Privacy Policy

Last updated: April 29, 2026

DiscountOneCard, operated by ClickingSpree, takes your privacy seriously. This page explains what we collect, how we use it, and the choices you have.

What we collect

• Account data — name, email, password hash (we never store your plaintext password), phone (optional), organization, role.
• Membership data — your plan, start/end dates, affiliate/referral codes used, family relationships.
• Session & security data — IP address and user-agent of each sign-in and each offer redemption, for sharing-abuse detection and troubleshooting.
• Offer activity — which offers you viewed and redeemed, and when. Unlimited offers are de-duplicated to a per-use event; one-time and recurring redemptions are also persisted for business analytics.
• Uploaded images — logos and photos you or your organization admin upload for your business listing.
• Passkeys — public credentials registered by your device, plus metadata like when and how you last used them. We never receive your biometric data or private keys.
• Push subscriptions — if you opt in, the endpoint and keys your browser provides for sending notifications.
• Marketing leads — information you provide on our marketing contact form (name, email, phone, organization details).

How we use it

• To operate your membership and render your digital card.
• To email you transactional messages (verification, password resets, family invites, gift codes, renewal reminders) via SendGrid.
• To detect account-sharing and abuse — e.g., if a card is used from two distant networks in a short window, we flag it and nudge you toward a family plan.
• To produce aggregate analytics for your organization's admin (e.g., signup trends, top-redeeming businesses).
• To help customer support and organization admins investigate issues. Admins can impersonate members within their org; every impersonation is written to an audit log.

What we don't do

• We don't sell your data.
• We don't share your personal information with businesses beyond what's needed to honor a redemption (which is just your name on your verification screen).
• We don't track you across unrelated websites.
• We never receive your biometric data (fingerprint, face, etc.). Passkeys stay on your device.
• We don't use advertising cookies and we don't run ad personalization.

Cookies & analytics

We use the following cookies and similar storage:

• Session cookie (strictly necessary) — HttpOnly, Secure, SameSite=Lax. Keeps you signed in. No consent required because it's necessary for the service to function.
• WebAuthn challenge cookie (strictly necessary) — short-lived, used only during passkey registration/sign-in.
• Theme preference (localStorage) — remembers light/dark mode.
• Cookie-consent decision (localStorage) — remembers whether you've accepted analytics so we don't show the banner again.
• Google Analytics 4 (opt-in) — when (and only when) you click Accept on the cookie banner, we set Google's _ga and _ga_<id> cookies. We use this to understand site usage in aggregate. We've enabled IP anonymization and Consent Mode v2 so no analytics-related storage happens before consent. We do not enable Google Signals, ad personalization, or cross-device tracking.

You can withdraw consent at any time by clearing site data in your browser. The banner will re-appear and default back to denied. EU/UK and California visitors get the banner on first visit; declining is a single click and is honored permanently on that browser.

Third-party processors

• SendGrid — sends our transactional email; receives recipient email addresses and message contents.
• Cloudflare Turnstile — bot protection on public lead and business-self-signup forms; receives an opaque challenge token + your IP.
• OpenStreetMap / CARTO — map tiles (your IP is necessarily visible to the tile server while a map is rendered).
• Nominatim (OSM) — geocodes a business's address when an admin clicks Locate from address.
• Google Fonts — loads the Inter typeface (standard request headers).
• Google Analytics 4 — only when you opt in via the cookie banner; covered above.
• Linode — hosts our servers and database backups.

Retention

• Session records expire after 90 days of inactivity or 30 days idle.
• Password reset tokens expire after 1 hour.
• Offer-use events are pruned automatically after 90 days; session events after 180 days.
• Cancelled memberships remain in the database as historical records. You can request full deletion at any time (see below).

Children

Users under 13 may not sign up directly. If you're under 18, a parent or guardian must consent to your use. We're an educational-adjacent service and don't collect more data from minors than necessary to operate a card.

Your choices

• View or change your profile at any time from the Account page.
• Disable push notifications from the Account page or your browser settings.
• Cancel your membership from the Account page; your data is retained as described above unless you request deletion.
• To request deletion of your data, email your organization admin or reach us via the contact form.

Security

We hash passwords with scrypt (salted, memory-hard). Session tokens and password-reset tokens are stored hashed in the database. Cookies are HttpOnly, Secure (in production), and SameSite=Lax. Every request that changes state has an Origin check on top of the SameSite cookie behavior. All pages are served over HTTPS with HSTS. Every admin action is audit-logged.

Changes

We may update this policy; we'll notify significant changes via email or an in-app banner.

Contact

Reach us via the contact form or the phone number listed there.