The app does not store and does not collect any private or cardholder sensitive data.
After a NFC card is tapped at the device, the app retrieves the card PAN, creates a cryptographically irreversible hash from it, and further uses it for validation logic emulation and for reporting the hash it to a web server.
The retrieved PAN is discarded. It is never stored, nor reported to any web service.
Any other data revealed by the tapped NFC card is never used and is discarded upon the card reading.
The user of the app is not required to use actual NFC payment cards. The cards may be as well expired or be in bad standing in the card issuer files.