Privacy Policy
Last updated: March 28, 2026
Cardly (“we”, “us”, or “our”) operates the digital business card platform available at getcardly.io. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR).
1. Data We Collect
We collect the following categories of personal data:
- Account information — your name, email address, and password (stored as a secure hash) when you create an account.
- Card content — information you voluntarily enter on your digital business card: name, job title, company, bio, phone number, website, and any links you add.
- Profile and media — photos you upload (profile photo, company logo, cover photo) stored securely in cloud storage.
- Usage analytics — when someone views your card or clicks a link, we record a hashed IP address (we never store the raw IP), approximate country, the referring URL, and a timestamp. This data is tied to your card, not to the individual visitor.
- Payment data — if you subscribe to a paid plan, payment is processed entirely by Lemon Squeezy. We receive only confirmation of your subscription status; we do not store credit card numbers.
- Cookies and session data — we use cookies to maintain your authenticated session. See Section 4 for details.
2. How We Use Your Data
- Providing the service — to create, display, and manage your digital business card.
- Analytics dashboard — to show you aggregated statistics about who viewed your card and which links they clicked.
- Transactional emails — to send account confirmation, password reset, and billing notification emails via Resend (our email provider).
- Billing — to process subscription payments and manage your plan status through Lemon Squeezy.
- Service improvement — to understand aggregate usage patterns and improve the platform. We do not use your card content to train AI models.
Our legal basis for processing is contract performance (processing necessary to deliver the service you signed up for) and, where applicable, legitimate interests (aggregated analytics for service improvement).
3. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following trusted sub-processors, solely to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (AWS eu-central-1) |
| Lemon Squeezy | Payment processing and subscription management | USA (GDPR-compliant) |
| Resend | Transactional email delivery | USA (GDPR-compliant) |
| Vercel | Web hosting and edge delivery | Global (GDPR-compliant) |
We may also disclose data if required by law or to protect our legal rights.
4. Cookies
We use a minimal set of cookies — only those necessary to operate the service:
- Authentication cookies — set by Supabase to maintain your logged-in session. These are essential and cannot be disabled without breaking authentication.
- Language preference — a single cookie (cardly-locale) that remembers your preferred language. It contains no personal data.
We do not use third-party advertising or tracking cookies. We do not use Google Analytics or similar services.
5. Your Rights (GDPR)
If you are in the EU or EEA, you have the following rights under the GDPR:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct any inaccurate data (most profile data can be updated directly in your account settings).
- Right to erasure — request deletion of your account and associated data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to restrict processing — request that we limit how we use your data.
To exercise any of these rights, email us at support@getcardly.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, all associated personal data (profile info, card content, uploaded media, and analytics events) will be permanently deleted within 30 days. Billing records may be retained for longer where required by applicable tax or accounting law. Anonymised, aggregated analytics data (with no link to any individual) may be retained indefinitely for service improvement purposes.
7. Security
We implement industry-standard security measures: all data is transmitted over HTTPS, passwords are hashed using bcrypt, and database access is restricted by row-level security policies. No method of transmission over the internet is 100% secure, but we take reasonable precautions to protect your data.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and, for significant changes, notify you by email. Continued use of Cardly after changes are posted constitutes your acceptance of the revised policy.
9. Contact
For any privacy-related questions or to exercise your rights, contact us at:
Cardly
Email: support@getcardly.io
Website: getcardly.io
Governing law: Republic of Serbia · EU GDPR applies to EU/EEA users