Effective Date: November 9, 2020

We take your privacy very seriously. We will not sell, lease, or exchange your personal data to, or otherwise share your personal data with, third parties in ways other than described in this Privacy Policy.

This Privacy Policy covers the collection, use, and disclosure of Personal Data/Personally Identifiable Information (as defined by applicable law and hereinafter collectively referred to as “Personal Data”) when visitors and Customers (collectively “Users”) access the arcard.co website, its subdomains and/or the Harvest Cards mobile application (hereinafter referred to as the “Platform”).

The Platform is owned and operated by Lightstrike LLC, a Washington limited liability company (the “Company”) with offices in the United States. Company collects Personal Data from its Users around the world and processes, transfers and stores data within the United States. By choosing to use the Platform, Users consent to the collection, use and disclosure practices identified in this Privacy Policy.

The terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, which is accessible at arcard.co/terms-and-conditions, unless otherwise defined in this Privacy Policy.

1. What Information Is Collected by Company And How Is It Used?

Email Addresses

Company utilizes email to better facilitate communication regarding custom message creation and delivery. By providing their email to the Company, Users subscribe to receive additional information via email regarding products and services. Users may unsubscribe at any time through the opt-out link contained within those communications.

Physical Addresses

Company collects physical addresses to fulfill orders that include a physical card. By providing a physical address to the Company, Users acknowledge Company will utilize this address to complete product orders and may send other communications related to the Sites and Platform to this physical address.

2. Is Information Collected By Or Disclosed To Third Parties?

Company does not sell, trade, rent, or lease Personal Data to any third parties. Company utilizes and shares Personal Data with the following data processors:

Analytics Data 

• Google Analytics: Company uses Google Analytics as a web analytics tool to track user behavior on its websites. Google Analytics collects anonymized information in accordance with its Privacy Policy. If you do not want Google Analytics to track your behavior on the Platform, you may opt-out by installing Google Analytics Opt-out Browser Add-on.
• MixPanel: Company utilizes MixPanel for tracking user-driven events in its mobile application. MixPanel collects information in accordance with its MixPanel Privacy Policy. You can opt-out of MixPanel’s automatic retention of data collected by sending an email to legal@arcard.co.

Hosting Services

Personal Data collected is shared with its website hosting partners, Hasura and Netlify, to facilitate its cloud hosting services. Customers should click on the hyperlinks of those third party services for more information about their data collection and privacy policies.

Managed Email Services

Company utilizes Klaviyo to send transactional emails and assist in customizing its email marketing campaigns to its Customers. Users should review the hyperlink to Klaviyo’s privacy policy for more information about its data collection and use practices.

Marker Detection

Company uses the Vuforia product by PTC Inc to detect augmented reality markers. Users should review the hyperlink to PTC’s privacy policy for more information about its data collection and use practices.

Third Party Services – Internal Use

We may share Personal Data with third parties who provide services on our behalf for purposes such as accounting, facilitating the exchange of data between Company’s employees, internal reporting purposes, etc. We enter into contracts with such third parties regarding such services to ensure Personal Data is handled consistent with Company’s Privacy Policy and applicable law.

Other Potential Third Party Disclosures

Personal Data may also be disclosed to third parties to serve our legitimate business interests as follows: (1) as required by law, such as to comply with a subpoena, or similar legal process, (2) if Company is involved in a merger, acquisition, or sale of all or a portion of its assets, (3) to investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (4) enforce our agreements with you, and/or (5) investigate and defend ourselves against any third-party claims or allegations. We will use commercially reasonable efforts to notify Users about law enforcement or court ordered requests for Personal Data unless otherwise prohibited by law.

3. Children’s Privacy

The Platform does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided the Company with Personal Data, please contact the Company at legal@arcard.co. Company will delete such Personal Data within a commercially reasonable time, but no later than required under the applicable law relating the child’s country of residence. 

If Company becomes aware that Personal Data has been collected from anyone under the age of 13 without verification of parental consent, Company will take steps to remove that information from Company and Third-Party servers.

Company may also limit how information of Users between 13 and 18 years old is collected. In some cases, this means the Company will be unable to provide certain functionality of the Platform to these users.

4. Personal Data Retention by Company

Company will retain account and purchase data as long as it is necessary to facilitate Customer’s access and use of the Platform. When a Customer’s account is terminated, Personal Data collected through the Platform will be deleted in accordance with the requirements of applicable law. Personal Data obtained from Site visitors will be maintained as long as it is necessary to provide requested communications and information-based services or until a visitor exercises its right to opt-out of requested communications or information-based services. Anonymized and Pseudo-anonymized data will be retained as long as Company determines such data is commercially necessary for it legitimate business interests.

5. EU General Data Protection Regulation (“GDPR”) Notices

Data Controller. The information that Company collects, processes and/or uses through the Platform is controlled by Lightstrike LLC, Attention: Privacy Team, 500 Mercer Street, Suite C202-103A, Seattle, Washington 98109. You may contact us at any time by mail at the above address or by emailing us at legal@arcard.co.

Company will only collect and process Personal Data about Users where Company has lawful bases. Lawful bases include consent (where Users have given consent), contract (where processing is necessary for the performance of a contract with Users), and “legitimate interests.” Where Company relies on User consent to process Personal Data, Users have the right to withdraw or decline consent at any time and where Company relies on legitimate interests, Users have the right to object. If Users have any questions about the lawful bases upon which Company collects and uses Personal Data, please contact us at legal@arcard.co.

Users within the EU may email Company at legal@arcard.co in order to exercise their GDPR rights to: – Access, review, restrict processing of, or otherwise request erasure of your Personal Data; – Obtain the identity of the source of any Personal Data collected; – Request correction of any errors contained within Personal Data; – Request transfer of Personal Data to another service provider; – Object to the manner in which Personal Data is processed; or – Lodge a complaint with a supervisory authority.

Where Company relies on User consent to collect Personal Data, Users may withdraw consent either through the opt-out links provided in this Privacy Policy or through the contact information contained within this Section.

For all GDPR-based requests made pursuant to this section, Company will (a) respond as required under applicable law, (b) provide a copy of any requested Personal Data in a structured, commonly used and machine-readable format, and (c) transmit such Personal Data to another service provider without restriction in accordance with applicable law.

6. California Privacy Rights

California law permits California-resident Customers to request and obtain from Company once a year, free of charge, certain information about their Personally Identifiable Information (“PII”) (as defined by California law) disclosed to third parties for direct marketing purposes in the preceding calendar year (if any). If applicable, this information would include a list of the categories of PII that was shared and the names and addresses of all third parties with which Company shared information in the immediately preceding calendar year.

7. Company’s Security Policy

Company has implemented reasonable administrative, technical and physical security measures to protect User personal information against unauthorized access, destruction or alteration. Although Company endeavors to provide reasonable security for all information processed and maintained, no security system can ever be 100% secure.

8. “Do Not Track” Signals

“Do Not Track” is a feature enabled on some browsers that sends a signal to request that a website disable its tracking or cross-Platform user tracking. At present, the Platform does not respond to or alter its practices when a Do Not Track signal is received.

9. Notifications Of Changes To Privacy Policy

If Company makes material changes to Privacy Policy, Users will be notified by (1) changing the Effective Date at the top of the Privacy Policy, (ii) sending an email to all active Users which Company has an email address, and (iii) add a banner/notification to the Company websites. Express consent will be obtained when required for any material changes in Company’s collection and use practices.

10. Contact Us

Any questions regarding Personal Data or about Company privacy practices should be sent to: Lightstrike LLC, Attention: Privacy Team, 500 Mercer Street, Suite C202-103A, Seattle, Washington 98109 and/or at legal@arcard.co.