Privacy Policy
Effective June 30, 2026
This Privacy Policy explains how TestCards (“we”, “us”) handles information in connection with the TestCards website, API, and MCP server (together, the “Service”). TestCards is a developer tool for software testing and QA: it generates Luhn-valid sample card numbers, validates numbers with the Luhn algorithm, and reports the scheme and BIN/IIN structure of a number. By using the Service you agree to the practices described here.
1. Scope
This policy covers the Service only. It does not cover third-party sites or services we link to, or the sandbox/test environments of payment processors with which you use our test data. Capitalized terms not defined here have the meaning given in our Terms of Use.
2. Information we collect
We deliberately collect as little as possible. Specifically:
- Account email. When you create an API key, we store the email address you provide so we can issue and look up your key and enforce quotas.
- API key & usage metadata. We store your API key, your plan, your monthly request allowance and the number of requests used in the current period, and timestamps. We also keep a lightweight per-call usage log (the API key; the endpoint called: BIN, Luhn, or generate; and the time) to meter usage and detect abuse.
- Billing data. If you subscribe to a paid plan, our payment processor (Stripe) handles your payment. We store a Stripe customer identifier so we can match a subscription to your key. We never see or store your full card number, CVC, or other payment-card credentials. Those go directly to Stripe.
- Server logs. Our hosting and infrastructure providers automatically process standard request data (such as IP address and user-agent) as part of delivering and securing the Service.
We do not collect or store real cardholder data or other personal financial information. Card numbers you submit to the BIN or Luhn endpoints are test values processed in memory to return a result (scheme, BIN structure, Luhn validity) and are not stored. The bundled BIN reference is a small public CC-BY sample, not a database of real accounts.
3. How we use information
We use the limited information above only to:
- issue and authenticate your API key and enforce plan quotas and rate limits;
- provide, maintain, secure, and improve the Service, and detect and prevent abuse or fraud;
- process subscriptions and recurring billing for paid plans through Stripe;
- respond to your support requests; and
- comply with legal obligations.
4. Cookies & tracking
We use essential cookies and similar storage only, for example, to keep the Service functioning and secure. We do not use advertising cookies, and we do not run third-party ad networks or cross-site ad tracking on the Service.
5. Third-party services / sub-processors
We rely on a small number of service providers (“sub-processors”) to operate the Service. They process data only on our behalf and under their own terms and privacy policies:
- Stripe: payment processing and subscription billing for paid plans.
- Convex: database and backend that stores API keys, plan/usage metadata, and the per-call usage log.
- Vercel: application hosting and delivery (including standard server/request logs).
6. How we share information
We do not sell your personal data. We share information only with the sub-processors listed above so they can perform their functions, and where we are legally required to do so, to enforce our Terms, or to protect the rights, safety, and security of TestCards, our users, or the public. If we are ever involved in a merger, acquisition, or asset sale, information may be transferred as part of that transaction, subject to this policy.
7. Data retention
We keep your account email and API-key metadata for as long as your key is active and as needed to provide the Service. The per-call usage log is kept only as long as useful for metering and abuse prevention and may be pruned. When you ask us to delete your key, or after a prolonged period of inactivity, we delete or de-identify the associated records, except where we must retain limited information to comply with legal, tax, or accounting obligations (for example, billing records held by Stripe).
8. Your rights
Depending on where you live, you may have rights under laws such as the GDPR and the CCPA/CPRA, including the right to access, correct, or delete your personal information, to obtain a copy of it, and to opt out of the “sale” or “sharing” of personal information (note that we do not sell or share personal information for cross-context behavioral advertising). Because the only personal data we hold is your account email and associated key metadata, you can exercise these rights, including deletion, by emailing us at support@testcards.io from the address tied to your key. We will not discriminate against you for exercising these rights.
9. Security
We use reasonable technical and organizational measures to protect the limited information we hold, including access controls and reputable infrastructure providers. API keys are secrets, so keep yours confidential. No method of transmission or storage is completely secure, so we cannot guarantee absolute security; notify us promptly of any suspected unauthorized use of your key.
10. Children’s privacy
The Service is a developer tool intended for businesses and professionals. It is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
11. International users
The Service is operated from, and information is processed and stored in, the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States and other countries where our sub-processors operate, which may have different data-protection laws than your own.
12. Changes
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date above and, where appropriate, provide notice. Your continued use of the Service after changes take effect constitutes acceptance.
13. Contact
Questions about this Privacy Policy or your data? support@testcards.io.