Privacy Policy

1. Who We Are

Card-o-Bot is an AI-assisted card creation application operated by Christian Herbie Clarke, doing business as Herbie Creative ("Card-o-Bot," "we," "us," or "our"). This Privacy Policy explains how we collect, use, store, disclose, and protect information when you use Card-o-Bot at cardobot.com, herbiecreative.com/cardobot, or related Card-o-Bot pages and APIs.

This policy supplements the Herbie Creative site-wide Privacy Policy. If this policy and the site-wide policy conflict for Card-o-Bot, this Card-o-Bot policy controls.

2. Information We Collect

Account Information

When you create or use an account, we may collect your username, password hash, email address, name, Google account identifier, profile image, authentication method, account creation date, and last-login date.

Card and Creative Data

We collect the prompts, chat messages, selections, card names, card text, card type, card attributes, generated artwork, saved cards, card metadata, and related creation history you submit or create in Card-o-Bot.

Technical and Usage Data

We may collect IP address, browser type, device information, operating system, referring URL, timestamps, session data, pages or API routes used, error logs, and security logs. This helps us keep the app working and protect it from abuse.

Information From Google Sign-In

When you sign in with Google, Card-o-Bot requests the openid, email, and profile scopes. Google provides your Google account ID, primary email address, name, and profile picture URL. We store the Google account ID, email, name, and profile picture reference on your Card-o-Bot account so we can authenticate you, merge accounts, and display your profile. We do not request or receive your Gmail, contacts, calendar, Drive files, or other Google data from these scopes.

Optional Google Drive and Google Photos Export

If you enable a Card-o-Bot feature that saves a card to your own Google Drive or Google Photos, Card-o-Bot will ask Google for additional permissions:

• https://www.googleapis.com/auth/drive.file — lets Card-o-Bot create and manage only the card files it saves for you in Drive. Card-o-Bot cannot list, read, modify, or delete other files in your Drive.
• https://www.googleapis.com/auth/photoslibrary.appendonly — lets Card-o-Bot add card images to your Google Photos library. Card-o-Bot cannot view, list, or modify your existing photos.

These exports only run when you ask for them. Card-o-Bot uses and transfers information received from Google APIs in accordance with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train generalized or third-party AI models and do not transfer Google user data to third parties except as required to operate the user-requested export or as required by law.

Information From AI Providers

When AI services generate or process your cards, those providers receive the prompts, chat messages, and related content needed to return the requested output. Outputs they return are stored on your Card-o-Bot account.

3. How We Use Information

• To create, authenticate, secure, and manage user accounts.
• To generate chat responses, card concepts, card text, and card artwork.
• To save, retrieve, display, edit, and organize your Card-o-Bot collection.
• To export cards to your Google Drive or Google Photos when you request it.
• To feature cards in Card-o-Bot marketing, social media, galleries, showcases, curated packs, compilations, merchandise, case studies, and other promotional or published materials, under the content license in our Terms of Service.
• To troubleshoot bugs, monitor performance, prevent fraud, and protect the app.
• To communicate with you about account, security, support, and service matters.
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your Card-o-Bot prompts, saved cards, or generated images for third-party behavioral advertising, and we do not use Google user data to train generalized or third-party AI models.

4. AI Processing

Card-o-Bot uses third-party AI providers, including OpenAI, to process prompts and generate text and images. When you ask Card-o-Bot to create or revise content, the information needed to complete that request may be sent to those providers.

You should not submit sensitive personal information, confidential business information, health information, financial information, government ID numbers, passwords, private keys, or anything you do not have the right to use. AI systems may produce inaccurate, unexpected, or similar-looking content, and you are responsible for reviewing outputs before using them.

5. Cookies and Sessions

Card-o-Bot uses essential cookies and PHP sessions to keep you signed in, protect your session, remember account state, and operate the app. These cookies are required for logged-in features. We may also rely on Google sign-in scripts or related Google cookies when Google authentication is enabled.

6. How We Share Information

We share information only when needed to operate Card-o-Bot, comply with law, protect rights and safety, feature content consistent with our Terms of Service, or follow your direction. Service providers and recipients may include:

• OpenAI: AI text and image generation.
• Google: OAuth sign-in, account authentication, and — only when you use the feature — Google Drive and Google Photos export.
• Bluehost or other hosting providers: Web hosting, databases, logs, storage, and server infrastructure.
• CDN, email, analytics, or asset providers: Delivery of fonts, icons, scripts, static assets, transactional email, or aggregate performance measurement if used by the page.
• Marketing, editorial, print, or merchandise partners: To produce, distribute, print, or promote card packs, merchandise, promotional materials, or published showcases featuring Card-o-Bot cards, consistent with the content license in our Terms of Service. These partners receive card images, card text, and sometimes a creator handle, but not your email, password, or other private account data.
• Successors: In connection with a merger, acquisition, reorganization, sale of assets, or similar transaction involving Card-o-Bot or Herbie Creative.

We may disclose information if required by law, subpoena, court order, lawful government request, or when we believe disclosure is necessary to protect users, Card-o-Bot, Herbie Creative, or others.

7. Your Content, Visibility, and Promotional Use

Your saved cards and generated images are associated with your account and are stored on Card-o-Bot servers so you can view and manage them. Card-o-Bot is designed for personal account-based storage, but no online system is perfectly private or secure.

By using Card-o-Bot, you also grant Card-o-Bot and Herbie Creative the broad content license described in Section 6 of the Terms of Service. That license allows us to use, display, publish, remix, and distribute your cards in Card-o-Bot or Herbie Creative marketing, galleries, card packs, compilations, merchandise, and other promotional or commercial materials, with or without a public credit to you, at our discretion. Featured cards may appear with a username, display name, generated handle, or no identifying label.

Please do not create or store content that you would be harmed by losing, disclosing, having reviewed for safety, moderation, debugging, or legal compliance, or having featured publicly by Card-o-Bot. If you do not want a specific card to be usable in any medium, do not create or save it in Card-o-Bot.

8. Data Retention

• Account records: Kept while your account is active and for a reasonable period afterward for security, backup, and legal purposes.
• Saved cards and generated images: Kept while your account or collection remains active, unless deleted by you or removed under our policies.
• Prompts and chat-related records: Kept as needed to provide the app, debug issues, preserve saved cards, and protect against abuse.
• Logs and technical data: Kept on a rolling or as-needed basis for security, diagnostics, and hosting operations.

Backups, caches, logs, or records required for security or legal reasons may persist for a limited time after deletion from active systems.

9. Security

We use reasonable technical and organizational safeguards, including HTTPS, hashed passwords, server-side sessions, restricted configuration, and database access controls. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

10. Children

Card-o-Bot is not directed to children under 13. Users under 18 should use Card-o-Bot only with permission from a parent or legal guardian. Children under 13 may not create accounts or submit personal information. If we learn that we collected personal information from a child under 13 without appropriate consent, we will delete it.

11. Your Choices and Rights

You may request access, correction, deletion, or export of personal information associated with your account, subject to identity verification, technical limits, backup retention, safety needs, and legal requirements. Depending on your location, you may have additional rights under privacy laws such as CCPA/CPRA, GDPR, or similar laws.

You can revoke Card-o-Bot's access to your Google account (including any Drive or Photos permissions) at any time from your Google Account permissions page. Revoking will stop further exports or Google sign-in, but will not automatically delete files already saved to your Drive or Photos or cards stored in Card-o-Bot.

Deleting your account or a specific card will remove it from the active Card-o-Bot app and, over time, from our backups, subject to retention in Section 8. Deletion does not require us to recall, unpublish, or destroy card packs, marketing materials, merchandise, or promotional content we already published or distributed under the content license in Section 6 of the Terms of Service, though we will make reasonable efforts to stop new promotional uses of a deleted card where practical.

12. International Users

Card-o-Bot is operated from the United States. If you use Card-o-Bot from outside the United States, your information may be transferred to, stored in, and processed in the United States and other locations where our service providers operate.

13. Changes

We may update this Privacy Policy as Card-o-Bot changes. When we do, we will update the "Last updated" date. Material changes may also be announced through the app, website, or email when appropriate.

14. Contact

For privacy questions or requests, contact:

Christian Herbie Clarke
Herbie Creative / Card-o-Bot
christian@herbiecreative.com