Privacy Policy
Last updated: April 19, 2026
DiscountOneCard, operated by ClickingSpree, takes your privacy seriously. This page explains what we collect, how we use it, and the choices you have.
What we collect
- Account data — name, email, password hash (we never store your plaintext password), phone (optional), organization, role.
- Membership data — your plan, start/end dates, affiliate/referral codes used, family relationships.
- Session & security data — IP address and user-agent of each sign-in and each offer redemption, for sharing-abuse detection and troubleshooting.
- Offer activity — which offers you viewed and redeemed, and when. Unlimited offers are de-duplicated to a per-use event; one-time and recurring redemptions are also persisted for business analytics.
- Uploaded images — logos and photos you or your organization admin upload for your business listing.
- Passkeys — public credentials registered by your device, plus metadata like when and how you last used them. We never receive your biometric data or private keys.
- Push subscriptions — if you opt in, the endpoint and keys your browser provides for sending notifications.
- Marketing leads — information you provide on our marketing contact form (name, email, phone, organization details).
How we use it
- To operate your membership and render your digital card.
- To email you transactional messages (verification, password resets, family invites, gift codes, renewal reminders) via SendGrid.
- To detect account-sharing and abuse — e.g., if a card is used from two distant networks in a short window, we flag it and nudge you toward a family plan.
- To produce aggregate analytics for your organization's admin (e.g., signup trends, top-redeeming businesses).
- To help customer support and organization admins investigate issues. Admins can impersonate members within their org; every impersonation is written to an audit log.
What we don't do
- We don't sell your data.
- We don't share your personal information with businesses beyond what's needed to honor a redemption (which is just your name on your verification screen).
- We don't track you across unrelated websites.
- We never receive your biometric data (fingerprint, face, etc.). Passkeys stay on your device.
- We don't use advertising cookies. Our only cookies are an HttpOnly session cookie and short-lived WebAuthn challenge cookies.
Third-party processors
- SendGrid — sends our transactional email.
- Cloudflare Turnstile — bot protection on the marketing lead form.
- OpenStreetMap / CARTO — map tiles (your IP is necessarily visible to the tile server).
- Nominatim (OSM) — geocodes a business's address to map coordinates when an admin clicks "Locate from address."
- Google Fonts — loads the Inter typeface (standard request headers only).
- Linode — hosts our servers and database backups.
Retention
- Session records expire after 90 days of inactivity or 30 days idle.
- Password reset tokens expire after 1 hour.
- Offer-use events are pruned automatically after 90 days; session events after 180 days.
- Cancelled memberships remain in the database as historical records. You can request full deletion at any time (see below).
Children
Users under 13 may not sign up directly. If you're under 18, a parent or guardian must consent to your use. We're an educational-adjacent service and don't collect more data from minors than necessary to operate a card.
Your choices
- View or change your profile at any time from the Account page.
- Disable push notifications from the Account page or your browser settings.
- Cancel your membership from the Account page; your data is retained as described above unless you request deletion.
- To request deletion of your data, email your organization admin or reach us via the contact form.
Security
We hash passwords with scrypt (salted, memory-hard). Session tokens and password-reset tokens are stored hashed in the database. Cookies are HttpOnly, Secure (in production), and SameSite=Lax. Every request that changes state has an Origin check on top of the SameSite cookie behavior. All pages are served over HTTPS with HSTS. Every admin action is audit-logged.
Changes
We may update this policy; we'll notify you of significant changes via email or an in-app banner.
Contact
Reach us via the contact form or the phone number on the sales site.