Data Protection & GDPR
Last updated: March 20, 2026
1. Introduction
This Data Protection Notice explains how My Backup Card ("we," "our," or "us") processes personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We are committed to protecting your personal data and respecting your privacy rights.
2. Data Controller
For the purposes of GDPR, we act as the data controller for personal data collected through the Service. Our operations are based in San Francisco, California, United States.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent: When you create an account and use the Service, you consent to the processing of your personal data as described in this notice
- Contract Performance: Processing is necessary to provide the Service and fulfill our contractual obligations to you
- Legitimate Interests: We process data to improve the Service, ensure security, and prevent fraud
- Legal Obligations: We may process data to comply with applicable laws and regulations
4. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data:
4.1 Right of Access
You have the right to request access to your personal data and receive a copy of the data we hold about you. You can access your account information through the Settings page, and you can request additional information by contacting us.
4.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You can update your account information directly through the Settings page.
4.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data. You can delete your account at any time through the User Settings page. All data associated with your account will be permanently deleted within 24 hours.
4.4 Right to Restrict Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
4.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can export your vault data before deleting your account.
4.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. You can opt out of analytics cookies through your browser settings.
4.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority in your country if you believe that our processing of your personal data violates applicable data protection laws.
5. Exercising Your Rights
To exercise any of your rights, you can:
- Use the account management features in the Settings page
- Contact us at privacy@MyBackupCard.com
We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by up to two additional months, and we will inform you of any such extension.
6. Data Transfers
Your personal data is stored on Cloudflare's global edge network. If you are located in the EEA or UK, this involves a transfer of your personal data to a country outside the EEA/UK that may not have the same level of data protection.
We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Our service providers' compliance with applicable data protection frameworks
- Client-side encryption ensuring your vault data is encrypted before transmission
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Zero-Knowledge Architecture: All vault data is encrypted client-side using AES-GCM encryption before transmission. We cannot access your unencrypted vault data.
- Encrypted Storage: Account credentials are stored in encrypted form by our authentication provider
- Secure Transmission: All data transmission uses HTTPS/TLS encryption
- Access Controls: Access to personal data is restricted to authorized personnel only
- Regular Security Assessments: We regularly review and update our security measures
8. Data Retention
We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes outlined in this notice. When you delete your account, all associated data will be permanently deleted within 24 hours. We may retain certain information for longer periods if required by law or for legitimate business purposes.
9. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
10. Children's Data
The Service is not intended for children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
11. Changes to This Notice
We may update this Data Protection Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by updating the "Last updated" date at the top of this page.
12. Contact Us
If you have any questions, concerns, or wish to exercise your rights under GDPR, please contact us at:
Email: privacy@MyBackupCard.com
Data Protection Officer: dpo@MyBackupCard.com