Privacy Policy

Last updated: February 13, 2026

This Privacy Policy (“Policy”) explains how personal data is processed when you use Cardus AI (the “Platform”), including (i) data about users who create and manage projects, and (ii) data contained in interviews, transcripts, narratives, and, where enabled, audio uploaded or generated within a project (the “User Content”).

Cardus AI provides a platform for qualitative research and organizational narrative analysis. Our goal is to help teams collect and analyze real work experiences, with controls designed to minimize personally identifying information whenever possible.

1) Controller, Processor, and contact details

1.1 Cardus as Controller (account and platform operations)

For account data and general operation of the Platform, the data controller is:

Rodrigo Bastos ME (“Cardus”)
Address: Rua Arthur Ramozzi, 460 - Campos do Jordão - SP - Brasil
Privacy email: privacy@cardus.ai
General contact: contact@cardus.ai

1.2 Cardus as Processor (customer projects)

When an organization creates a project on the Platform (the “Project Controller”), that organization typically determines the purposes and means of processing for User Content within the project. In those cases, Cardus acts as a data processor (and may engage sub-processors), processing data only on the documented instructions of the Project Controller and under the applicable contract.

Important: If you participate in an interview for a customer project (for example, as an employee/participant), the primary privacy notice applicable to you may be the Project Controller’s notice. This Policy explains Cardus’ role as a service provider.

2) Personal data we process

We may process the following categories of data:

2.1 Account data (Platform users)

• Name, email, country/language (when collected), authentication method (e.g., Google or magic link).
• Subscription and billing information (primarily handled by payment providers).
• Project configuration (e.g., project language, interview settings, access permissions).

2.2 User Content (within projects)

• Interview responses, transcripts, narratives, and messages.
• If enabled by the project: audio of interviews or excerpts needed for transcription/processing.
• Project-related metadata (e.g., interview date/time, internal participant identifiers).

Data minimization: User Content does not need to include direct identifiers (such as names, government IDs, or addresses). We recommend Project Controllers configure their projects and instruct participants to avoid sharing unnecessary personal data.

2.3 Technical and usage data

• IP address, device/browser type, usage events, security logs, and aggregated metrics used for reliability and abuse prevention.
• Cookies or similar technologies (where applicable).

3) Sensitive personal data

Cardus does not require sensitive personal data to provide the service. However, participants may voluntarily include sensitive information in interviews (for example, health information, religious or philosophical beliefs, sexual life, racial/ethnic origin, or biometric data).

Where processing of sensitive data is applicable:

• The Project Controller is responsible for ensuring a valid legal basis (including explicit consent where required by law) and limiting processing to the authorized purposes.
• Cardus will process such data only to provide the service and under appropriate security controls, consistent with contractual instructions.

4) Purposes of processing

4.1 Purposes when Cardus acts as Processor (projects)

We process User Content to:

• Run interviews (including AI-led interviews where enabled by the project).
• Transcribe (if applicable), extract narratives, classify, cluster, and generate analysis and reports for the project.
• Provide query, exploration, and comparison features for project findings.
• Maintain the security, integrity, and proper functioning of the service for the project.

4.2 Purposes when Cardus acts as Controller (accounts and operations)

We process account and operational data to:

• Create and manage accounts, authentication, and access.
• Provide support, administrative communications, and service updates.
• Operate, maintain, improve, and secure the Platform (including fraud/abuse prevention).
• Comply with legal obligations and respond to lawful requests from competent authorities, where applicable.

5) Legal bases (as applicable)

Legal bases vary by country and by Cardus’ role:

• Projects (Cardus as Processor): the Project Controller determines the applicable legal basis (for example, consent, contract performance, legal obligations, or other lawful bases under applicable law).
• Accounts/operations (Cardus as Controller): we typically process data to perform our contract, comply with legal obligations, and/or pursue legitimate interests in operating and protecting the service, as applicable.

6) Sub-processors, international processing, and data sharing

To provide the service, Cardus relies on infrastructure and processing providers that may process data as processors/sub-processors, under confidentiality and security obligations, such as:

• Infrastructure and storage: Firebase / Google Cloud (e.g., Firestore and storage).
• Vector search/embeddings: Pinecone (or others, depending on project configuration).
• LLM processing via API: for example, Gemini and other providers integrated via API.

These providers may operate in different countries, meaning international processing may occur depending on project configuration and service region.

No training: Cardus does not use User Content to train AI models. User Content is processed to provide the project service and to operate the Platform (e.g., reliability and security), not as training data.

7) Retention and deletion

• During the project: we retain User Content to operate the service and enable analysis and reporting.
• End of project: the Project Controller may request deletion of User Content, and Cardus will delete data according to contractual mechanisms and timelines.
• We may retain minimal information where necessary for legal compliance, security, dispute resolution, or audit purposes, where applicable.

8) Security

We implement reasonable technical and organizational measures to protect data against unauthorized access, loss, alteration, or disclosure. Measures may include access controls, audit logs, encryption in transit and at rest (as supported by providers), and data minimization practices.

No system is completely secure, but we work to maintain safeguards appropriate to the nature of the information processed.

9) Your rights and how to contact us

Where Cardus acts as Controller, you may request to exercise rights available under applicable law (which may include access, correction, deletion, restriction/objection, portability, and withdrawal of consent where applicable).

How to submit a request: email privacy@cardus.ai with:

1. Your name and preferred contact method;
2. Proof of identity (and, if applicable, proof of authority to act on someone’s behalf);
3. A clear description of the request and the data involved;
4. Any details that help us locate the relevant data.

If you are a participant in a customer project: the Project Controller typically handles rights requests related to User Content in that project. If you contact us, we may help route your request when possible.

10) Cookies and analytics

We may use cookies or similar technologies for authentication, security, performance measurement, and analytics. Depending on your location, we may present a cookie notice and/or provide controls.

11) Changes to this Policy

We may update this Policy to reflect legal, technical, or operational changes. We will post the current version on this page with an updated “Last updated” date and, where appropriate, provide notice of material changes through reasonable means.

12) Contact

For privacy questions or requests: privacy@cardus.ai
For general support: contact@cardus.ai