Privacy Policy
Effective: 1 July 2026 • Last updated: 1 July 2026
This is an English courtesy translation. The German Datenschutzerklärung is authoritative.
1. Controller
The controller under the GDPR for personal-data processing in the
CardFinder app (package com.martechdm.cardfinder) is:
Martech Digital Media LTDA ("we")
CNPJ 44.803.907/0001-64
[[Street and number]]
[[Postal code, city]], Brazil
Email: [email protected]
CardFinder is a brand of Mediaholic OÜ, Tallinn, Estonia.
2. Overview
CardFinder recommends credit cards for the German market. No registration is required for the recommendation. Advertising and analytics are enabled only after you consent via the consent banner (Google UMP / IAB TCF v2). This policy describes the data processed in the process.
3. Data we process
- Quiz answers (e.g. habits, desired benefits): stored locally on your device and sent to our server to build the card list. Not linked to your identity.
- Consent choices: your selection for personalized ads and analytics (TCF consent string) is stored to respect your preference.
- Name and email address: only if you complete the optional "get more recommendations" / "get this card" form. Shared with our lead processor to handle your request (see section 6).
- Usage and diagnostic data: screens visited, actions taken, crash reports — collected via Firebase Analytics and Crashlytics, only after your consent.
- Advertising data and identifiers: advertising ID plus interaction/impression data, processed via Google Ad Manager / AdX — after your consent; without consent, non-personalized ads only.
- Push token (Firebase Cloud Messaging): only if you allow notifications.
- Pseudonymous usage ID: a random identifier for usage and retention analysis, unrelated to your real name.
- Device and connection data (device model, OS, language, truncated IP): processed automatically for delivery, security, and diagnostics.
We do not collect bank data, card numbers, or other sensitive financial data. The actual card application happens directly with the provider, outside CardFinder.
4. Purposes and legal bases
- Recommendation and core app function — Art. 6(1)(b) GDPR and our legitimate interest in a functioning app (Art. 6(1)(f)).
- Personalized advertising and analytics — your consent (Art. 6(1)(a)), obtained via Google UMP / TCF.
- Handling your lead request (name, email) — your consent / pre-contractual step (Art. 6(1)(a) and (b)).
- Security, abuse prevention, diagnostics — legitimate interest (Art. 6(1)(f)).
5. Consent and management
On first launch CardFinder shows a consent banner via the Google User Messaging Platform (UMP) following the IAB Transparency and Consent Framework (TCF v2), and mirrors your result to Firebase Consent Mode v2. Analytics and personalized ads are not enabled until you consent.
You can change or withdraw your consent at any time in the app under "Privacy settings". Withdrawal takes effect for the future and does not affect the lawfulness of processing carried out beforehand.
6. Recipients and services
- Google Ireland Ltd. / Google LLC — Google Ad Manager and AdX (advertising), User Messaging Platform (consent), Firebase Analytics, Crashlytics, Cloud Messaging, and Cloud Translate for translating card notes. Google Privacy Policy.
- Amazon Web Services — hosting of the API that provides recommendations.
- Lead processor (LeadClump / Ermes) — processing of the contact data (name, email) you voluntarily submit, to handle your request.
We do not sell your data. Data is shared with card providers only through your explicit action in the app (e.g. when you are handed off to a card's application).
7. International transfers
Some processors (notably Google and AWS) may process data in the USA. Such transfers rely on appropriate safeguards under Art. 46 GDPR (EU Standard Contractual Clauses) or on the EU-US Data Privacy Framework where the recipient is certified.
8. Retention
Quiz answers are stored locally until you retake the quiz or clear app data. Analytics and crash data are retained per Google's standard periods (typically up to 14 months for events, 90 days for crash reports). Server logs are kept up to 30 days. Lead contact data is retained as long as needed to handle your request and to meet legal obligations.
9. Your rights
Under the GDPR you have, in particular, the rights to:
- access the data stored about you (Art. 15);
- rectification of inaccurate data (Art. 16);
- erasure (Art. 17) and restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw a given consent with effect for the future (Art. 7(3)).
To exercise your rights, email [email protected]. You also have the right to lodge a complaint with a data-protection supervisory authority.
10. Managing ads and your advertising ID
You can reset your advertising ID or opt out of personalized ads in your device settings (Android: Settings → Google → Ads). In the app you can adjust your consent at any time (see section 5).
11. Minors
CardFinder is intended for people aged 18 and over. We do not knowingly collect data from minors.
12. Security
We take technical and organizational measures to protect your data, including TLS encryption of communication between the app and server and access controls in our cloud infrastructure.
13. Changes
We may update this policy. Material changes are announced in the app or on this page, with the "Last updated" date above adjusted accordingly.
14. Contact
Martech Digital Media LTDA
Email: [email protected]