Legal

Legal documents

Effective date: 2026-05-06. For support, privacy, account, billing, security, export, or deletion requests, contact support@ignislabs.io.

Terms of Service

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Who we are

These Terms govern use of (my)cards, (my)loyalty, related websites, APIs, and support channels operated by Ignis Labs (Pty) Ltd, registration number 2025/758623/07, VAT number 4670324104, with registered address at 28 Wesley Street, Observatory, Cape Town, 7806.

Contact: support@ignislabs.io.

2. Acceptance and eligibility

By accessing or using the Services, you agree to these Terms. You confirm that you have legal capacity to use the Services in your country or region. If you are below the age of legal capacity, you may use the Services only with consent and supervision from a parent, guardian, or other legally authorized representative, where local law permits this.

If you use the Services for an organization, you confirm that you are authorized to bind that organization.

3. Service description

(my)cards is a digital card wallet and access platform. It can store, display, organize, and sync user-added card records such as card numbers, barcodes, labels, notes, and related metadata.

(my)loyalty is a loyalty platform that facilitates merchant loyalty plans, points/stamps/rewards records, QR issuing/redemption flows, and related analytics. Merchants remain responsible for their customer offers, staff actions, reward availability, store/franchise configuration, and honoring merchant-funded rewards unless Ignis Labs expressly agrees otherwise in writing.

We may add, change, suspend, or discontinue features where reasonably required for product, legal, security, or operational reasons.

Some account, sync, recovery, export, deletion, sharing, and loyalty features may be introduced, changed, or expanded over time and may not be available to every user, platform, country, merchant, or account type at the same time.

4. Accounts and security

You are responsible for keeping your devices, operating-system accounts, passwords, passcodes, biometrics, account credentials, recovery methods, and shared devices secure.

Possession of an authenticated device, authenticated account, shared card, screenshot, backup credential, or recovery method may permit access to stored cards, loyalty records, or account features.

You must promptly contact relevant card issuers, retailers, merchants, or loyalty providers directly for card freezes, reversals, balance disputes, or redemption disputes. To the extent permitted by law, Ignis Labs is not responsible for losses caused by stolen devices, compromised accounts, malware, unsafe device settings, shared devices, user-authorized sharing, incorrect recipient selection, or unauthorized access outside our reasonable control.

5. Third-party cards, balances, rewards, and stored value

Unless we expressly state otherwise, Ignis Labs does not issue, hold, insure, reimburse, reverse, recover, or guarantee third-party card balances, loyalty points, rewards, vouchers, coupons, gift cards, or other stored-value products.

Third-party cards, balances, vouchers, coupons, and issuer-controlled loyalty programs remain subject to the relevant issuer, retailer, merchant, or program terms. Disputes about third-party transactions, balances, expired value, unauthorized redemption, or issuer records must be handled with the relevant issuer, retailer, merchant, or loyalty provider.

Displayed balances, rewards, program status, or activity may be delayed, stale, unavailable, or inaccurate due to sync delays, network issues, merchant configuration, issuer systems, API failures, or third-party outages.

6. Sync, backups, recovery, export, deletion, and sharing

V2 (my)cards may provide account-backed encrypted cloud sync through the Ignis API. Legacy recovery paths may continue to use iCloud/CloudKit on iOS or Google Drive on Android for eligible users.

Sync, backup, restore, migration, and recovery features are provided subject to technical limits. We do not guarantee that any backup, restore, sync, migration, or recovery attempt will be uninterrupted, complete, current, or error-free.

Sensitive synced card fields use application-level field encryption before database storage, with encryption key material stored through GCP Secret Manager and access governed through production security controls. This is not end-to-end encryption: authorized application processes and restricted administrative access may decrypt relevant app-stored records where necessary to provide the Services, support a verified and authorized support request, process a lawful rights request, investigate abuse/security issues, or comply with law.

Verified export requests may be fulfilled through an automated export process that collates account data into a downloadable ZIP file. After verification/request acceptance, export files are normally generated within 24 hours. Download links/packages are retained for up to 48 hours after generation and then deleted.

Verified deletion requests may be actioned through deletion processes designed to delete or anonymise user data across Ignis-controlled systems, subject to legal obligations, dispute/security needs, backup lifecycle constraints, and external systems controlled by users or third-party providers.

If sharing or transfer features are enabled, you are responsible for choosing the correct recipient. Recipients who receive access through a user-authorized share may be treated as authorized users for that shared content. Current planned account-to-account sharing requires the recipient to have an account, requires a separate in-product acknowledgement before sharing, and creates an audit record, but does not currently support revocation. Screenshot sharing remains your responsibility and is treated similarly to sharing a physical card or image of a card.

7. Acceptable use

You must not use the Services unlawfully, fraudulently, abusively, or in a way that interferes with security, availability, integrity, payments, entitlements, loyalty issuing/redemption, QR controls, or another user's rights.

Additional rules are set out in the Acceptable Use Policy.

8. Third-party services and app stores

Some functionality relies on third parties, including app stores, analytics, diagnostics, hosting, support tooling, payment platforms, iCloud/CloudKit, Google Drive, and merchant/issuer systems. Their terms and policies may also apply.

For app-store distributed services, Apple or Google platform terms may govern billing, subscriptions, refunds, and certain license conditions.

9. Fees, billing, renewals, cancellations, and refunds

Paid features, subscriptions, or business plans will be described in-product, in the relevant app store, or in an order form.

Platform-billed purchases are generally handled through the relevant app store's merchant-of-record process. Refund rights depend on billing channel and mandatory law. Nothing in these Terms limits non-waivable statutory rights.

For billing support, contact support@ignislabs.io.

10. Support limitations

Support can help with app, account, sync, export, deletion, and (my)loyalty service issues within our available records and tools. Support cannot guarantee recovery of third-party card balances, reverse third-party transactions, compel issuers or merchants to honor rewards, or investigate events that depend on systems we do not operate.

11. Intellectual property

The Services, including software, branding, design, and content excluding user-provided data, are owned by Ignis Labs or licensors and protected by law. We grant you a limited, revocable, non-exclusive, non-transferable license to use the Services in accordance with these Terms.

12. Suspension and termination

We may suspend or terminate access where reasonably necessary, including for material breach, security risk, legal requirement, fraudulent activity, abusive activity, or payment/entitlement issues.

You may stop using the Services at any time, subject to any subscription, billing, or contract obligations.

13. Disclaimers and limitation of liability

To the fullest extent permitted by law, the Services are provided on an "as available" basis. We do not guarantee that the Services will be uninterrupted, error-free, or fit for every specific purpose.

To the extent allowed by law, indirect, incidental, special, consequential, or punitive damages are excluded. Examples of excluded loss, where permitted by law, include lost rewards, lost balances, expired vouchers, issuer disputes, merchant disputes, fraud, theft, unauthorized redemption, device compromise, account compromise, service outages, sync failures, backup failures, restore failures, stale third-party data, or third-party retailer/issuer system failures.

Mandatory legal protections and non-excludable liabilities remain unaffected.

14. Governing law and disputes

These Terms are governed by the laws of the Republic of South Africa, without prejudice to mandatory consumer protection, data protection, or other non-waivable rights that may apply in your country or region.

The courts of South Africa will have jurisdiction over disputes, except where mandatory law gives you a right to bring or defend claims in another forum.

15. Changes to these Terms

We may update these Terms to reflect service, legal, operational, or security changes. Material changes will be communicated through reasonable channels, such as in-app notice, website notice, or email where available.

Privacy Policy

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Who we are

This Privacy Policy explains how Ignis Labs (Pty) Ltd, registration number 2025/758623/07, handles personal information for (my)cards, (my)loyalty, related websites, APIs, and support interactions.

Contact: support@ignislabs.io
Address: 28 Wesley Street, Observatory, Cape Town, 7806

2. Our role

Ignis Labs may act as:

  • a responsible party/controller for service operations, account administration, support, analytics, security, billing, and product improvement; and
  • an operator/processor in defined business contexts where we process merchant/customer data for (my)loyalty on a business customer's instructions.

3. Information we collect

Depending on the Services used, we may process:

  • account/contact data, such as name, email address, organization role, and support identity details;
  • card and wallet records, such as store links, card type, barcode/QR format, labels, notes, sync status, restore status, and related metadata;
  • encrypted sync and recovery content for V2 (my)cards;
  • legacy recovery metadata where iCloud/CloudKit or Google Drive is used by eligible users;
  • (my)loyalty program data, such as merchant program membership, stamps, points, rewards, QR issuing/redemption events, transaction history, analytics, and merchant/customer records;
  • usage, analytics, diagnostic, crash, and security data;
  • billing and transaction metadata, such as subscription/order identifiers and payment status, but not full payment-card PAN where platform billing handles payment;
  • support communications, attachments, export/deletion requests, and related correspondence.

The information we process depends on the features you use. Some account, sync, recovery, export, deletion, sharing, and loyalty features may be introduced, changed, or expanded over time and may not be available to every user, platform, country, merchant, or account type at the same time.

Current card-share images are generated on device and are not uploaded to Ignis storage. If we add card-photo or identity-card attachment storage, that storage will be protected by authenticated/tokenized access controls.

4. Important limits around third-party card value

(my)cards does not give Ignis Labs access to third-party issuer systems unless we expressly state that a specific integration applies. We generally cannot view, verify, freeze, reverse, restore, or reimburse third-party issuer balances, voucher values, gift-card values, loyalty points, transaction histories, or issuer-side redemptions.

5. Why we process information

We process information to:

  • provide, maintain, and secure the Services;
  • create and manage accounts;
  • provide sync, backup, restore, migration, export, and deletion features;
  • operate (my)loyalty programs, QR issuing/redemption, rewards, analytics, and merchant reporting;
  • provide support and respond to requests;
  • detect abuse, fraud, security issues, and service failures;
  • process billing/subscription metadata and contractual administration;
  • comply with legal obligations and enforce rights.

Legal bases depend on the jurisdiction and context and may include contract performance, legitimate interests, legal obligation, consent where required, and customer instructions in processor/operator contexts.

6. Security and encryption

We use technical and organizational controls appropriate to risk, including access controls, monitoring, secure development practices, encryption in transit, storage/database encryption controls, and application-level field encryption for sensitive synced card fields.

Sensitive synced card fields are encrypted before database storage, with key material stored through GCP Secret Manager and access governed through production security controls. This is not end-to-end encryption: authorized application processes and restricted administrative access may decrypt relevant app-stored records where necessary to provide the Services, support a verified and authorized support request, process a lawful rights request, investigate abuse/security issues, or comply with law.

No system is perfectly secure.

7. Sharing and recipients

We share information only where needed with:

  • infrastructure, hosting, storage, and database providers;
  • analytics and diagnostics providers;
  • customer support tooling;
  • app stores, billing platforms, or payment ecosystems;
  • iCloud/CloudKit or Google Drive where selected/used by the user for legacy recovery;
  • merchants and business customers where needed to operate (my)loyalty;
  • professional advisers, authorities, or dispute parties where legally required or reasonably necessary.

We do not sell personal information in the ordinary commercial sense.

8. International transfers

Data may be processed outside your country, including jurisdictions that may not offer equivalent privacy protection. Where required, we apply contractual, organizational, and technical safeguards appropriate to the transfer.

9. Retention

We retain data only as long as needed for service delivery, account management, support, security, legal obligations, dispute handling, merchant program administration, and backup lifecycle needs. More detail is set out in the Data Retention and Deletion policy.

10. Exports, deletion, and privacy rights

Subject to jurisdiction and verification, you may request access, correction, deletion, restriction/objection, portability/export, or withdrawal of consent where consent applies.

Request channel: support@ignislabs.io

Verified export requests may be fulfilled through an automated export process that collates account data into a downloadable ZIP file. After verification/request acceptance, export files are normally generated within 24 hours. Download links/packages are retained for up to 48 hours after generation and then deleted.

Verified deletion requests may be actioned through deletion processes designed to delete or anonymise user data across Ignis-controlled systems, subject to legal obligations, dispute/security needs, backup lifecycle constraints, and third-party systems controlled by users or external providers.

We may refuse or limit requests where law permits and will explain the basis where required.

11. Children and legal capacity

Services are not intentionally directed at people who do not have legal capacity to use the Services in their country or region without consent from a parent, guardian, or other legally authorized representative. If we learn of unauthorized child data collection, we will take appropriate deletion/remediation steps.

12. Complaints

Please contact us first at support@ignislabs.io.

You may also complain to the South Africa Information Regulator in a POPIA context or to another relevant supervisory authority where applicable.

13. Changes to this Policy

We may update this Policy to reflect service, legal, operational, or security changes. Updated versions will carry a revised effective date.

Data Retention and Deletion

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Retention principles

We retain personal information only as long as needed for the purpose collected or processed, unless law, contract, legitimate business/legal need, consent, or protected statistical/research use permits longer retention.

Financial, tax, VAT, and accounting records are retained for at least 5 years where Ignis holds them, and longer where required for an audit, investigation, dispute, unpaid/unsubmitted return, legal hold, or similar statutory reason.

2. Retention schedule

| Data category | Retention period |
| --- | --- |
| App telemetry | Up to 24 months |
| Crash/error diagnostics | Up to 12 months |
| Support tickets and support emails | Up to 36 months, unless longer needed for disputes, security, or legal obligations |
| User export ZIP/download package | Up to 48 hours after generation |
| Billing/financial records | 5 years where held, or longer if legally required |
| Security logs | Up to 18 months, unless longer needed for security investigation or legal hold |
| Ignis-controlled backups | Up to 90 day rolling lifecycle, unless otherwise required |
| Encrypted (my)cards sync data | While account/service remains active, then deleted/anonymised on verified deletion subject to legal and backup lifecycle limits |
| Card-photo/identity-card attachments, where available | While account/service remains active, then deleted/anonymised on verified deletion subject to legal and backup lifecycle limits |
| Legacy iCloud/CloudKit or Google Drive recovery data | Controlled by user/platform settings and provider retention behavior |
| (my)loyalty program records | While program/account remains active, then retained as needed for merchant contract, audit, fraud, redemption, dispute, and legal purposes |
| QR issuing/redemption audit records | Up to 5 years where needed for fraud, reward/redemption audit, merchant contract, or dispute purposes |
| B2B tenant data after termination | Up to 60 days for export/wind-down unless contract, law, dispute, or backup lifecycle requires longer |

3. Export requests

Verified export requests may be fulfilled by an automated job that collates available account data into a downloadable ZIP file.

Export files are normally generated within 24 hours after verification/request acceptance.

Export ZIP/download packages are retained for up to 48 hours after generation, then deleted.

4. Deletion requests

Verified deletion requests may be actioned through deletion processes designed to delete or anonymise user data across Ignis-controlled systems where no overriding legal basis exists.

Deletion may be delayed or limited where required for:

  • legal obligations,
  • active legal claims/disputes,
  • fraud/security investigations,
  • merchant reward/redemption audit trails,
  • backup integrity constraints during normal expiration windows.

Deletion commitments distinguish Ignis-controlled systems from iCloud/CloudKit, Google Drive, app stores, payment providers, merchants, issuers, and other third-party systems.

5. Contact

Send export, deletion, or privacy requests to support@ignislabs.io.

Charges, Billing and Refunds

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Pricing and billing channels

Paid functionality may be offered through subscriptions, one-time purchases, or business invoicing.

Prices, billing periods, currencies, taxes, renewals, and included features are displayed at the point of purchase, in the relevant app store, or in an order form.

2. App-store purchases

For app-store purchases, Apple or Google may act as merchant of record under their platform terms. Subscriptions may auto-renew unless canceled through the relevant app-store account settings before renewal.

Refund requests for platform-billed purchases are generally handled through the relevant Apple or Google refund process.

3. Direct/business billing

For direct invoicing, Ignis Labs (Pty) Ltd, registration number 2025/758623/07, VAT number 4670324104, is merchant of record unless a separate signed agreement states otherwise.

Direct billed subscriptions, renewals, cancellations, failed payments, and refunds are handled under the relevant order form, contract, and mandatory law.

4. Refunds and statutory rights

Refund eligibility depends on billing channel, contract terms, platform rules, and mandatory consumer law. Non-waivable consumer protections remain intact.

5. Billing support

For billing support, contact support@ignislabs.io with relevant identifiers such as account email, order/invoice ID, platform transaction ID, and transaction date.

Security Disclosure and Contact

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Purpose

We support responsible, good-faith reporting of security vulnerabilities affecting (my)cards, (my)loyalty, related APIs, and related websites.

2. How to report

Send reports to support@ignislabs.io.

Please include where possible:

  • affected product/environment,
  • reproducible steps,
  • impact/severity assessment,
  • proof-of-concept details,
  • your contact information.

3. Good-faith reporting

We ask researchers to:

  • avoid privacy violations and data exfiltration,
  • avoid service disruption or destructive testing,
  • avoid social engineering, physical attacks, extortion, or coercive disclosure demands,
  • give us reasonable time to investigate and remediate before public disclosure.

4. Out-of-scope examples

Issues may be out of scope if they are low-impact informational findings, duplicate reports without new information, findings in third-party systems beyond our control, or automated bulk scanning that degrades service.

5. Incident communication

Where incidents affect personal information or service integrity, we handle notifications in line with legal and contractual obligations.

Acceptable Use Policy

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Scope

This Acceptable Use Policy applies to users, merchants, staff/admin users, API clients, and integrators using (my)cards, (my)loyalty, related APIs, dashboards, and support surfaces.

2. General rules

You must not:

  • use the Services unlawfully, fraudulently, deceptively, or abusively;
  • interfere with service security, integrity, availability, rate limits, or anti-abuse controls;
  • bypass QR, redemption, anti-replay, authentication, billing, entitlement, or access controls;
  • scrape, copy, or extract data without authorization;
  • upload, submit, or share content that infringes rights or violates law;
  • impersonate another person, merchant, staff member, or account holder;
  • misuse support, export, deletion, or recovery channels.

3. Card and sharing rules

You are responsible for the cards, screenshots, images, records, and account-to-account shares you create or authorize.

If sharing or transfer features are enabled, you are responsible for choosing the correct recipient. Access granted by you may be treated as authorized access. Current planned account-to-account sharing requires the recipient to have an account, requires a separate in-product acknowledgement before sharing, and creates an audit record, but does not currently support revocation.

4. (my)loyalty merchant and staff rules

Merchants and staff must:

  • configure loyalty plans, rewards, franchise/network participation, and redemption rules accurately;
  • honor valid customer offers and rewards according to applicable merchant/program rules;
  • train staff and keep cashier PINs, staff devices, QR scanners, and admin accounts secure;
  • not issue, redeem, reverse, alter, or manipulate points/stamps/rewards fraudulently;
  • not use customer data outside permitted loyalty, support, analytics, or legal purposes.

Ignis facilitates the platform and related analytics. Merchants remain responsible for their customer offers, staff actions, store/franchise configuration, and merchant-funded reward obligations unless Ignis expressly agrees otherwise in writing.

5. QR issuing and redemption

(my)loyalty QR issuing/redemption controls may include encrypted signed payloads, device-specific data, short validity windows, multi-scan prevention, and one-time redemption protections. These controls reduce risk but do not eliminate all misuse, device compromise, staff error, network failure, or merchant configuration risk.

6. Enforcement

We may suspend, restrict, or terminate access where reasonably necessary for security, legal, fraud, abuse, payment, entitlement, or platform-integrity reasons.

Report misuse, unauthorized access, or security concerns to support@ignislabs.io.

Cookie and Tracking Notice

Effective date: 2026-05-06
Last updated: 2026-05-06

1. Scope

This Notice explains tracking technologies used on our websites and, where relevant, SDK-based telemetry in our mobile applications.

2. What we may use

We may use:

  • strictly necessary cookies or storage for core functionality and security;
  • local storage or device identifiers;
  • analytics/performance tools to understand usage and improve reliability;
  • crash/diagnostic tools to diagnose errors and security issues;
  • functional/preference storage for user settings;
  • marketing tracking only where enabled and legally permitted.

3. Consent and controls

Consent requirements vary by jurisdiction. Non-essential cookies or trackers should run only where permitted by law and, where required, after consent.

Users can manage tracking through cookie preference controls where provided, browser settings, platform/device permissions, and app settings where available.

Blocking certain technologies may affect functionality.

4. Third-party providers

Analytics, diagnostics, hosting, app-store, and support providers may process technical or usage metadata on our behalf or as independent providers under their own terms.

5. Contact

Privacy or tracking questions: support@ignislabs.io.