be subject to external or remote storage.
  • Will only be accessible with the explicit consent of the user, especially for sensitive sensors such as microphone and camera.
  • Can be managed by the user, who can change or revoke the permissions granted at any time through their device settings.

3.4 Ensuring that Sensor Data is not used for behavioral tracking purposes Cardokey™.com ensures that any data collected via device sensors (if utilized in future integrations) will never be used for behavioral tracking, targeted advertising, or user profiling. Access to sensors will be strictly limited to essential software features and only after obtaining the user’s explicit consent. No analysis of usage patterns will be carried out on the basis of this data, and it will not be stored or passed on to third parties.

ARTICLE 4 – COMPLIANCE WITH DISTRIBUTION PLATFORMS

The software, applications, and extensions associated with Cardokey™ comply with the requirements of the following platforms:

  • Google Play Console (applications Android)
  • Chrome Web Store (browser extensions)
  • Microsoft Store and Edge Add-ons (Windows apps and browser extensions)
  • Apple macOS and iOS (apps distributed on the App Store)

Cardokey™.com is committed to adhering to the security and privacy policy guidelines imposed by these platforms. The Zero Trust & Zero Knowledge architecture is guaranteed so that no user data is collected, transmitted, or stored beyond the user’s device. There is no integration with third-party services to mitigate the risks associated with tracking or collecting personal data. The requirements of each platform are regularly reviewed to ensure continuous compliance with changes in the applicable regulations.

SECTION 5 – NON-DISCRIMINATION CLAUSE (CCPA COMPLIANCE)

In accordance with the provisions of the California Consumer Privacy Act (CCPA), Cardokey™.com guarantees that users will not be discriminated against in exercising their rights regarding the protection of personal data.

No restrictions or limitations will be applied to users wishing to exercise their rights, in particular with regard to:

  • Access to their personal data (related to any voluntary submissions).
  • Rectification of inaccurate or incomplete information (related to any voluntary submissions).
  • Deletion of data provided voluntarily.
  • Objecting to or restricting the processing of their data (related to any voluntary submissions).

Cardokey™.com undertakes not to apply additional fees or changes in access to features in response to a request to exercise rights by a user. Any user wishing to assert their rights may contact Cardokey™.com directly using the contact details provided in this Privacy Policy. In accordance with the CCPA, the exercise of personal data protection rights (access, deletion, opposition) will not result in any modification, restriction, or degradation of the services offered by Cardokey™.com.

ARTICLE 6 – NO PROFILING AND FINGERPRINTING

6.1. Absence of Profiling and Automated Decisions Cardokey™.com does not carry out any profiling, behavioral tracking, or automated decision-making affecting users.

  • No user activity analysis is performed.
  • No artificial intelligence algorithm is used to classify users.
  • No mechanism for personalizing services based on user data is put in place.

6.2. Absence of Fingerprinting Cardokey™.com guarantees that no form of fingerprinting is used on its website. No tracking, device identification, or behavioral profiling is implemented. The operation of the website is exclusively local and offline, ensuring that no user data is recorded, stored, or traced. The underlying Cardokey™ technology is designed to function without creating sensitive digital traces.

ARTICLE 7 – COMPLIANCE WITH DUAL-USE REGULATIONS

7.1. Export Regulations and Authorization Cardokey™.com strictly enforces regulations for the management and export of cybersecurity technologies, including for encryption products classified as dual-use civil and military, where applicable.

DataShielder NFC HSM™ products, which may be integrated or related to Cardokey™ solutions, have received an import authorization into France from the Principality of Andorra, validated on December 7, 2024, via the company AMG Pro, in accordance with Decree No. 2001-1192 of December 13, 2001, amended by Decree No. 2024-95 of February 8, 2024.

This authorization was obtained after submission of the file to the ANSSI, which, in accordance with its mission to verify compliance with regulatory requirements, did not refuse within the time limits provided for by the legislation in force.

Since February 7, 2025, DataShielder NFC HSM™ products are also authorized for re-export from France to the Member States of the European Union, in compliance with Regulation (EU) 2021/821 of May 20, 2021, on dual-use items.

7.2. Reference Texts This authorization is issued pursuant to the following texts:

  • Decree No. 2001-1192 of 13 December 2001, amended by the Decree of 8 February 2024, on the control of the export and transfer of dual-use goods and technologies.
  • Regulation (EU) 2021/821 of 20 May 2021 establishing an export control regime for dual-use items.

7.3. Audit Commitment Cardokey™.com is committed to ensuring regular compliance audits, where applicable to its specific activities and products, to ensure continued adherence to legal and regulatory requirements. These internal audits are carried out periodically in accordance with the regulatory requirements in force.

ARTICLE 8 – CERTIFICATIONS AND AUDITS

8.1. No Cloud Certification Requirement Cardokey™.com does not require SOC 2 or ISO 27001 certifications specific to cloud infrastructures, as no remote servers are used for the core data processing or storage within the Cardokey™ technology.

The products are designed with a strong emphasis on local processing and minimal external connectivity, ensuring significant isolation of user data from any external network infrastructure. This architecture influences the relevance of certain audits normally applied to connected systems.

8.2. Safety Audit and Quality Control A strong emphasis on safety and quality control is applied throughout the value chain, from product design to manufacturing. All audits conducted are aimed at ensuring the resilience, tamper-proof nature, and data leak prevention of Cardokey™ systems.

In addition to internal checks to ensure product functionality, Cardokey™.com applies enhanced controls on payment management and financial transaction protection, where applicable to its operations. Access to financial systems is strictly limited to authorized personnel to limit internal risks.

ARTICLE 9 – DATA PROTECTION OFFICER (DPO)

9.1. Appointment of the DPO In accordance with the requirements of the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and other applicable regulations, Cardokey™.com has appointed a Data Protection Officer (DPO) responsible for ensuring the company’s compliance with the protection of personal data.

The DPO of Cardokey™.com is: Name: [Name of DPO or DPO Service] Position: [Title of DPO or DPO Service] Contact: [Email Address of DPO]

9.2. Missions of the DPO Cardokey™.com’s DPO carries out several essential missions, including:

  • Ensuring that data processing complies with applicable regulations (GDPR, Qualified Law 29/2021, etc.).
  • Informing and advising Cardokey™.com on its data protection obligations.
  • Monitoring the application of the security and data protection policies put in place.
  • Responding to users’ requests regarding their rights (access, rectification, deletion, objection, etc.).
  • Liaising with data protection authorities, including the Andorran Data Protection Agency and relevant European or international authorities.

9.3. Contact and Complaints Any user wishing to obtain information on the management of their personal data or to exercise their rights may contact Cardokey™.com’s DPO at the following address: Email: [Email Address of DPO] Mailing address: [Name of Cardokey™.com] [Full Address of Cardokey™.com] Andorra

If no response is provided within 30 days, the user may refer the matter directly to the Andorran Data Protection Agency (APDA) for non-compliance with the legal obligation to respond within 30 days.

ARTICLE 10 – SPECIFIC REQUIREMENTS FOR DISTRIBUTION PLATFORMS

10.1. Google Play Console (Android) Cardokey™ apps do not collect, store, or transmit any personal data for their core functionality. Some Android permissions (e.g., NFC, storage, camera, if used for specific features) are used only to enable product functionality and are not exploited for third-party purposes. No data is shared with third parties, and all core operations are performed locally on the user’s device, in accordance with Google Play’s privacy policies.

10.1.1. Compliance with Google Play Policies Regarding Sensitive Data and Permissions Cardokey™ applications requiring access to sensitive Android features (NFC, storage, camera, microphone, GPS, SMS, RCS, MMS – note: Cardokey™’s core function minimizes the need for many of these) comply with the following requirements:

    • Express consent: No permissions are enabled by default. The user must manually enable them through their device settings.
    • Seamless Use: Access to these features is strictly limited to the essential needs of the app, and the data generated remains exclusively on the device.
    • No abuse of permissions: Cardokey™.com never asks for access to superfluous features and respects Google Play’s transparency policy.

10.1.2. Data protection and local storage All data related to Cardokey™’s core functionality remains strictly stored on the user’s device and can only be accessed by the app itself. No user data related to Cardokey™’s core function is stored on external servers or shared with third parties.

10.2 – Chrome Web Store (Chrome Extensions) Cardokey™ extensions do not collect or share any user data for their primary functions. They may use localStorage to temporarily store local information that is necessary for the extension to function properly. No hidden tracking, no transmission of data to third parties, and no unjustified access to cookies or browsing history are carried out.

10.2.1 Using Local Storage Cardokey™ extensions exclusively use the localStorage and Web Storage API to temporarily store settings necessary for their proper functioning. These data:

    • Are never transmitted to remote servers.
    • Are accessible only to the user and only in the context of the extension.
    • Settings saved locally via localStorage and Web Storage do not contain any personal or sensitive data related to the core Cardokey™ functionality.
    • Users can manually clear saved local data via a “Delete Data” option built into the extension, if applicable.

10.3. Microsoft Store & Edge Add-ons (Windows) Cardokey™ apps and extensions comply with Microsoft’s privacy policy standards. If an application accesses local files (e.g., secure storage of encryption keys), these files remain isolated and are never shared with third-party services. Cardokey™.com guarantees that there will be no hidden fingerprinting or tracking, in accordance with Microsoft Store policies.

10.3.1. Local File Access Protection (Windows) Some Cardokey™ applications may require access to local files to encrypt, protect, or authenticate sensitive data locally. These files:

    • Are never forwarded to a remote server.
    • Remain exclusively stored and processed on the user’s device.
    • Are only accessible to locally installed applications with the user’s consent.

10.4. Apple App Store (macOS & iOS) Cardokey™ apps do not track users, collect any data for advertising profiling, or transmit any information outside of the device for their core functions. If an app accesses iOS/macOS sensors (e.g., NFC, microphone, GPS, if used for specific features), this use is strictly limited to essential and user-controllable features. If third-party APIs are used (e.g., payment via Apple Pay, if applicable), their impact on user data complies with Apple’s requirements and is fully transparent to the user.

10.4.1. Compliance with App Tracking Transparency (ATT) Policy Cardokey™.com warrants that it does not use advertising IDs or user tracking tools for marketing or advertising purposes within its core Cardokey™ functionality. In accordance with Apple guidelines:

    • No user data is collected for profiling or advertising targeting related to the core Cardokey™ function.
    • There is no integration with third-party advertising or analytics services for the core Cardokey™ function.
    • No use of Apple ID (IDFA) to track user activity on other apps for the core Cardokey™ function.
    • Cardokey™ does not collect or share any location data in the background or without the user’s explicit consent (if location services are ever integrated for specific, user-initiated features).
    • Apps do not transmit any data off the device unless the user voluntarily performs an action that requires data exchange (e.g., sharing a public key, if applicable).

ARTICLE 11 – COMPLIANCE WITH ANDORRAN DATA PROTECTION LEGISLATION

11.1. Application of Andorran Laws Cardokey™.com, as a company registered in the Principality of Andorra, is subject to local data protection regulations, including:

  • Qualified Law 15/2003 of 18 December 2003 on the Protection of Personal Data
  • Qualified Law 29/2021 of 28 October 2021, which aligns Andorra with the principles of the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679)

These laws guarantee a data protection framework equivalent to European standards, recognized as adequate by the European Union in accordance with Article 45 of the GDPR.

ARTICLE 12 – COMPLIANCE PRINCIPLES AND DATA SECURITY

12.1. Privacy by Design Cardokey™.com integrates data protection into the design of its website and services, in accordance with the principles of privacy by design and privacy by default. The underlying Cardokey™ technology is inherently designed with these principles in mind, operating without reliance on centralized data storage or user identification.

12.2. No Data Storage In accordance with the Zero Trust & Zero Knowledge approach, Cardokey™.com does not store or process any personal data persistently. Cardokey™ products are engineered to function without needing to retain sensitive digital information after use, aligning with the principle of leaving no sensitive digital traces.

12.3. Adoption of Enhanced Security Measures Cardokey™.com implements advanced security measures to ensure data protection and prevent breaches. This includes the core design of Cardokey™ products, which utilize AES-256 CBC encryption with a patented segmented key system to protect data locally, without the risks associated with centralized storage or transmission.

12.6. Strict Access Control and Mitigation of Internal Risks

12.6.1 Access Security and Systematic Encryption Cardokey™.com applies advanced authentication and encryption protocols to ensure that all digital access and media are protected against any intrusion or theft attempts. The Cardokey™ technology itself embodies this through its local operation and patented encryption methods.

12.7 – Data Breach Management: In the event of a hardware compromise or attempted security breach affecting Cardokey™.com’s infrastructure, incident response procedures are carried out proactively. While Cardokey™ products are designed to minimize the risk of exploitable data due to their architecture, Cardokey™.com remains vigilant. In the event that a security incident concerns a customer or partner, Cardokey™.com undertakes to inform them as soon as possible, in accordance with the requirements of the applicable data protection regulations.

ARTICLE 13 – RIGHTS OF USERS UNDER ANDORRAN LEGISLATION PRIVACY POLICY

In accordance with Articles 16 to 21 of Law 29/2021, users have the following rights, aligned with the GDPR and Andorran legislation:

  • Right of Access: To verify what information has been provided voluntarily and processed.
  • Right to Rectification: To correct any inaccurate or incomplete data.
  • Right to object: Contest the use of their data.
  • Right to Deletion (Right to be Forgotten): To demand the permanent deletion of their data.
  • Right to Portability: Receive their data in a readable format (new obligation reinforced by Law 29/2021).
  • Right to Restriction of Processing: Restrict the processing of certain information.

13.1. Processing Time for Requests Cardokey™.com guarantees that any request to exercise rights will be processed within a maximum period of 30 days, except in exceptional circumstances requiring a justified extension of up to 60 days. Requests can be sent by e-mail to: contact [ at ] https://www.google.com/search?q=cardokey.com or dpo [ at ] https://www.google.com/search?q=cardokey.com

ARTICLE 14 – RECOURSE IN THE EVENT OF A DISPUTE

If a user believes that their rights have not been respected, they may file a complaint with the Andorran Data Protection Agency (APDA), the competent supervisory authority in Andorra.

14.1. Complaints Procedure In accordance with Article 25 of Law 29/2021, any person who considers that the processing of their data has been carried out in violation of the applicable laws may:

  • Refer the matter to the Andorran Data Protection Agency (APDA) for an administrative investigation. APDA Contact: https://www.apda.ad
  • To lodge an appeal with the competent courts in Andorra in order to obtain compensation for the damage suffered.

Cardokey™.com is committed to cooperating fully with data protection authorities in the event of an investigation.

ARTICLE 15 – CHANGES TO THE PRIVACY POLICY

15.1. Commitment to update Cardokey™.com undertakes to update this policy in the event of legislative or regulatory changes affecting data protection. Any changes will be published explicitly on the official Cardokey™.com website.

15.2. Frequency and transparency of updates Cardokey™.com will regularly review and update this privacy policy as needed. Any significant changes will be clearly indicated on the website.

As Cardokey™ technology evolves, updates may be released for any associated software or applications. A dedicated updates page will be maintained, explicitly detailing:

  • The changes made.
  • Security improvements.
  • Any vulnerabilities identified and corrected.

The complete version history Cardokey™ of Freemindtronic software, applications and extensions can be found here: Freemindtronic Version History

15.3. Notification of Users Users who wish to be notified of updates by email must make an express request by providing their email address to Cardokey™.com.

15.4. Information in the event of changes to the functionalities In the event of changes to functionalities involving data processing (though the core principles of Cardokey™ aim to minimize this), Cardokey™.com undertakes to inform users:

  • By notification on the official website.
  • Via any applications concerned.

ARTICLE 16 – CONTACT DETAILS

Privacy Policy Cardokey™

Email : contact [ at ] Cardokey.com
Téléphone : +376 804 500