Privacy Policy

Effective date: June 1, 2026

1. General

This Privacy Policy describes what personal data Gcardus collects, how it is used, stored, and protected.

By using the Service, you agree to this Policy. This Policy complies with the Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA).

2. Data Controller

The data controller is Dharsha Dulaj De Silva, an individual (natural person), operating this service at gcardus.com.

Contact:

3. Data We Collect

Registration: email address (required), display name (optional).

Payment: payment date and selected plan. Card data is processed solely by our payment provider — we never receive or store it.

Technical: IP address, browser User-Agent, login timestamps. Required for account security.

We do not share your data with advertising networks or use it for targeted advertising.

4. Purpose and Legal Basis

Contract performance: providing Service access, managing subscriptions, processing payments.

Legitimate interest: account security and fraud prevention.

Legal obligation: retaining payment records as required by law.

We do not sell personal data to third parties.

5. Data Sharing

Payment processor — We share: payment amount, order ID, user ID. No card data is shared with us.

Data may be disclosed to government authorities upon lawful request.

No other third-party sharing occurs without your explicit consent.

6. Retention Periods

Account data (email, name): retained until account deletion.

Subscription status (active/inactive, start and end dates): retained until account deletion.

Technical logs: retained 90 days, then automatically deleted.

7. Your Rights

You have the right to: access a copy of your data, correct inaccuracies, delete your account and associated data (except data legally required to be retained), restrict processing, withdraw consent.

To exercise these rights, contact: . We respond within 30 days.

8. Cookies

__Secure-next-auth.session-token — authentication session token. Lifetime: 30 days. Required for login functionality.

No marketing, analytics, advertising, or tracking cookies are used.

9. Security

Passwords are stored as bcrypt hashes (cost factor 12). Plain-text passwords are never accessible.

All connections are secured by HTTPS/TLS.

In the event of a data breach, users will be notified within 72 hours as required by applicable law.

10. Cross-Border Transfers

Service servers may be located outside Sri Lanka. Data transfers to other countries are carried out with adequate protection measures in place.

11. Changes to This Policy

We may update this Policy at any time. The current version is always available on this page.

12. Contact