Privacy Policy

Cardlis Privacy Notice

Effective on:  September 28, 2017

Scope of this Notice


This privacy notice (hereinafter, the “Notice”) addresses data subjects (“you” or “your”) whose personal data (“PII”) Cardlis Applications Inc. (“us”, “we,” “our,” or “Cardlis”) may receive or otherwise process in our hosted merchant platform (the “Merchant Platform”) and in the Cardlis mobile applications (together with the Merchant Platform, the “Services”).

Within the scope of this privacy notice, Cardlis acts as a data controller, except where merchants use the Merchant Platform as a point of sale system, in which case Cardlis acts as a data processor. 

This Notice does not apply to, and we are not responsible for, the privacy practices of merchants and other third parties, other than those acting on our behalf and under our instruction. We encourage you to contact third parties directly if you have any questions or concerns with respect to their respective privacy practices or policies. 


Recourse and Enforcement    


Cardlis is a member of the VeraSafe Privacy Program, meaning that VeraSafe has assessed Cardlis’ data governance and data security for compliance with the VeraSafe Privacy Program Certification Criteria. The program criteria require that participants maintain a high standard of data protection and implement specific best practices pertaining to notice, choice, access, data security, and third-party information sharing.  

In the case that a privacy complaint or dispute cannot be resolved through Cardlis’ internal process, Cardlis has agreed to participate in the VeraSafe Dispute Resolution Procedure. To file a complaint with the procedure, please submit the required information to VeraSafe here: 

Cardlis is subject to the investigatory and enforcement powers of the Office of the Information and Privacy Commissioner of Alberta.


Categories of PII We Collect and Otherwise Process


The Services are designed to collect and otherwise process:

  • your basic contact information;
  • your payment card data;
  • your precise location information; 
  • your biographical information;
  • your purchase and/or sale history;
  • your browser and device information;
  • your usage history;
  • information uploaded to us by you;
  • information provided to us by third parties such as merchants and other users; and
  • other demographic information.




You may provide your PII directly to us when you use the Cardlis end-user mobile application, such as when you create a user account in the mobile application, buy a gift card, or join a loyalty program. 

When you do business with a merchant who uses the Merchant Platform, that merchant may provide us with the PII that you have shared with that merchant. 

Cardlis offers its users the opportunity to send gift cards to other people via the end-user mobile application. In the case where a Cardlis user sends you a gift card via the mobile application, we collect your PII from the Cardlis user who initiated this transfer. 
Purposes of Use[Cardlis Applications Inc. allows users the ability to change their account information through the Mobile APP or the Merchant Platform.  Merchants are responsible for entering their employee credentials within the Merchant Platform.


Purposes of Use


We collect and use your PII:

  • to enable your use of the Services;
  • to process payments on behalf of merchants who use Cardlis’ point-of-sale-system features;
  • to facilitate merchants’ administration of gift cards you have purchased;
  • to facilitate merchants’ administration of loyalty programs you have joined;
  • to process your payment when you purchase a gift card from our mobile application; 
  • to enable merchants to track receivables, refunds, and disputes, and to generate financial reports;
  • to protect our company, customers, and service providers from security risks; 
  • to improve our products and services, including customizing your experience with us, and displaying content based on your preferences and demographics;
  • to communicate with you regarding our products and services, or the products and services of third parties; and
  • as otherwise required by law

When you use or access the Services, you consent to our collection and processing of your PII as described in this Notice. In such circumstances, we collect and process your PII on the basis of such consent. In other cases, we may collect and process your PII where such collection and processing is necessary for the performance of a contract to which you are a party. Otherwise we may collect and process your PII in the pursuit of our legitimate interests, such as the desire to enable our users to send a Cardlis gift card to persons who are not Cardlis users.


We share PII with our data processors who further process such PII on behalf of, and under the instruction of, Cardlis. Such data processors include:

  • Internet hosting service providers;
  • software development and administration service providers; and
  • email service providers.

We require those data processors to maintain at least the same level of confidentiality, integrity, and availability that we maintain for such PII. Note that some of our data processors are located outside of Canada, in countries such as the United States, where the local data protection laws are not as rigorous as they are in Canada.  

We may also disclose PII:

  • to other third parties for the purposes for which we receive the PII (e.g., performance of contractual obligations and rights);
  • to the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties, including but not limited to: in response to subpoenas, search warrants, or court orders; 
  • in connection with the sale or transfer all or a portion of our company’s business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring or other company change;  
  • with your consent; and
  • as otherwise required by law.

We may also share aggregated, non-personally identifiable information with third parties.


Data Retention


We retain PII only for as long as is necessary to accomplish the purpose(es) for which it was received or subsequently consented to by the data subject, or as otherwise required by law. For example, we retain copies of invoices, which may contain PII, for seven years in order to satisfy our statutory obligations. After such time, the PII is securely deleted. 

We may retain your email address and Cardlis customer ID number for as long as is required by law or by contract, which is typically as long as you maintain a balance on any gift card(s) that is stored in the Cardlis Services or maintain a membership in the loyalty program of a merchant who uses the Merchant Platform.

If you are a Cardlis user, you can deactivate your account at any time by emailing your request to If you are a Cardlis merchant, you can deactivate your account at any time by When you deactivate your account we will securely delete the PII associated with your account within 30 days, insofar as we are not obligated by law or by contract to retain such PII for a longer period of time. However, we keep backup copies of our databases as part of our disaster recovery/business continuity plans, and it may not be reasonably possible for us to delete data from such backups

Data Integrity & Security

Cardlis has implemented and maintains technical, administrative, and physical security measures that are reasonably designed to help protect PII that we process from loss, unauthorized access, disclosure, alteration, or destruction.  


Access, Review & Opting Out


Where you have submitted your own PII to the Services, you may access, and update, correct, amend, or delete such PII. You can do this from within the settings page on the Cardlis mobile application. 

Where your PII was submitted to the Services by another person (who is a Cardlis user), you may also access, update, correct, amend, or delete such PII. You can do so by contacting us using the information in the section Contact & Dispute Resolution Process. 

Where your PII was submitted to the Merchant Platform by a merchant, please contact that merchant with any requests to access, update, correct, amend, or delete your PII from the Merchant Platform.

Where Cardlis processes your PII for our direct marketing purposes, you may opt out of such processing at any time. You can do so by contacting us using the information in the section Contact & Dispute Resolution Process. If you wish to no longer receive commercial emails from Cardlis, you may unsubscribe from our mailing list using the opt-out mechanism contained in our commercial emails. 

We reserve the right to take appropriate steps to authenticate your identity, to charge a reasonable fee before providing access and to deny requests, except as required by applicable law. Please note that if you opt out of our direct marketing, you may continue to receive certain communications from us, such as those pertaining to an existing business relationship established between you and Cardlis. 

You may at any time opt out from geo-location services (i.e., our processing your precise location data) as well as from receiving push notifications by editing the settings on your device to revoke the permission. 


Privacy of Children


The Services are not directed at, or intended for use by, children under the age of 13. If you believe that PII pertaining to your under-13-year-old child has been submitted to the Services, and you would like to exercise your rights with regards to such PII, you may contact us using the information in the section Access, Review & Opting Out, and we will undertake reasonable efforts to comply with your request. 


Changes to This Notice


We may update this Notice from time to time by posting a new version on our website; When we make a material change to the Notice, we will update the Effective On disclosure above to reflect the effective date of the most recent version of the Notice.


Contact & Dispute Resolution Process


If you have questions about this Notice, or about PII collected by Cardlis, please contact us at:

Cardlis Applications Inc.
Attn: Curtis Vander Heyden
P.O Box 633. 
Picture Butte, AB

You may also email us at or call us at +1-403-593-0795. 

We will reply to your inquiry within 30 days. We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with this Notice.