Privacy Policy

Last updated: May 7, 2026

Back to home

1. Introduction

This Privacy Policy describes how [COMPANY_NAME] (“we”, “us”, or “our”) collects, uses, and shares personal information when you use our digital business card platform and related services (the “Services”), accessible at [WEBSITE_URL].

By using the Services, you acknowledge this Policy. If you do not agree, please do not use the Services.

Controller: [COMPANY_NAME]
Address: [COMPANY_ADDRESS]
Privacy & data protection inquiries: [CONTACT_EMAIL]
Data protection contact (where applicable): [DPO_EMAIL]

2. Data we collect

We collect information that you provide directly, automatically when you use the Services, and in some cases from third parties such as payment providers.

Account & authentication

  • Contact and identity details (e.g., name, email address, username)
  • Phone number where you choose to provide it
  • Authentication data processed by our service providers (we do not store your password in plain text)
  • Consent and preferences (e.g., marketing opt-in where offered; terms acknowledgement metadata)

Profile & digital card content

  • Profile and card configuration (sections, branding, links, social handles, downloadable assets)
  • Media you upload or connect (e.g., images hosted via our media vendor)
  • Public-facing content displayed to visitors who view your card

Lead capture & visitor interactions

  • Information submitted through forms or flows on digital cards (e.g., name, email, phone, custom fields you configure)
  • Associated metadata such as timestamps, card route or identifier, and technical context needed to operate lead features

Billing

  • Subscription and checkout data processed by our payment partner (merchant of record). Typically includes billing status, receipts, customer identifiers, and limited payment metadata — not full payment card numbers on our infrastructure.

Usage & technical data

  • Device and browser information, IP address, and general geographic region
  • Diagnostics, logs, and security signals needed to operate, secure, and improve the Services

Depending on applicable law (including the GDPR where it applies), we rely on one or more of the following bases:

  • Contract: to provide the Services you request (accounts, profiles, lead capture, analytics for account holders)
  • Legitimate interests: to secure our systems, prevent abuse, troubleshoot, measure product performance at an aggregated level, and improve the Services — balancing these interests against your rights
  • Consent: where required for optional communications or cookies similar technologies where mandated (e.g., certain marketing preferences)
  • Legal obligation: to comply with laws, lawful requests, and corporate compliance duties

4. Third-party services & subprocessors

We engage vendors that process personal information on our behalf or provide integrated functionality. These may include:

  • Supabase — authentication, database, and storage services for accounts and application data (may process credentials and profile content regions per their configuration)
  • Lemon Squeezy — payment processing and subscription management as merchant of record for paid plans
  • Vercel — application hosting and related edge infrastructure for the web app (we do not load the Vercel Web Analytics SDK in this application)
  • Cloudinary (or equivalent configured media CDN) — delivery and transforms for user-uploaded or linked imagery
  • Resend (or equivalent email vendor) — transaction and operational emails such as verification and security notices

This list may evolve as we onboard or replace subprocessors. We evaluate vendors for security and contractual safeguards appropriate to the risks involved.

5. First-party product analytics

We may collect certain usage events through first-party pipelines (for example route or product interaction events submitted to protected application endpoints such as /api/analytics/events) for security, troubleshooting, aggregated product insights, and feature improvement.

Unless separately disclosed and consented where required by law, we do not integrate Google Analytics (GA4) or Meta / Facebook Pixel advertising technology as part of these Services. If our practices materially change in the future, we will update this Policy and notices as applicable.

6. Cookies & local storage

We may use cookies and browser storage technologies to:

  • Maintain secure sessions when you authenticate (essential cookies)
  • Remember preferences and improve reliability across visits
  • Store attribution parameters captured from campaign links (such as UTMs or click identifiers) in localStorage to relate signups or leads back to campaigns you run

You can control cookie settings via your browser. Blocking essential cookies may limit sign-in functionality. Local storage attribution entries can often be cleared in your browser site data settings for [WEBSITE_URL].

7. International data transfers

We may process and store personal information in the United States, the European Economic Area, the United Kingdom, Israel, or other regions where our providers operate data centres. Laws in those jurisdictions may differ from your home jurisdiction.

Where GDPR applies and transfers leave the UK/EEA, we endeavor to rely on lawful transfer mechanisms such as adequacy decisions, Standard Contractual Clauses (“SCCs”), supplementary measures as appropriate, and vendor agreements that require equivalent protection. Obtain details or copies via [CONTACT_EMAIL] where mandated by law.

8. Retention

We keep personal information for as long as your account remains active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce terms.

Lead data associated with cards may remain available until you delete it or terminate the account, subject to legal holds and backups governed by retention schedules described in our internal policies.

9. Security

We maintain administrative, technical, and organisational measures designed to safeguard personal information (including encryption in transit, access restrictions, separation of environments, vendor reviews). No transmission or storage method is fully secure — please use strong passwords and report suspected incidents to [CONTACT_EMAIL].

10. Your GDPR rights

Where GDPR applies and we act as controller, you may:

  • Access the personal information we hold about you
  • Rectify inaccurate information
  • Request erasure (“right to be forgotten”) subject to lawful exceptions (e.g., billing/legal holds)
  • Request restriction of processing while we verify objections or rectify data
  • Data portability for information you supplied that we process automatically by contract/consent where technically feasible
  • Object to processing grounded in legitimate interests (including profiling when applicable)
  • Withdraw consent where processing relied on consent, without affecting lawful processing beforehand
  • Lodge a complaint with your supervisory authority

To exercise rights email [CONTACT_EMAIL] with your request and verification tokens we require to protect your account data.

11. Your CCPA / CPRA rights

If California law applies (CCPA / CPRA as amended), you may request to know/access, delete, or correct categories and specific pieces of personal information we collected, and to opt out of sale or certain sharing for cross-context behavioural advertising.

We do not sell personal information for money. If practices change materially, we will update this disclosure and notices as legally required (including honoured opt-outs where applicable).

You may designate an authorised agent consistent with regulation; we verify requests to deter fraud. Contact [CONTACT_EMAIL] to submit a request or obtain additional disclosures.

12. Israel Privacy Protection Authority expectations

Pursuant to the Israeli Privacy Protection Act and related regulation, individuals may request access to databases containing their personal information, request corrections, and seek information about how data flows to third parties. We provide clear contact channels noted above and limit collection to lawful, transparent purposes communicated in this Policy.

Residents may contact [CONTACT_EMAIL] regarding rights and complaints. Guidance from the IPA may apply to lawful processing justification and onward transfer controls.

13. Children

The Services are not directed toward children under [AGE_THRESHOLD] (commonly 16). We do not knowingly collect personal information from children. If you believe we received such data inadvertently, notify us promptly at [CONTACT_EMAIL] for deletion.

14. Changes to this policy

We may update this Policy materially as our Services evolve or legal requirements shift. We will post the updated version on this page and revise the “Last updated” date. Where mandated, we’ll provide additional notice before changes take effect.

15. Contact us

Privacy questions — [CONTACT_EMAIL]
Website — [WEBSITE_URL]