Privacy Policy

Cardtly is a digital business card platform registered in South Africa. We are the data controller for the personal information described in this policy.

For any privacy questions, contact us at andre@cardtly.com.

Account information. When you sign up we collect your name, email address, and a hashed password.

Card content. Anything you put on your business card is stored by us, including your job title, company, phone number, WhatsApp number, business address, website, profile photo, company logo, bio, certifications, and social media links. This information is published at your card URL and is intentionally public.

Contacts you collect. When someone uses the Save Contact button or fills out a lead form on your card, their name, email, phone number, and any message they send are stored in your Cardtly contacts list so you can follow up with them.

Payment information. If you subscribe to Cardtly Pro, our payment processor Paystack handles your card details directly. We never see or store your card number. We only store your subscription tier, status, and a Paystack customer identifier.

Usage data. We log basic interaction data such as card view counts, page requests, IP address, browser type, and approximate location at country level. This helps us run the service and show you analytics on your own card.

Device and app data. If you use the Cardtly Android app, we collect the same data as above plus your device model, Android version, and a Play install identifier. We do not access your phone contacts, photos, camera, or NFC tags unless you explicitly tap a feature that needs them.

Cookies. We use first-party cookies for authentication and to remember your settings. We do not use third-party advertising cookies.

• To create your account and serve your business card to the public.
• To process subscription payments and manage your Pro plan.
• To send transactional emails such as sign-up confirmations, password resets, and billing receipts.
• To show you analytics about how your card is being viewed.
• To improve the product based on aggregated usage patterns.
• To respond to support requests.
• To prevent fraud, abuse, and security incidents.
• To meet our legal obligations.

We do not sell your personal information. We do not use it to train AI models. We do not show you third-party advertising.

We use a small number of trusted service providers to run Cardtly. Each one is named below with a link to their own privacy policy.

• Supabase hosts our database and handles authentication. supabase.com/privacy
• Vercel hosts the website and serves card pages. vercel.com/legal/privacy-policy
• Paystack processes subscription payments. paystack.com/privacy
• Resend delivers transactional email from noreply@cardtly.com. resend.com/legal/privacy-policy
• Google Play if you install our Android app, Google may collect install and crash data subject to their own policy.

We may also disclose information when required by law, to enforce our terms of service, or to protect the rights, property, or safety of Cardtly, our users, or others.

Our service providers operate data centres in multiple countries, including the United States and the European Union. By using Cardtly you understand that your information may be processed outside of South Africa. Where the law requires it, we rely on standard contractual clauses and equivalent safeguards to protect your data during these transfers.

We keep your account and card data for as long as your Cardtly account is active. If you delete your account we remove your personal information from our active systems within 30 days, except where we are required to keep it for legal, tax, or fraud-prevention reasons.

Backups are retained for up to 90 days before being permanently deleted.

Depending on where you live, you have the following rights over your personal information:

• Access. Ask us for a copy of the data we hold about you.
• Correction. Ask us to fix data that is inaccurate or incomplete.
• Deletion. Ask us to delete your account and personal information.
• Portability. Ask us for your data in a machine-readable format.
• Objection. Object to certain types of processing.
• Withdraw consent. Withdraw consent at any time where processing is based on consent.
• Complain. Lodge a complaint with the South African Information Regulator (inforegulator.org.za) or your local data protection authority.

To exercise any of these rights, email andre@cardtly.com. We respond within 30 days.

You can also delete your account at any time from Dashboard, Settings.

We protect your data with encryption in transit (HTTPS everywhere), encryption at rest (Supabase managed Postgres), hashed passwords (handled by Supabase Auth), and strict access controls inside our team. No system is perfectly secure, but we take reasonable steps to keep your information safe.

If we ever become aware of a data breach that affects you, we will notify you and the relevant regulators as required by law.

Cardtly is built for adults using it as a professional networking tool. We do not knowingly collect personal information from anyone under the age of 18. If you believe a child has created an account, contact us and we will delete it.

When you install the Cardtly Android app it may request the following permissions. Each one is optional and is only used for the feature it describes.

• NFC. Used so you can tap a blank NFC tag to write your card URL to it, or read a Cardtly NFC tag someone hands you. We do not scan tags in the background.
• Contacts. Used only when you tap Save Contact, so we can add the card you are viewing to your phone address book. We never read your existing contacts.
• Internet. Required so the app can talk to our servers.
• Camera. Optional, used only if you choose to update your profile photo from inside the app.

We may update this policy from time to time. When we make material changes we will email registered users and display a notice on the website. Continued use of Cardtly after a change means you accept the updated policy.

Cardtly
South Africa
andre@cardtly.com