Security

Access to account-backed information requires authenticated access. Users are responsible for keeping their sign-in credentials, email accounts, devices, and app-store accounts secure.

If you believe someone accessed your account without authorization, stop using the affected session and contact support through the channels made available in the product.

Personal self-managed cards can be viewed and changed only by their owner. Provider-issued cards can be viewed by the customer holder but can be punched or reversed only by workspace members with owner, admin, or staff access.

Customers cannot punch or reverse provider-issued cards. Providers are responsible for assigning appropriate staff roles and removing access when staff no longer need it.

Kartisiya uses administrative, technical, and organizational safeguards designed to protect account, card, workspace, customer, subscription, and activity information.

Balance-changing activity is recorded to support accountability and dispute review. Providers should avoid storing sensitive or unnecessary information in card or customer records.

Local guest cards are stored on the device and are not protected by account-level sync or recovery.

Payment card details are handled by app stores or payment processors. Kartisiya receives only the information needed to confirm access to paid features, provide support, and operate the service.

If you believe you found a vulnerability, report enough detail to reproduce the issue and avoid accessing, changing, or disclosing data that is not yours.

We prioritize reports that affect account access, workspace permissions, card balances, customer data, or subscription enforcement.

Please report security concerns through the support channels made available on the website or inside the product.