GDPR Privacy Policy

Last updated: April 26, 2026

1. Introduction

QuickCard.Digital ("we", "us", or "our") is committed to protecting your personal data and respecting your privacy rights. This GDPR Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

QuickCard.Digital is the data controller responsible for your personal data. If you have any questions about this policy or our data practices, please contact us at:

Company: QuickCard.Digital s.r.o.

Registered office: Mlynské nivy 14, 821 09 Bratislava, Slovakia

Email: [email protected]

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information:

  • Email address
  • Password (encrypted)
  • Account creation date
  • Product update and newsletter preferences

3.2 Contact Card Information:

  • Full name
  • Job title
  • Company name
  • Phone number
  • Email address
  • Website URL
  • Social media links
  • Profile photo/logo
  • Custom attributes (Enterprise plans only)

3.3 Subscription Information:

  • Subscription plan type
  • Billing information (processed by Stripe)
  • Payment history
  • Transaction records

3.4 Team Information (Team & Enterprise plans):

  • Team member names and roles
  • Team invitations
  • Team branding settings

3.5 Usage and Technical Data:

  • Login timestamps and failed login attempts (used for account-lockout protection: 10 failures in 15 minutes triggers a temporary lockout)
  • IP address and user agent (used for security, fraud prevention, and error diagnostics)
  • SHA-256-hashed IP address (logged on public-form submissions — newsletter, contact-sales, share-card forwarding — to enforce per-IP rate limits)
  • Browser type and version, approximate geographic location derived from IP (for error grouping in our monitoring tool)
  • Application error reports including stack trace and browser context (collected only when an error occurs)
  • QR code scan counts (aggregate counts per card; we do not record who scanned)
  • Feature usage events while you are signed in

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services as agreed in our Terms of Service
  • Consent: When you have given explicit consent for specific processing activities
  • Legitimate Interest: To improve our services, prevent fraud, and ensure security
  • Legal Obligation: To comply with applicable laws and regulations

5. How We Use Your Data

We use your personal data for the following purposes:

  • To create and manage your account
  • To provide and maintain the Service
  • To process payments and manage subscriptions
  • To generate and display your digital business cards
  • To enable team management features
  • To send service-related notifications
  • To send release notes and product updates when you opt in
  • To provide customer support
  • To improve and optimize our Service
  • To detect and prevent fraud and abuse
  • To comply with legal obligations

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your data with:

6.1 Service Providers (sub-processors):

We rely on the following processors to operate the Service. All non-EU processors operate under EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

  • Supabase Inc. (USA) — managed PostgreSQL database, authentication, file storage, and edge functions. Data is hosted in the EU region (Frankfurt, Germany).
  • Stripe Inc. (USA / Ireland) — payment processing. We never see your full card details; Stripe is PCI DSS Level 1 certified.
  • Resend Inc. (USA) — transactional email delivery (sign-up confirmation, password reset, team invitations, weekly digest).
  • Cloudflare Inc. (USA) — DNS, CDN, DDoS protection, and Turnstile bot-mitigation captcha on public forms. Cloudflare receives IP, request headers, and may set a bot-management cookie.
  • Functional Software Inc. dba Sentry (USA) — application error monitoring. Data for QuickCard.Digital is hosted in Sentry's EU region (Frankfurt). Stack traces, browser context, and IP are sent only when an error occurs.
  • Vercel Inc. (USA) — static hosting and CDN for the QuickCard.Digital frontend.
  • Google LLC (USA) — Google Sign-In identity provider. Used only if you choose "Sign in with Google"; we receive your Google email address and profile name.
  • BetterStack (Czech Republic / EU) — public-website uptime monitoring. Receives no user data; only HTTPS pings of our public homepage.

6.2 Team Members: With other members of your team (Team and Enterprise plans only)

6.3 Legal Requirements: When required by law or to protect our rights and safety

6.4 Business Transfers: In connection with a merger, acquisition, or sale of assets

7. Data Storage and Security

7.1 Storage Location: Account data, contact cards, uploaded files, and authentication records are stored in Supabase's EU region (Frankfurt, Germany) with automatic backups and redundancy. Application error reports are stored in Sentry's EU region (Frankfurt). Some support processors (Stripe, Resend, Cloudflare, Vercel, Google) are headquartered in the United States and may process related metadata (payment records, email delivery logs, request IPs, OAuth profile data) on US-based infrastructure under SCCs and the EU-US Data Privacy Framework. See section 10 for details.

7.2 Security Measures:

  • End-to-end encryption for data transmission (TLS/SSL)
  • Encrypted password storage
  • Regular security audits and updates
  • Access controls and authentication
  • Automated backup systems

7.3 Retention Period: We retain your personal data for as long as your account is active or as needed to provide services. Newsletter and product update preferences are retained until you unsubscribe or request deletion. After account deletion, account data is retained for 30 days for recovery purposes, then permanently deleted.

8. Your GDPR Rights

Under GDPR, you have the following rights:

8.1 Right to Access: Request a copy of your personal data

8.2 Right to Rectification: Correct inaccurate or incomplete data

8.3 Right to Erasure ("Right to be Forgotten"): Request deletion of your data

8.4 Right to Restrict Processing: Limit how we use your data

8.5 Right to Data Portability: Receive your data in a machine-readable format

8.6 Right to Object: Object to processing based on legitimate interests

8.7 Right to Withdraw Consent: Withdraw consent at any time

8.8 Right to Lodge a Complaint: You have the right to file a complaint with the Slovak supervisory authority:
Urad na ochranu osobnych udajov Slovenskej republiky (Office for Personal Data Protection of the Slovak Republic)
Hranicna 12, 820 07 Bratislava, Slovakia
dataprotection.gov.sk

To exercise any of these rights, please contact us at [email protected]

9. Cookies and Browser Storage

We use only essential cookies and browser storage:

  • Authentication tokens — stored in browser localStorage by Supabase Auth so that you stay signed in between visits
  • Cloudflare bot-management cookie (`__cf_bm`) — set by Cloudflare on every request to protect against automated abuse; expires within 30 minutes of inactivity
  • Cloudflare Turnstile may set a short-lived cookie during the bot-detection challenge on public forms (sign-up, login, password reset, contact-sales, newsletter)
  • Language preference — stored in browser localStorage to remember your selected interface language

We do not use third-party advertising cookies, behavioral tracking cookies, or product analytics cookies.

10. International Data Transfers

Your account data, contact cards, uploaded files, and application error reports are stored within the European Union (Supabase EU and Sentry Frankfurt). Several of our service providers — Stripe, Resend, Cloudflare, Vercel, and Google — are headquartered in the United States and may process related metadata (payment records, email delivery logs, request IP addresses, OAuth profile data) on US-based infrastructure.

For any transfer of your personal data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework, to ensure your data receives an equivalent level of protection.

11. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through a notice on our Service. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this GDPR Privacy Policy or how we handle your personal data, please contact us:

Company: QuickCard.Digital s.r.o.

Registered office: Mlynské nivy 14, 821 09 Bratislava, Slovakia

Email: [email protected]