Privacy Policy

Our digital-card platform helps individuals and organizations create, distribute and manage digital business cards, contact capture forms, NFC cards, email signatures, virtual backgrounds and other networking tools. We operate from Hungary and comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act (including the 2025 Data (Use and Access) Act), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other relevant privacy laws. This policy applies to all users of our website, mobile and web applications, NFC and QR products, APIs and any offline services that reference this notice, whether you hold a registered account or use the Service as a guest. We do not knowingly collect or store sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, health data or biometric identifiers; the information stored in our system is typically the type contained on a business card (e.g., name, company, title, contact details). The policy does not apply to external websites linked from our Service; those sites have their own privacy practices, and we encourage you to review them.

We collect and process personal data consistent with the GDPR's data-minimization principle:

• •Account and profile data. When you register or update an account, you provide your name, email address, password, company, job title and contact details. You may upload photos, logos and social links. Billing information is collected only for paid plans.
• •Contact card content. You control the information you place on each digital card – names, titles, phone numbers, email addresses, postal addresses, social media handles, bios, logos, galleries, audio files, documents or custom fields.
• •Contact capture and consent. When collecting another person's details, you must provide a clear capture disclaimer and link to your privacy policy. Recipients must tick a consent checkbox before you process their information. By submitting someone else's contact details to our Service (e.g., their email address), you represent that you have obtained their consent and may share the details accordingly.
• •Smart Scan and OCR data. When you use our Smart Scan feature to photograph or upload a paper business card, the image is processed using optical character recognition (OCR) and then sent to a third-party AI provider (currently OpenAI) to extract structured contact data such as names, phone numbers, email addresses and job titles. Source images are stored temporarily to complete the extraction and are deleted within 30 days. The extracted text, language metadata and resulting contact record are retained in your account. We do not permit our AI provider to use your data for model training.
• •Third-party integrations. When you connect social-login providers, CRM platforms (such as Salesforce or HubSpot), marketing tools or other third-party services, we receive basic profile data and authorization tokens required to operate those integrations. Contact data you choose to sync between our Service and a CRM is transmitted only at your direction.
• •Automatic data collection. We automatically log pages you visit, features you use, timestamps, referring URLs, device type, operating system, browser type, IP address (hashed) and general location (country level). We use cookies, web beacons and local storage to authenticate you, remember preferences, measure performance and monitor whether emails are opened. Analytics or marketing cookies are set only after you provide explicit consent; you can manage cookie preferences via our cookie banner and browser settings.
• •NFC/QR interactions. When you tap an NFC card or scan a QR code, the Service exchanges a URL or vCard with the recipient's device. We record the date, time, card identifier, device type and general location. Our NFC cards employ encryption, authentication protocols, domain whitelisting and dynamic QR fallbacks aligned with ISO 27001 and GDPR. Lost or stolen cards can be deactivated through your account settings.
• •Wallet pass data. When you add a digital card to Apple Wallet or Google Wallet, we generate a pass containing your selected card information. For Apple Wallet, we register your device token to deliver automatic pass updates via push notifications and track pass versioning. For Google Wallet, we store a wallet object identifier. We record wallet-save statistics (wallet type, date) for analytics purposes.
• •Push notification data. If you enable push notifications, we collect a Firebase Cloud Messaging (FCM) token for each of your device sessions. These tokens are used solely to deliver notifications you have opted into (e.g., card scan alerts, connection requests). You can disable push notifications at any time through your device settings or notification preferences in your account.
• •Guest user data. You may create a digital card as a guest without full registration. We store the card content you provide and assign a guest token. If you later create an account, guest data is merged with your registered profile.
• •Communications. We collect messages sent to customer support, feedback forms or surveys for quality assurance and service improvements.

We process personal information for legitimate purposes based on consent, contractual necessity and legitimate interests. Uses include:

• •Providing core services. Displaying the fields you choose to share, enabling you to exchange digital cards, manage leads, generate email signatures, create virtual backgrounds and add cards to mobile wallets.
• •Contact capture and lead management. Storing contact details with recipients' explicit consent for follow-up communications.
• •Smart Scan processing. Extracting contact data from uploaded business-card images using OCR and AI, and creating structured contact records in your network.
• •Operating and improving the Service. Using logs and analytics to ensure functionality, diagnose issues, analyze trends and develop new features.
• •Personalization and marketing. Tailoring content, recommendations or notifications based on usage patterns; sending marketing communications with consent; allowing you to opt out at any time.
• •Security and fraud prevention. Detecting suspicious behaviour and protecting against malware, phishing and unauthorized access.
• •Legal and regulatory compliance. Meeting tax, accounting and other legal obligations and responding to lawful requests.
• •Research and development. Using aggregated and anonymized data for research and to improve our algorithms; providing transparency and human oversight when deploying AI or machine-learning tools.

We retain personal data only as long as necessary to fulfil the purposes outlined above:

• •Account and content data. Retained while your account is active and deleted or anonymized within 30 days after account closure, unless a longer retention period is required by law or contract.
• •Smart Scan source images. Source images uploaded for OCR are retained for up to 30 days to allow reprocessing and quality review, then automatically deleted. The extracted contact data persists in your account until you delete it.
• •Usage and operational logs. Operational logs (including truncated IP addresses, hashed identifiers, device/browser metadata and referring URLs) are retained up to 90 days for analytics, debugging, security and support; then deleted or anonymized.
• •GDPR minimization and retention. We apply data minimization to logs and analytics by default, pseudonymize identifiers where possible and limit retention to the shortest period needed for security and service performance. Log data is automatically purged within 90 days unless legally required to retain it longer.
• •Communications and transaction records. Retained up to seven years to satisfy tax, accounting and legal obligations.
• •Anonymized or aggregated data. May be retained indefinitely for research, benchmarking and business insights.

We do not sell personal information. We share data only in limited circumstances:

• •With other users. When you share a card via QR code, link or NFC tap, recipients see only the fields you choose to disclose.
• •With your consent. We may share information for a specific purpose when you authorize us to do so.
• •Service providers and partners. Trusted vendors host infrastructure, process payments, send emails, provide analytics and support customer service. They receive only the data necessary to perform their functions and must keep it confidential. Key categories of service providers include cloud hosting, payment processors, email delivery services and customer-support platforms.
• •Analytics and advertising providers. With your consent, we share usage data with analytics providers (currently Google Analytics, Amplitude, Mixpanel) and advertising platforms (Facebook/Meta Pixel, Google conversion tracking) to measure performance and improve our marketing. These providers may use cookies or web beacons; they process data under their own privacy policies. No analytics or advertising cookies are set without your explicit prior consent.
• •AI and machine-learning processors. When you use Smart Scan, uploaded business-card images and extracted text are sent to OpenAI for structured data extraction. OpenAI processes this data under a Data Processing Agreement and is prohibited from using it for model training. No other personal data is shared with AI providers without your knowledge.
• •CRM and integration partners. When you enable a CRM integration (e.g., Salesforce, HubSpot), contact data is transmitted to that provider at your direction using OAuth or API credentials you supply. We do not initiate CRM syncs without your explicit action.
• •Legal requirements and protection of rights. We may disclose information if required by law, subpoena or court order, or to enforce our agreements and protect our rights or respond to legal claims.
• •Business transfers. If we undergo a merger, acquisition or asset sale, personal information may be transferred as part of the transaction; we will notify you of any material changes.
• •Aggregated or de-identified data. We may share anonymized analytics for research, marketing or benchmarking that do not identify individuals.
• •International transfers. Data may be transferred to and processed in countries outside your jurisdiction. We rely on Standard Contractual Clauses, the UK International Data Transfer Addendum or relevant Data Privacy Frameworks and commit to resolving complaints about our handling of personal information. We are certified under the EU-U.S., UK and Swiss Data Privacy Frameworks and abide by the Data Privacy Framework Principles.
• •Onward transfer accountability. If we transfer your data to a third-party agent, we require them to provide at least the same level of protection and remain liable for their processing.

• •Separate consent checkboxes. Our forms include distinct checkboxes for analytics, marketing and third-party sharing with clear descriptions. Boxes are never pre-ticked; you can withdraw consent at any time, and we maintain timestamped consent logs for audit trails.
• •Cookie controls. Our cookie banner offers "Accept," "Decline" and "Manage preferences" options with separate toggles for essential, analytics (Google Analytics, Amplitude), personalization (Mixpanel) and advertising (Facebook/Meta Pixel, Google conversion tracking) cookies. We do not drop non-essential cookies until you consent; you can reject them and still use our Service.
• •Opt-out of targeted advertising. We do not use contact data for third-party advertising unless you opt in. We do not sell, trade or share your personal information for cross-context behavioral advertising.
• •User communications and consent for others. If you provide another person's contact details, you must obtain their consent. We may disclose such information if required to comply with legal processes.

We act as data controller for our own user accounts, billing records and usage logs, and as data processor when we handle your customers' contact data. We execute Data Processing Agreements (DPAs) defining our obligations, security measures, retention periods and subprocessor authorizations. A DPA is available upon request for enterprise customers. Subprocessors (e.g., cloud hosting, analytics providers, payment processors, AI processors) are vetted, contractually bound to confidentiality and security requirements, and subject to our privacy obligations. A current list of subprocessors is available on our website; we will notify you of material changes to that list at least 30 days in advance, giving you the opportunity to object before new subprocessors begin processing your data.

We employ physical, technical and administrative safeguards to protect personal data. Measures include encryption at rest and in transit, role-based access controls, multi-factor authentication, domain whitelisting, dynamic link generation, regular vulnerability testing, employee privacy training and incident-response procedures. We cannot guarantee absolute security, but we take reasonable steps to prevent loss, misuse or unauthorized access. Data protection principles are integrated into product design, and high-risk processing triggers Data Protection Impact Assessments (DPIAs).

Our analytics and personalization tools may use machine learning to suggest networking connections or optimize engagement. Our Smart Scan feature uses OCR and a third-party large language model (currently OpenAI GPT-4o-mini) to extract contact data from business-card images. We have a Data Processing Agreement with OpenAI that prohibits using your data for model training and requires deletion of inputs after processing. When deploying AI, we inform you how personal data is used, provide meaningful information about the logic involved and ensure human oversight. Under the EU AI Act and GDPR Article 22, you can object to automated decision-making and request human review. AI-powered or beta features are provided "as is," may change or be discontinued, and should not be used for critical decisions without independent verification.

Our infrastructure is hosted in the EU and the United States. For cross-border transfers, we rely on Standard Contractual Clauses, the UK International Data Transfer Addendum, Data Privacy Framework certification and other recognized safeguards. We monitor and comply with evolving regulations, including the EU Digital Services Act, Digital Markets Act, AI Act, the UK Data (Use and Access) Act 2025 and India's DPDP Act 2023.

The Service is not intended for children under 13, and we do not knowingly collect personal data from them. If we learn that a child has provided personal information without parental consent, we will delete it. When targeting minors aged 16 (or a lower age permitted by local law), you must obtain verifiable parental consent and use age-gating features.

Subject to applicable law, you have the right to:

• • Access the personal data we hold about you
• • Rectify inaccurate or incomplete data
• • Erase your data (right to be forgotten)
• • Restrict or object to certain processing, including direct marketing
• • Data portability for information you provided, in a structured, commonly used and machine-readable format
• • Withdraw consent at any time without affecting prior lawful processing
• • Object to automated decision-making and request human review of decisions that produce legal or similarly significant effects
• • Lodge a complaint with a supervisory authority (in Hungary, the NAIH; in other EU/EEA countries, your local data-protection authority)

We will respond to verified rights requests within 30 days (GDPR) or 45 days (CCPA), with the possibility of extension where permitted by law. You can exercise these rights via your account settings or by contacting our Data Protection Officer. You may also export your card data in vCard format at any time through your account. Deletion requests apply to data we control; information shared with other users, stored by subprocessors or synced to external CRMs must be deleted by those parties.

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with additional rights:

• •Right to know. You may request the categories of personal information we have collected, the sources of collection, the business purposes for collection, the categories of third parties with whom we share data, and the specific pieces of personal information we hold about you.
• •Right to delete. You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
• •Right to correct. You may request correction of inaccurate personal information.
• •Right to opt out of sale or sharing. We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link.
• •Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CCPA (e.g., Social Security numbers, precise geolocation, racial or ethnic origin).
• •Non-discrimination. We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing or service quality for making a privacy request.

To make a request, contact us at the email address provided on our website or use the privacy controls in your account settings. We will verify your identity before processing requests. An authorized agent may act on your behalf with written permission. We respond to verified requests within 45 days. In the preceding 12 months we have collected the categories of personal information described in Section 2 above for the business purposes described in Section 3.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Hungarian National Authority for Data Protection and Freedom of Information, NAIH, or the relevant authority in your jurisdiction) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay via email or through the Service, describing the nature of the breach, the likely consequences, the measures we have taken or propose to take, and how you can contact our Data Protection Officer. We maintain an internal breach register documenting all incidents regardless of severity. For California residents, notification will also comply with California Civil Code Section 1798.82.

When you set a digital card's visibility to "Public," the card page and the information displayed on it become accessible to anyone on the internet, including search-engine crawlers and bots. We include the URLs of Public cards in our sitemap, which we submit to search engines (such as Google and Bing) to facilitate indexing and discoverability. Only the information you choose to display on your card (for example, name, job title, company, bio, avatar, banner image and enabled contact fields) is exposed on the public page. We do not expose your account email address, password, billing details, analytics data or any other information you have not added to the card itself. Cards set to "Private" or "Secure" are excluded from our sitemap, served with a "noindex" robots directive and require authentication or a PIN to view; they are not intended to be indexed by search engines. You can change your card's visibility at any time through your account settings. Please note that after you change a card from Public to Private, cached versions may persist in search-engine indexes until the search engine re-crawls and removes the content; we have no control over third-party caching behaviour. If you need expedited removal, you can use search-engine removal tools (for example, Google's Remove Outdated Content tool). By setting your card to Public you consent to this processing on the legal basis of your explicit consent (GDPR Article 6(1)(a)) and acknowledge that the information may be collected and displayed by third-party services.

We may update this privacy policy to reflect changes in law or our practices. Significant changes will be communicated through the Service or by email at least 30 days before they take effect, and we will note the effective date. Continued use after the effective date constitutes acceptance. For privacy questions, data-protection requests or complaints, contact our Data Protection Officer at the email address provided on our website. EU residents may also contact our EU representative; UK residents may contact our UK representative. Contact details for our DPO and representatives are published on our website. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.