Last Updated: December 30, 2024
Welcome to AstroX Network, Inc. (hereinafter referred to as "Card3," "we," or "our"). This Privacy Policy outlines how we collect, use, disclose, and process your personal information when you access or use our website, including all related webpages, websites, and social media pages (collectively referred to as the "Website"), and any online services provided through the Website (collectively referred to as the "Services").
We may update this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of this policy. We encourage you to regularly review this Privacy Policy to stay informed about our information processing practices and the rights and choices available to you.
This Privacy Policy aims to inform you about:
The types of personal information we collect;
How we use this information;
When and how we disclose your information;
Your rights concerning data protection;
How we protect your information.
By accessing or using our Services, you agree to the collection, use, and disclosure of your personal information in accordance with this Privacy Policy. If you do not agree with any part of this policy, please do not use our Services.
We collect your information to provide, maintain, and improve our Services, ensure a personalised user experience, and comply with applicable laws and regulations. Below are our specific practices regarding information collection:
We collect information that you directly provide to us, such as:
Account Registration Information: When you create an account, we collect your email address, username, password, and other relevant information.
Communication Information: Through customer support, feedback, surveys, or other interactions with us, you may provide your name, email address, telephone number, and other information.
Transaction Information: When processing payments and transactions, we collect relevant financial information, such as transaction records.
Points/Rewards Data: When you participate in our Points/Rewards Program, we may collect information related to your task completions, referral actions, event participation, and redemption history. This data is used to calculate your Points balance, verify eligibility, and maintain accurate transaction records.
When you access or use our Services, we automatically collect certain information, including but not limited to:
Device and Browser Information: Such as device type, operating system, browser type, IP address, device identifiers, etc.
Usage Data: Including the pages you visit, links you click, features you use, duration of your visit, etc.
Location Information: Geographical location information based on your IP address or device location services.
We may obtain your information from other sources, including but not limited to:
Third-Party Service Providers: Such as partners involved in payment processing, data analysis, marketing services, etc.
Social Media: If you log in or interact with us through social media accounts, we may obtain your public information from these platforms, such as username, avatar, friend lists, etc.
Based on the information we collect, we may infer or derive additional information about you, such as:
Location Inference: Estimating your approximate location based on your IP address.
Interests and Preferences: Inferring your interests and preferences based on your usage behaviour and interaction data to personalise content or service recommendations.
The information we collect can be categorised as follows:
Personally Identifiable Information (PII): Such as name, email address, telephone number, etc.
Sensitive Personal Information: Such as financial information (which may require additional protection under applicable laws and regulations).
Technical Information: Such as device model, operating system, browser type, etc.
Behavioural Information: Such as pages visited, links clicked, features used, etc.
We collect and process your information only on lawful, transparent, and fair grounds, ensuring that all information collection activities have a clear legal basis, such as:
Contractual Fulfilment: Personal information necessary to fulfil our service agreements with you.
Legitimate Interests: For our legitimate business interests, such as providing and improving Services, marketing, etc.
User Consent: In certain cases, collecting and processing information based on your explicit consent.
We utilise the collected information to provide, maintain, and improve our Services, ensure a personalised user experience, and comply with applicable laws and regulations. Specifically, our usage includes but is not limited to the following:
Service Provision: Using your information to deliver the services you request, including processing transactions, managing accounts, supporting customer service, and performing other related functions.
Account Management: Maintaining your account information to ensure you can access and use our Services seamlessly.
Security Assurance: Monitoring and protecting our Services from unauthorised access, alteration, disclosure, or destruction.
Content Customisation: Personalising content, recommending products or services based on your preferences and usage behaviour to enhance your experience.
User Interface Optimisation: Improving our user interface design and feature layout based on your interaction data.
Points Transactions and Usage Patterns: Ensuring fair usage of the Points system and delivering tailored incentives that match user preferences.
Important Notifications: Sending technical notices and security alerts related to your account, security, or service updates.
Marketing and Promotions: Sending marketing information about our products, services, promotional activities, or partners, provided you have consented to receive such information (see Your Privacy Rights and Choices).
Customer Support: Responding to your inquiries, feedback, and support requests to provide necessary assistance and solutions.
Trend Analysis: Analysing user data to identify usage trends, behaviour patterns, and service demands to improve existing Services or develop new ones.
Performance Monitoring: Monitoring Service performance, identifying and fixing technical issues to ensure efficient operation.
Research and Development: Conducting internal research and development activities to innovate and optimise our products and Services.
Legal Obligations: Complying with applicable laws, regulations, legal processes, and governmental requests, including but not limited to tax, accounting, and anti-money laundering regulations.
Risk Management: Detecting, preventing, and responding to potential security threats, fraudulent activities, or illegal actions to protect the interests of Card3 and its users.
Dispute Resolution: Assisting in resolving disputes between users and Card3, or responding to information requests in legal proceedings.
We may utilise automated tools and algorithms to process and analyse your information to support our Service functions and business decisions. These automated decisions may include but are not limited to:
Risk Assessment: Evaluating account security or fraud detection.
Content Recommendation: Recommending relevant content or services based on your interests and behaviour.
When collaborating with our partners or third-party service providers, we may share your information to provide an integrated service experience. This includes but is not limited to:
Payment Processing: Partnering with payment gateways to handle transaction information.
Social Media Integration: Collaborating with social media platforms to provide social login and sharing functionalities.
Data Analysis: Working with analytics service providers to conduct user behaviour analysis and optimise Services.
We commit to ensuring the legality, transparency, and fairness of your information use. All information processing activities are based on lawful grounds and, where necessary, obtain your explicit consent.
We employ various technologies and tools to analyse and track user behaviour and interactions while using our Services. These analysis and tracking activities help us understand user needs, optimise service performance, and enhance user experience. Our specific practices regarding analysis and tracking include:
Cookies are small text files stored on your device that help us remember your preferences and behaviour. We also use other similar tracking technologies, including web beacons, pixel tags, and software development kits (SDKs), to collect and store information about your use of our Services.
Functional Cookies: Used to ensure our Website and Services operate correctly, such as remembering your login status or language preferences.
Performance Cookies: Collect data on how you use our Services to help us improve website performance and user experience.
Advertising Cookies: Used to display advertisements that may interest you and measure the effectiveness of advertising campaigns.
Social Media Cookies: Allow you to share content or log in to our Services via social media platforms.
We collaborate with third-party analytics service providers who may use Cookies, web beacons, SDKs, and device identifiers to collect information about your use of our Services and other websites and mobile applications. This information includes but is not limited to your IP address, browser type, pages visited, time spent, links clicked, and conversion information. We use this data to:
Analyse User Behaviour: Understand how users interact with our Services, identify usage trends and patterns.
Optimise Content and Features: Improve website design, feature layout, and content presentation based on analysis results.
Measure Marketing Effectiveness: Assess the effectiveness of advertising and marketing campaigns to optimise marketing strategies.
Conduct A/B Testing: Test different versions of pages or features to determine which versions are more popular with users.
We may use the following technologies and services for advertising and marketing activities:
Retargeting Ads: Displaying personalised advertisements to users who have previously visited our Website to encourage revisits and conversions.
Partner Tracking: Sharing anonymised user data with partners to facilitate joint marketing and promotional activities.
You can manage and control our analysis and tracking activities through the following means:
Browser Settings: Most browsers allow you to manage Cookies settings, including blocking Cookies or being notified when Cookies are sent.
Ad Preferences Centre: Visit the Ad Preferences Centre to manage your advertising preferences.
Opt-Out of Third-Party Ad Networks: Opt out of personalised advertising by visiting the Network Advertising Initiative or Digital Advertising Alliance.
Please note that disabling certain Cookies and tracking technologies may affect your experience and functionality when using our Services.
To protect your privacy, we anonymise and aggregate the data we collect. This means we do not associate personally identifiable information with analytical data, ensuring that your personal information is neither disclosed nor misused.
We ensure that all analysis and tracking activities comply with applicable data protection laws and regulations, including but not limited to Hong Kong's Personal Data (Privacy) Ordinance (PDPO), the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). In processing your data, we adhere to the principles of legality, transparency, and data minimisation, ensuring that your privacy rights are respected and protected.
We may disclose your personal information under specific circumstances, including but not limited to the following scenarios. We commit to disclosing your information only in the situations described in this Privacy Policy or with your explicit consent.
To provide you with our Services, we may disclose your personal information to the following types of third parties:
Service Providers: Including but not limited to providers of website hosting, payment processing, data analysis, customer service, marketing and advertising, technical support, and other services. These service providers may use your information only to the extent necessary to provide these services to us and must comply with applicable data protection laws.
Corporate Partners: Corporate partners collaborating with us may need access to certain information about you to provide integrated services or products. For example, blockchain service providers may require your wallet address to process transactions.
In the following circumstances, we may disclose your personal information to comply with legal obligations, protect our rights, or respond to legal processes:
Legal Proceedings: If we receive a court order, subpoena, or other legal documents requiring us to disclose your information, we will comply with the relevant legal provisions.
Law Enforcement Requests: To cooperate with law enforcement investigations or legal proceedings, we may need to disclose your information.
Emergency Situations: In emergencies, to protect the life, safety, or property of users, we may disclose necessary information.
During corporate transactions, we may disclose your personal information:
Mergers and Acquisitions: If we are involved in a merger, acquisition, asset sale, or other corporate restructuring, your information may be transferred to the relevant parties as part of the transaction.
Financing: In the course of financing, potential investors or financial institutions may require access to certain business information, including data related to you.
To protect the rights, property, or safety of Card3, our users, or others, we may need to disclose your personal information. This includes but is not limited to:
Fraud Prevention: Detecting and preventing fraudulent activities.
Security Protection: Ensuring our Services are not misused and maintaining the integrity and security of our Services.
Enforcement of User Agreements: Enforcing our user agreements and terms of use to prevent abuse or violations.
We may share aggregated or anonymised information with third parties, which cannot be used to identify you personally. Nevertheless, we do not attempt to re-identify such information unless required by law.
In certain circumstances, we may disclose your personal information based on your explicit consent. For example, when you choose to participate in promotional activities or subscribe to our newsletters, we may use your information for related purposes. You may withdraw your consent at any time, as outlined in the User Rights section.
As previously mentioned, we may transfer your personal information to servers or databases located outside your country or region. The data protection laws in these countries or regions may differ from those in your country or region, but we will ensure that such transfers comply with applicable data protection laws and implement necessary safeguards, such as using the European Union Standard Contractual Clauses (SCCs).
We do not sell your personal information to third parties for commercial purposes. Your information is solely used to provide and improve our Services, enforce this Privacy Policy, and comply with legal obligations.
We retain your personal information in accordance with the purposes outlined in this Privacy Policy and the requirements of applicable laws. Below are the specifics of our data retention policies:
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required or permitted by law. Specifically:
Account-Related Data: We retain personal information related to your account for as long as your account remains active. Even if you delete your account, we may retain certain information for a reasonable period to address legal obligations, resolve disputes, or enforce our agreements.
Transaction and Financial Data: To comply with legal, regulatory, or supervisory requirements, we may need to retain data related to your transactions and financial activities. The retention period for this data will be determined based on the specific requirements of applicable laws.
Business Operations and Analysis: To improve our Services, conduct internal analyses and research, we may retain anonymised or aggregated data. This data is not linked to your personal identity.
Legal Compliance: When required to respond to legal proceedings, investigations, or law enforcement requests, we may retain relevant personal information until the end of the legal retention period.
We will delete your personal information in the following circumstances:
User Request for Deletion: To request the deletion of your personal information, please send an email to mail@card3.ai. We will delete your data within a reasonable time, unless we are required by law to retain certain information.
Data No Longer Needed: When your personal information is no longer used for the purposes for which it was collected and is no longer needed to achieve those purposes, we will delete or anonymise such data.
Legal Requirements: If we are legally required to retain certain information, we will retain it in accordance with legal requirements and delete it to the extent permitted by law.
To protect your privacy, we may anonymise and aggregate the data we collect. This means we do not associate personally identifiable information with analytical data, ensuring that your personal information is neither disclosed nor misused. Anonymised data may be used for statistical analysis, research, and business improvement without identifying specific individuals.
We are committed to collecting and retaining only the minimum amount of personal information necessary to achieve our business purposes. By adhering to the data minimisation principle, we reduce potential privacy risks and ensure our data processing activities comply with applicable data protection laws and best practices.
To ensure the continuity of Services and data integrity, we may regularly back up your personal information. This backup data is stored in secure environments and protected according to the same security standards as primary data. Backup data is used solely for data recovery in the event of system failures, data corruption, or other emergencies and is securely deleted when no longer needed.
When we determine that your personal information needs to be deleted, we will employ secure data destruction methods, including but not limited to:
Electronic Data Destruction: Using secure erasure tools to completely delete data from electronic storage devices, ensuring it cannot be recovered.
Physical Data Destruction: Destroying physical media containing personal information, such as hard drives, flash drives, and paper documents, to ensure data is no longer accessible.
If you want to delete your data, please send an email to mail@card3.ai to request the deletion. Once deleted, no information related to you will be stored anymore.
Through these measures, we ensure that your personal information is thoroughly and securely destroyed when no longer needed.
We respect and are committed to protecting your privacy rights. Under applicable data protection laws and regulations, you are entitled to the following rights. This section outlines your rights and how to exercise them.
If you are located within the European Economic Area (EEA) or Switzerland, you are entitled to the following rights under the General Data Protection Regulation (GDPR):
Right of Access: You have the right to request access to the personal data we hold about you, including detailed information on how we process your data.
Right to Rectification: If you find that the personal data we hold about you is inaccurate or incomplete, you have the right to request correction of such information.
Right to Erasure (Right to be Forgotten): In certain circumstances, you have the right to request the deletion of your personal data, such as when the data is no longer necessary for the purposes for which it was collected or you withdraw your consent.
Right to Restrict Processing: You have the right to restrict our processing of your personal data in specific situations, such as when you contest the accuracy of the data or object to its processing.
Right to Data Portability: You have the right to request your personal data in a structured, commonly used, and machine-readable format and to transfer that data to another data controller.
Right to Object: You have the right to object to our processing of your personal data based on legitimate interests or the performance of a public task, particularly in direct marketing scenarios.
Right to Withdraw Consent: If we process your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the legality of processing carried out prior to your withdrawal.
Right to Automated Decision-Making: Under GDPR, you have the right not to be subject to decisions based solely on automated processing, including profiling, which have legal or similarly significant effects on you.
If you are a resident of California, you are entitled to the following rights under the California Consumer Privacy Act (CCPA):
Right to Know: Understand the categories of personal information we collect, the sources of that information, its use, and with whom it is shared.
Right to Access: Access the personal information we have collected about you.
Right to Delete: Request the deletion of the personal information we have collected about you.
Right to Opt-Out: Opt out of the sale or sharing of your personal information.
Right to Non-Discrimination: Exercising your privacy rights will not result in discrimination against you.
California "Shine The Light" Law: Under California Civil Code Section 1798.83 ("Shine The Light" Law), California residents have the right to request and obtain the following information annually at no cost:
The categories of personal information disclosed to third parties in the previous calendar year.
The names and addresses of all third parties with whom personal information was shared.
If you are located in Hong Kong, you are entitled to the following rights under the Personal Data (Privacy) Ordinance (PDPO):
Right to Access: You have the right to access your personal data held by us.
Right to Correct: If you find that the personal data we hold about you is inaccurate or incomplete, you have the right to request correction of such information.
Right to Refusal: In certain circumstances, you can refuse our continued processing of your personal data.
In some other regions, you may also enjoy similar privacy rights, such as:
Access and Correction: Request access to and correction of your personal information.
Deletion: Request the deletion of your personal information.
Restriction of Processing: Request restriction on the processing of your personal information.
Data Portability: Request to receive your personal data in a portable format.
Right to Object: Object to certain types of data processing, such as direct marketing.
We may transfer your personal information to servers or databases located outside your country or region. The data protection laws in these countries or regions may differ from those in your country or region, but we will ensure that such transfers comply with applicable data protection laws and implement necessary safeguards, such as using the European Union Standard Contractual Clauses (SCCs).
International Data Transfer: To provide our Services and improve user experience, we may transfer your personal information to third-party service providers located outside your country or region. The data protection laws in these countries or regions may differ from those in your country of residence.
Safeguards:
European Union Standard Contractual Clauses (SCCs): If your data transfer involves users from the European Economic Area (EEA) or Switzerland, we will utilise the European Union Standard Contractual Clauses (SCCs) as the legal basis for data transfer.
Hong Kong Personal Data (Privacy) Ordinance (PDPO): For transfers involving Hong Kong, we will ensure that third-party service providers comply with Hong Kong's PDPO, ensuring that your personal information is afforded the same level of protection.
Contractual Obligations: We will enter into written agreements with all third-party service providers to ensure they comply with applicable data protection laws and use your personal information solely for the purposes necessary to provide the Services.
By using our Services, you consent to the transfer of your personal information to other countries or regions in accordance with this Privacy Policy and agree that we will implement necessary safeguards to protect your information.
Our data transfer activities are based on the following legal grounds:
Contractual Fulfilment: To fulfil our service agreements with you, we need to transfer necessary personal information.
Legitimate Interests: For our legitimate business interests, such as providing efficient Services and improving user experience.
User Consent: In certain cases, based on your explicit consent, we transfer data.
While we implement reasonable measures to protect your personal information, cross-border data transfers may involve different legal environments and risks. We strive to ensure your information is adequately protected during transmission, but we cannot fully guarantee the security of cross-border transfers.
In the following special circumstances, we may transfer your personal information to other countries or regions:
Corporate Transactions: During mergers, acquisitions, asset sales, or other corporate restructurings.
Legal Requirements: When legally required, such as court orders or law enforcement requests.
Emergency Situations: To protect the life, safety, or property of users, we may need to transfer your information in emergencies.
Do-Not-Track (DNT) is a browser setting that allows users to send signals to websites and online services indicating that they do not wish to be tracked. While DNT signals are widely discussed, there are currently no unified technical standards or legal requirements to respond to DNT signals.
Currently, our systems do not detect or respond to DNT signals. This means that even if you have enabled DNT settings, we will continue to collect and use your information in the manner described in this Privacy Policy.
Should laws require or technical standards be established regarding DNT, we will update our Privacy Policy and data processing practices accordingly to respond to DNT signals. At that time, we will update this Privacy Policy and notify you to explain how we handle DNT signals.
We take the security of your personal information seriously and implement various technical and organisational measures to protect your data from unauthorised access, disclosure, alteration, or destruction. Below are our specific security measures:
- Transmission Encryption: We utilise industry-standard encryption technologies (such as TLS/SSL) to protect data transmitted during your use of our Services, ensuring your information is not intercepted or altered by third parties during transmission.
- Storage Encryption: Your personal information is also encrypted during storage to prevent unauthorised access and data breaches.
- Principle of Least Privilege: Only employees and contractors who need access to your personal information to provide Services are granted access. All access permissions adhere to the principle of least privilege, ensuring employees only access information necessary for their work.
- Authentication: We implement robust authentication mechanisms, including multi-factor authentication (MFA), to ensure that only authorised personnel can access sensitive data and systems.
- Firewalls and Intrusion Detection Systems: We deploy firewalls and intrusion detection systems to prevent unauthorised access and network attacks, protecting our servers and infrastructure.
- Regular Security Assessments: We conduct regular security assessments and penetration testing to identify and rectify potential security vulnerabilities, ensuring our systems remain secure.
- Regular Backups: We regularly back up your personal information to prevent data loss or corruption. Backup data are stored in secure environments and protected according to strict security standards.
- Disaster Recovery Plan: We have established a disaster recovery plan to ensure that in the event of major system failures or data loss incidents, we can promptly restore Services and data, minimising the impact on users.
- Security Training: All employees and contractors undergo training on data protection and information security upon joining and regularly participate in refresher training to stay informed about the latest security threats and protection measures.
- Security Awareness Program: We conduct security awareness programs to enhance employees' understanding of common security threats, such as phishing and social engineering attacks, and promote good security practices.
- Data Centre Security: All data centres we utilise are equipped with stringent physical security measures, including 24/7 monitoring, access controls, video surveillance, and fire and theft prevention systems, ensuring the security of data storage facilities.
- Office Environment Security: At our offices, we implement physical access controls to restrict unauthorised personnel from entering areas where personal information is stored.
- Incident Monitoring and Detection: We continuously monitor our systems and networks to promptly detect and respond to potential security incidents.
- Response Plan: We have a comprehensive security incident response plan to ensure that in the event of a security incident, we can quickly take action to limit damage, notify affected users, and cooperate with law enforcement as necessary.
- Post-Incident Analysis and Improvement: Following a security incident, we conduct post-incident analysis to assess the cause and impact of the incident and implement necessary measures to prevent similar incidents from occurring in the future.
- Regular Audits: We regularly conduct internal and external audits of our security measures to ensure their effectiveness and compliance.
- Compliance Checks: We collaborate with third-party security experts to perform security compliance checks, ensuring our security practices meet industry standards and legal regulatory requirements.
- Continuous Improvement: We continually evaluate and enhance our security strategies and measures to address evolving security threats and technological advancements.
- Policy Revisions: If updates to our security policies and measures are required, we will promptly revise them and notify users through appropriate channels.
We may update this Privacy Policy from time to time to reflect changes in our information processing practices, legal and regulatory updates, or other necessary adjustments. The updated Privacy Policy will take immediate effect, and the "Last Updated Date" will be displayed on this page.
When we make significant changes to this Privacy Policy, we will notify you through the following methods:
- Website Announcement: Publish a Privacy Policy update notice prominently on our Website.
- Effective Date: Each time the Privacy Policy is updated, the "Last Updated Date" at the top will be modified to reflect the latest effective date.
- Continued Use: Your continued use of our Services after the Privacy Policy has been updated indicates your acceptance of and agreement to the updated Privacy Policy. If you do not agree with the updated Privacy Policy, please cease using our Services.
We encourage you to regularly review this Privacy Policy to understand how we collect, use, disclose, and protect your personal information. Staying informed about our privacy practices ensures you have a comprehensive understanding of how we handle your information.
In certain situations, such as legal requirements or emergencies, we may update this Privacy Policy immediately without additional notice. However, we will endeavour to update this page and reflect the latest effective date as soon as possible.
- Email: mail@card3.ai
If you wish to exercise your data protection rights (such as accessing, correcting, or deleting your personal data), please follow the steps below:
Submit a Request:
Send your request via email to mail@card3.ai
Clearly indicate "Data Access Request" or a related subject in the email subject line to enable us to promptly identify and process your request.
Provide Necessary Information:
Please include sufficient information in your email to help us identify your account and relevant data. This may include your full name, registered email address, username, or other identifying information.
Identity Verification:
To protect your privacy and data security, we may require identity verification. You may need to provide a valid government-issued identification document (such as a passport or driver's licence) or other information that can verify your identity.
Processing Time:
We will process your request as promptly as possible and respond within the legally mandated timeframe. Typically, we will respond within 30 working days, although in some cases, additional time may be required.
To ensure our data protection strategies comply with applicable laws and regulations, Card3 has appointed a Data Protection Officer (DPO). If you have any questions regarding data protection or require further assistance, please contact our DPO using the contact information provided above.