Privacy Policy
Your privacy is important to us. This policy explains what we collect and how we use it.
Last updated: April 9, 2026
This Privacy Policy explains how Redcoded Limited, trading as BAM Apps ("we", "us", "our") collects, uses, and protects your information when you use the Group Card application ("App") on the monday.com marketplace.
1. Information We Collect
1.1 monday.com Session Data
The App receives your monday.com session token to verify your identity. This token contains your monday.com user ID and account ID.
1.2 Card and Message Data
The App stores card and message data using monday.com's Storage API. This includes:
- Card metadata (occasion type, recipient name, template, delivery date, opening effect)
- Contributor messages (text content, GIF URLs, font selection)
- Contributor identity (monday.com user ID and name for workspace members; name only for external signers)
- Card status (collecting signatures, scheduled, delivered)
All card and message data is stored via monday.com's Storage API — we do not copy or store this data outside of the monday.com platform.
1.3 OAuth Tokens
When you authorize the App, your monday.com OAuth access token is stored in monday.com's SecureStorage (encrypted, server-side only). This token is used to send notifications and look up workspace users and teams on your behalf.
1.4 GIF Search Data
When you browse for GIFs in the message composer, your search queries are sent to Klipy (api.klipy.com) via our server. Klipy also receives an anonymous customer identifier for usage analytics — no personally identifiable information is sent.
2. How We Use Your Information
| Data | Purpose |
|---|---|
| monday.com session token | Verify your identity and authorize API requests |
| Card and message data | Create, display, and deliver group greeting cards |
| OAuth tokens | Send notifications, look up users and teams |
| GIF search queries | Provide GIF search and trending content in the message composer |
We do not use your data to:
- Serve advertisements
- Build user profiles for marketing
- Sell or rent data to third parties
- Train machine learning models
- Contact you for marketing purposes (unless you opt in)
3. How We Store Your Information
3.1 Card and Message Data
- Stored via monday.com's Storage API, scoped per account
- Accessible only within the context of the App on your account
- We do not maintain a separate copy of your card data
3.2 OAuth Tokens
- Stored in monday.com SecureStorage (encrypted at rest, server-side only)
- Never exposed to the client or included in browser-accessible code
3.3 What We Do NOT Store
- Passwords or account credentials
- Payment or banking information
- Data from other monday.com apps or boards
- Personal data beyond what is described above
4. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
| Third Party | Data Shared | Purpose |
|---|---|---|
| monday.com platform | Session tokens, storage data | Authentication, data persistence |
| Klipy (api.klipy.com) | Search query strings, anonymous customer ID | GIF search and trending content |
| Google Fonts (fonts.googleapis.com) | Viewer IP address (standard HTTP request) | Font rendering on public card pages (/c/:code) |
Note: Klipy receives only search query strings and an anonymous customer identifier when you browse for GIFs. No user identity, card content, or message data is sent to Klipy. Google Fonts receives only the standard HTTP request (including the viewer's IP address) when rendering public card pages — no user identity or card content is transmitted.
All communication with third-party services is encrypted via TLS 1.2 or higher.
5. Data Retention and Deletion
- On uninstall: When you uninstall the App, data stored via the monday.com Storage API and SecureStorage is removed with the app instance. Server-side data will be deleted within 10 days.
- Card data: Card and message data does not persist outside the App's storage scope. Uninstalling the App removes all card data.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Delete your data (uninstall the App to remove all card data)
- Restrict processing (disable analytics via account settings)
- Object to data processing
To exercise these rights, contact us at support@bam-apps.com.
GDPR (European Economic Area)
If you are in the EEA, our legal basis for processing is:
- Legitimate interest — to provide and improve the App
- Consent — for optional analytics tracking
- Contract performance — to deliver the service you installed
CCPA (California)
We do not sell personal information. California residents may request disclosure of data collected and request deletion.
7. Security
- All data in transit is encrypted via TLS 1.2+
- monday.com session tokens are verified server-side using the app's signing secret (HS256)
- OAuth tokens are stored in SecureStorage (encrypted at rest, server-side only)
- External signing links use unguessable card identifiers
- No credentials or tokens are stored in source code or environment variables accessible to the client
- The App is hosted entirely on monday code (monday.com's own infrastructure)
8. Cookies
Group Card does not use cookies. Authentication is handled via monday.com session tokens (JWT in Authorization header). No tracking cookies or third-party cookies are used by the App.
9. Children's Privacy
The App is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App listing on the monday.com marketplace. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For questions or concerns about this Privacy Policy, contact us at:
- Email: support@bam-apps.com
- Entity name: Redcoded Limited