Privacy Policy
Your privacy is important to us. This policy explains what we collect and how we use it.
Last updated: May 7, 2026
This Privacy Policy explains how Redcoded Limited, trading as BAM Apps ("we", "us", "our") collects, uses, and protects your information when you use the Group Card application ("App") on the monday.com marketplace.
1. Information We Collect
1.1 monday.com Session Data
The App receives your monday.com session token to verify your identity. This token contains your monday.com user ID and account ID.
1.2 Card and Message Data
The App stores card and message data on monday.com's infrastructure. This includes:
- Card details (occasion type, recipient name, template, scheduled delivery date)
- Contributor messages (text content, GIF URLs, font and colour selection)
- Contributor identity (monday.com user ID and name)
- Card status (collecting signatures, scheduled, delivered)
All card and message data is stored on monday.com's infrastructure — we do not copy or store this data anywhere else.
1.3 OAuth Tokens and Permissions
OAuth is required only so the App can send scheduled delivery notifications on your behalf. When you authorize the App, your monday.com OAuth access token is stored in monday.com's SecureStorage (encrypted, server-side only) so the scheduled-delivery worker can notify the recipient and the card organizer when a card is delivered. Invites, reminders, and in-app actions use your active monday.com session and do not require this stored token.
The App requests the following permissions, all of which are required for core functionality:
- me:read — identify the signed-in user when the App loads
- users:read — list workspace members so you can pick recipients and signers
- notifications:write — send the scheduled delivery notification on your behalf when a card is delivered
- teams:read — surface workspace teams so you can quick-add an entire team to a card
1.4 GIF Search Data
When you browse for GIFs in the message composer, your search queries are sent to Klipy (api.klipy.com) via our server. Klipy also receives an anonymous customer identifier for usage analytics — no personally identifiable information is sent.
1.5 What We Store
For full transparency, here is exactly what the App holds for you, all on monday.com's encrypted SecureStorage (server-side):
- Your OAuth access token, used to send scheduled delivery notifications on your behalf
- Card details: title, occasion, recipient, scheduled delivery date, and which user created the card
- Messages contributed to each card: text, font and colour choices, and any GIF chosen
- The list of people invited to sign each card and whether they have signed yet
- The schedule of upcoming card deliveries
The App does not store anything in your browser. All values listed above are encrypted at rest by monday.com's SecureStorage and scoped per account using the key prefix acct:<accountId>:…, so no app data crosses tenant boundaries.
All data is removed when you uninstall the App (see Section 5).
2. How We Use Your Information
| Data | Purpose |
|---|---|
| monday.com session token | Verify your identity and authorize API requests |
| Card and message data | Create, display, and deliver group greeting cards |
| OAuth tokens | Send scheduled delivery notifications on your behalf |
| GIF search queries | Provide GIF search and trending content in the message composer |
We do not use your data to:
- Serve advertisements
- Build user profiles for marketing
- Sell or rent data to third parties
- Train machine learning models
- Contact you for marketing purposes (unless you opt in)
3. How We Store Your Information
3.1 Card and Message Data
- Stored in monday.com's SecureStorage (encrypted at rest, server-side only), scoped per account
- Accessible only within the context of the App on your account
- We do not maintain a separate copy of your card data
3.2 OAuth Tokens
- Stored in monday.com SecureStorage (encrypted at rest, server-side only)
- Never exposed to the client or included in browser-accessible code
3.3 What We Do NOT Store
- Email addresses — we read workspace member emails live via monday's users:read API to render the invite picker, but we do not persist them
- Passwords or account credentials
- Payment or banking information
- Data from other monday.com apps or boards
- Personal data beyond what is described above
4. Data Sharing
We do not sell, rent, or share your personal data with third parties except:
| Third Party | Data Shared | Purpose |
|---|---|---|
| monday.com platform | Session tokens, storage data | Authentication, data persistence |
| Klipy (api.klipy.com) | Search query strings, anonymous customer ID | GIF search and trending content |
| Google Fonts (fonts.googleapis.com, fonts.gstatic.com) | Standard HTTP request headers (IP address, User-Agent) | Loading the App's display fonts |
Note: Klipy receives only search query strings and an anonymous customer identifier when you browse for GIFs. No user identity, card content, or message data is sent to Klipy. Google Fonts receives only the standard HTTP request your browser sends when loading any web font — no user identity, card content, or message data is transmitted.
All communication with third-party services is encrypted via TLS 1.2 or higher.
5. Data Retention and Deletion
When you uninstall the App, monday.com fires a lifecycle webhook that the App handles immediately. Within seconds, every piece of data we hold for your account is deleted, including:
- Your OAuth access token
- All cards created on your account
- All messages contributed to those cards
- The list of contributors invited to each card
- Any pending or scheduled deliveries belonging to your account
Nothing about your account is retained on monday.com's infrastructure or anywhere else after uninstall.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Delete your data (uninstall the App to remove all card data)
- Restrict processing
- Object to data processing
To exercise these rights, contact us at support@bam-apps.com.
GDPR (European Economic Area)
If you are in the EEA, our legal basis for processing is:
- Legitimate interest — to provide and improve the App
- Contract performance — to deliver the service you installed
CCPA (California)
We do not sell personal information. California residents may request disclosure of data collected and request deletion.
7. Security
- All data in transit is encrypted via TLS 1.2+
- monday.com session tokens are verified server-side using the app's signing secret (HS256)
- OAuth tokens are stored in SecureStorage (encrypted at rest, server-side only)
- No credentials or tokens are stored in source code or environment variables accessible to the client
- The App is hosted entirely on monday code (monday.com's own infrastructure)
8. Cookies
Group Card does not use cookies. Authentication is handled via monday.com session tokens (JWT in Authorization header). No tracking cookies or third-party cookies are used by the App.
9. Children's Privacy
The App is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App listing on the monday.com marketplace. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For questions or concerns about this Privacy Policy, contact us at:
- Email: support@bam-apps.com
- Entity name: Redcoded Limited