2. Data We Collect
- Account data: first name, last name, email, password (hashed)
- Profile data: title, company, phone, bio, photo, social links, documents
- Contact data: information from scanned or manually added contacts
- Usage data: card views, access source (QR, NFC, link), timestamps
- Payment data: handled exclusively by Stripe — CardMeApp stores no banking data
- Technical data: IP address (server logs, retained 30 days), session cookies
When scanning a paper card, the image is uploaded to our servers, passed to OpenAI for text extraction (see section 5, Sub-processors), and deleted immediately after extraction; only the extracted contact data is kept.
3. Legal Basis for Processing (Art. 6 GDPR)
- Performance of contract (Art. 6.1.b): card creation, contact management, card analytics
- Consent (Art. 6.1.a): optional analytics cookies, marketing communications
- Legitimate interest (Art. 6.1.f): platform security, abuse prevention, service improvement
- Legal obligation (Art. 6.1.c): accounting obligations related to payments
4. Retention Periods
- Active account: data retained for the lifetime of the account
- After account deletion: immediate deletion, except for data we are legally required to retain (see payment records below)
- Payment records held by Stripe: 7 years (legal accounting obligation)
- Server logs: 30 days
- Card view analytics: rolling 24 months
5. Sub-processors & International Transfers
- Supabase Inc. (EU servers) — authentication, database, file storage
- Stripe Inc. (USA — SCC) — payments
- OpenAI Inc. (USA — SCC) — paper card scan processing only
- Google LLC (EU) — event mapping, optional OAuth login
- Meta Platforms (USA — SCC) — optional OAuth login (if enabled)
- LinkedIn / Microsoft (EU) — optional OAuth login
Standard Contractual Clauses (SCC) govern all transfers outside the EU in accordance with GDPR.
6. Your Rights (Art. 15–22 GDPR)
- Right of access (Art. 15): obtain a copy of your data
- Right to rectification (Art. 16): correct inaccurate data
- Right to erasure (Art. 17): delete your account and all associated data
- Right to data portability (Art. 20): export your data in JSON format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to restriction (Art. 18): restrict certain processing activities
- Withdrawal of consent: at any time without affecting past processing
To exercise your rights: go to Settings → Privacy Settings in the app (instant deletion and export) or email privacy@materydev.com (response within 30 days).
You have the right to lodge a complaint with your national supervisory authority: CNPD (Luxembourg), CNIL (France), or APD (Belgium).
7. Cookies
CardMeApp uses:
- Strictly necessary cookies: Supabase authentication session, local preferences — no consent required
- First-party analytics cookies: measuring your card's view count — consent requested on first visit
No advertising or third-party profiling cookies are used.
8. Data Security
Your data is protected by:
- TLS 1.2/1.3 encryption for all data in transit
- Supabase Row Level Security (RLS), so that database queries return only the rows belonging to the authenticated user
- Supabase service-role access used only from server-side API routes, never from client-side code
- HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy)
Any personal data breach will be reported to the competent supervisory authority within 72 hours of our becoming aware of it (Art. 33 GDPR).
9. Deletion & Data Portability
From Settings → Privacy Settings, you can: download all your data (JSON format, Art. 20 GDPR) or permanently delete your account (Art. 17 GDPR) with one click. See also: Data Deletion page.