Privacy Policy

Last updated: April 17, 2026

This Privacy Policy ("Policy") describes how dambox Sagl ("dambox", "we", "our") collects, uses, stores and protects the personal data of users of the bizCARD platform (the "Service"), accessible via the bizcard.ch website and related applications.

dambox Sagl is the data controller for personal data under the Swiss Federal Act on Data Protection (FADP/nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Data We Collect

1.1 Data provided by the user

  • Registration data: first name, last name, email address, password (stored in hashed form, never in plaintext).
  • Profile and card data: job title, company, phone number, address, website, social media profiles, profile photo and any other information entered by the user into their digital cards.
  • Payment data: payment information (credit card number, billing details) is handled directly by Stripe and is never stored on our servers. We only retain the Stripe customer ID and subscription status.
  • Communications: content of support requests and communications with our team.

1.2 Data collected automatically

  • Usage data: pages visited, features used, date and time of access, session duration.
  • Technical data: IP address, browser type, operating system, device type, device identifiers.
  • Card interaction data: number of digital card views, QR code scans, link clicks, vCard downloads. This data is collected in aggregated and anonymized form for the user's statistics.

1.3 Cookies and tracking technologies

We use only essential technical cookies for the operation of the Service (authentication, session preferences). We do not use profiling cookies or third-party marketing cookies. We do not sell or share data with advertising networks.

2. Purposes of Processing

We process personal data for the following purposes:

  • Service delivery: creating and managing the account, generating and displaying digital cards, producing business cards, managing QR codes and short links.
  • Payments and billing: managing subscriptions, processing payments via Stripe, issuing invoices.
  • Service communications: sending account-related notifications, Service updates, security alerts.
  • Service improvement: analyzing usage in aggregated form to improve features and performance.
  • Security: preventing fraud, abuse and unauthorized access, ensuring the integrity of the Service.
  • Legal obligations: complying with legal requirements, responding to requests from competent authorities.

3. Legal Basis for Processing

Data processing is based on:

  • Performance of a contract (art. 6(1)(b) GDPR / art. 31 FADP): for the delivery of the Service and account management.
  • Legitimate interest (art. 6(1)(f) GDPR / art. 31 FADP): for security, fraud prevention and Service improvement.
  • Legal obligation (art. 6(1)(c) GDPR / art. 31 FADP): for tax, accounting and regulatory compliance.
  • Consent (art. 6(1)(a) GDPR / art. 31 FADP): for optional marketing communications, where applicable.

4. Data Sharing

We do not sell, rent or trade users' personal data. We share data exclusively with:

  • Stripe: for payment processing. Stripe acts as an independent data controller for payment data. See the Stripe Privacy Policy.
  • Hosting providers: data is hosted on Vercel infrastructure (for the application) and Neon (for the database), both with data centers in Europe.
  • Email services: for sending transactional emails (account notifications, password reset).
  • Card recipients: when a user shares their digital card, the data contained in the card is visible to the recipient. The user controls which information to include in the card.
  • Competent authorities: when required by law or by court order.

5. International Data Transfer

Data is primarily stored on servers located in the European Union. If it becomes necessary to transfer data outside the European Economic Area or Switzerland, we ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCC) approved by the European Commission.
  • Adequacy decisions by the European Commission or the Swiss FDPIC.
  • Recognized certifications and frameworks (e.g. EU-US Data Privacy Framework).

6. Data Security

We adopt appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Password hashing with secure algorithms (bcrypt/argon2).
  • Data access limited to authorized personnel under the principle of least privilege.
  • Continuous infrastructure monitoring and vulnerability management.
  • Regular backups and disaster recovery procedures.
  • Payment data neither transits through nor is stored on our servers (handled entirely by Stripe).

No system is 100% secure. In the event of a data breach that may pose a risk to users' rights and freedoms, we will notify affected users and competent authorities within the timeframes required by law.

7. Data Retention

  • Account data: retained for the duration of the active account and for up to 30 days after deletion.
  • Billing data: retained for 10 years as required by Swiss tax regulations.
  • Aggregated usage data: retained in anonymized form without time limits.
  • Security logs: retained for up to 12 months.

8. User Rights

In accordance with the Swiss FADP and GDPR (where applicable), the user has the right to:

  • Access: obtain confirmation of the processing of their data and receive a copy.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of their data ("right to be forgotten"), subject to legal retention obligations.
  • Portability: receive their data in a structured, commonly used and machine-readable format.
  • Objection: object to data processing on legitimate grounds.
  • Restriction: request restriction of processing in certain circumstances.
  • Withdrawal of consent: withdraw consent to processing at any time, without affecting the lawfulness of processing based on consent given prior to withdrawal.

To exercise your rights, contact privacy@dambox.ch. We will respond within 30 days of receiving the request.

9. Minors

The Service is not intended for minors under 16. We do not knowingly collect personal data from minors. If we become aware of having collected data from a minor, we will delete it immediately.

10. Third-Party Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such services. We encourage users to review the respective privacy policies before providing personal data.

11. Changes to the Policy

We reserve the right to update this Policy. Significant changes will be communicated through the Service or by email. Continued use of the Service after notification constitutes acceptance of the updated Policy.

12. Supervisory Authority

Users have the right to file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or with the competent supervisory authority in their country of residence, if they believe the processing of their data violates applicable law.

13. Contact

For questions about this Policy or about the processing of personal data:

dambox Sagl

Data protection officer

Email: privacy@dambox.ch

Website: bizcard.ch