Privacy Policy
Last updated: June 11, 2026
This Privacy Policy explains how Cardexium, a service operated by Floox (“Cardexium”, “we”, “us”, or “our”), collects, uses, shares, and protects your personal information when you use the Cardexium mobile applications, websites, and related services (the “Service”). By using the Service, you agree to the practices described here. Capitalized terms not defined here have the meaning given in our Terms of Service.
Contents
- 1. Introduction and Scope
- 2. Information We Collect
- 3. How We Use Information
- 4. Legal Bases for Processing
- 5. How We Share Information
- 6. Payments and Stripe
- 7. Third-Party Sign-In
- 8. Cookies and Similar Technologies
- 9. Other Users and Public Information
- 10. Data Retention
- 11. Security
- 12. Your Rights and Choices
- 13. U.S. State Privacy Rights
- 14. EEA and UK Rights (GDPR)
- 15. International Data Transfers
- 16. Children's Privacy
- 17. Marketing and Notifications
- 18. Third-Party Links and Services
- 19. Changes to This Policy
- 20. Contact Us
1. Introduction and Scope
This Policy applies to personal information we process about visitors, account holders, buyers, and sellers in connection with the Service. It does not apply to third-party services that have their own privacy policies (such as Stripe, Google, or Apple), or to information we process on behalf of another business as a service provider under that business’s own policy. Where we act as the “controller” of your personal information, this Policy governs that processing.
2. Information We Collect
Information you provide
- Account and profile data: name, email address, password, username/handle, display name, avatar, bio, location, and preferences.
- Collection and activity data: the Items you catalog as owned or wanted, conditions, grades, acquisition costs, binders, photos of your Items, follows, and similar activity.
- Marketplace data: Listings, offers, trades, orders, shipping addresses, tracking information, and dispute submissions.
- Content and communications: messages you send to other users or to us, photographs, descriptions, reviews, and support requests.
- Seller verification data: when you set up payouts, identity and business information you provide is collected primarily by our payment processor (see Section 6); we receive limited status and account-reference information.
Information collected automatically
- Device and technical data: device type and identifiers, operating system, app version, language, IP address, and crash and diagnostic data.
- Usage data: features used, pages and screens viewed, searches, interactions, and timestamps.
- Approximate location: derived from your IP address; we do not collect precise device location unless you grant permission for a feature that requires it.
- Cookies and similar technologies on our websites (see Section 8).
Information from third parties
- Sign-in providers (Google, Apple) when you choose to register or log in with them (see Section 7).
- Payment processor (Stripe): transaction status, payout status, and limited verification signals.
- Catalog and pricing data sources and service providers that help us operate, secure, and analyze the Service.
3. How We Use Information
We use personal information to:
- create and manage your account and authenticate you;
- provide the Service’s features, including cataloging, portfolio valuation, discovery, messaging, and the marketplace;
- process and facilitate orders, offers, trades, escrow, payouts, refunds, and disputes;
- prevent, detect, and investigate fraud, abuse, security incidents, and prohibited or unlawful activity, and to verify identity and comply with anti-money-laundering and sanctions obligations;
- provide customer support and respond to your requests;
- personalize and improve the Service, develop new features, and perform analytics and research;
- send you service, transactional, and administrative communications, and—subject to your choices—marketing communications and push notifications;
- comply with legal obligations and enforce our Terms and Policies.
4. Legal Bases for Processing
Where the GDPR or similar laws apply, we rely on the following legal bases: performance of a contract with you (to provide the Service and process transactions); our legitimate interests (to operate, secure, and improve the Service and prevent fraud), balanced against your rights; compliance with legal obligations (such as tax, accounting, and anti-money-laundering requirements); and your consent (for example, certain marketing, optional permissions, or cookies), which you may withdraw at any time.
5. How We Share Information
We share personal information in the following circumstances:
- With other users,as needed to operate the Service—for example, your public profile, Listings, and collection (to the extent you make them public) are visible to others, and a buyer and seller receive the information needed to complete a transaction (such as a shipping address and order details).
- With service providers that perform functions on our behalf (such as cloud hosting and storage, payment processing, identity verification, customer support, communications/email, analytics, and crash reporting), under contracts that limit their use of the information.
- With our payment processor (Stripe) to process payments, escrow, and payouts.
- For legal and safety reasons: to comply with law, regulation, legal process, or governmental request; to enforce our Terms; to protect the rights, property, or safety of Cardexium, our users, or others; and in connection with fraud prevention.
- In a business transaction: in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred, subject to this Policy.
- With your consent or at your direction.
We do not sell your personal information for money. To the extent “sharing” or “selling” is defined broadly under certain U.S. state laws (for example, for cross-context behavioral advertising), see Section 13 for your rights and choices.
6. Payments and Stripe
Payments, escrow, and seller payouts are processed by Stripe. When you pay or set up payouts, information such as your payment card details and seller identity, business, and banking details is collected and processed directly by Stripe under its own privacy policy. We do not store full payment card numbers. We receive limited information such as transaction and payout status, the last four digits or a token of a payment method, and verification results, which we use to operate the marketplace, prevent fraud, and meet legal obligations.
7. Third-Party Sign-In
If you register or sign in using Google or Apple, we receive basic profile information from that provider (such as your name and email address, or a private relay email if you use Sign in with Apple), as permitted by your settings with that provider. We use this information to create and secure your account. Your use of those providers is also governed by their terms and privacy policies.
8. Cookies and Similar Technologies
Our websites use cookies and similar technologies to keep you signed in, remember preferences, operate and secure the site, and understand usage. Our mobile apps use device identifiers and local storage for similar purposes. You can control cookies through your browser settings, and you can manage certain device permissions and identifiers through your device settings. Disabling some technologies may affect how the Service works.
9. Other Users and Public Information
Certain information is visible to other users by design, including your public profile and handle, public collections and Listings, follower relationships, and content you share in messages or transactions. Information you choose to make public, or that you share with other users, may be copied, stored, or re-shared by them outside our control. Please consider what you make public and what you share in messages.
10. Data Retention
We retain personal information for as long as your account is active and as needed to provide the Service, and afterward as necessary to comply with our legal obligations (including tax, accounting, and anti-money-laundering recordkeeping), resolve disputes, prevent fraud, enforce our agreements, and maintain business records. Transaction and certain marketplace records may be retained for several years as required by law. We may retain de-identified or aggregated information indefinitely. When information is no longer needed, we delete or de-identify it.
11. Security
We use administrative, technical, and organizational measures designed to protect personal information, such as encryption in transit, access controls, and tokenized payment handling. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for notifying us of any suspected unauthorized use at security@cardexium.com.
12. Your Rights and Choices
Depending on where you live, you may have rights to access, correct, update, port, restrict, or delete your personal information, to object to certain processing, and to withdraw consent. You can update much of your information and delete your account directly within the Service. To exercise other rights, contact us at privacy@cardexium.com. We will respond as required by applicable law and may need to verify your identity. We will not discriminate against you for exercising your rights. Note that we may retain certain information as permitted or required by law (see Section 10), and deleting your account does not remove information other users have retained or that is part of completed transactions.
13. U.S. State Privacy Rights
Residents of California and other U.S. states with comprehensive privacy laws may have additional rights, including the rights to know/access, delete, correct, and obtain a portable copy of their personal information, and to opt out of “sale” or “sharing” of personal information and certain targeted advertising. We collect the categories of personal information described in Section 2 for the purposes described in Section 3, and disclose them to the categories of recipients described in Section 5. We do not sell personal information for money, and we do not knowingly sell or share the personal information of individuals under 16. To exercise these rights, contact us at privacy@cardexium.com; you may use an authorized agent where permitted. If we deny a request, you may have the right to appeal by replying to our decision.
14. EEA and UK Rights (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, Cardexium is the controller of your personal information for the processing described in this Policy. In addition to the rights in Section 12, you have the right to lodge a complaint with your local data protection authority. We process your information based on the legal bases in Section 4 and transfer it internationally only with appropriate safeguards (see Section 15).
15. International Data Transfers
We operate in the United States and may process and store personal information in the United States and other countries that may have data-protection laws different from those in your country. Where required, we use appropriate safeguards for international transfers, such as the European Commission’s Standard Contractual Clauses, and we take steps to ensure your information receives an adequate level of protection.
16. Children’s Privacy
The Service is intended for adults (18+) and is not directed to children. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child without appropriate consent, we will delete it. If you believe a child has provided us personal information, contact us at privacy@cardexium.com.
17. Marketing and Notifications
We may send you marketing emails about features and offers. You can opt out at any time by using the unsubscribe link or by contacting us; you will still receive non-promotional service and transactional messages. If you enable push notifications, you can disable them in your device settings.
18. Third-Party Links and Services
The Service may link to or integrate third-party websites and services that we do not control. Their collection and use of your information is governed by their own privacy policies, and we are not responsible for their practices. We encourage you to review them.
19. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you through the Service or by other reasonable means and update the “Last updated” date above. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated Policy.
20. Contact Us
For privacy questions or to exercise your rights, contact us at privacy@cardexium.com. For general support, contact hello@cardexium.com.