PRIVACY POLICY

Version 1.3

Last updated: 22 April 2026

To let you use our apps or websites, we may ask you to enter your name, email, job title, company, contact details, and industry, and to answer other onboarding questions depending on the app or web products you choose from our ecosystem. In some of our apps you can skip some of the onboarding questions by tapping Skip or a similar option.

We also may automatically collect from your device: language settings, IP address, time zone, type and model of a device, device settings, operating system and other technical information. We need this data to provide our services, analyze how our customers use the app, and to serve ads. Most of the time, you can influence such processing by limiting it via our privacy features available on the websites and/or apps.

Please read our Privacy Policy below to learn more about what we do with data (Section 3) and what data privacy rights are available to you (Section 5). Depending on the region from which you access our Services and the product you choose, we strive to provide you with various privacy control features and rights. For example:

  • Influence online tracking via our cookie banner and e-Privacy settings in our apps or websites.
  • Opt out of the sale/sharing of data (within the meaning of certain US laws).
  • Request data and account deletion.
  • Exercise other privacy rights.

When such features are available to you, this will be prominently displayed either in footers, menus, or profile sections of our products.

If any questions remain unanswered or you would like to exercise your privacy rights, please contact us at privacy@digitalbusinesscard.com.

This Privacy Policy provides transparency information about what personal data is collected when you use our mobile application "DBC: Digital Business Card", websites (including digitalbusinesscard.com) and the services provided through them (together "App" or "Service"), and how such personal data will be processed. This policy is intended to comply with privacy regulations globally, including but not limited to the General Data Protection Regulation (GDPR) in the EU/EEA, the California Consumer Privacy Act (CCPA) in the United States, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.

By using the Service, you promise us that (i) you have read, understand and agree to this Privacy Policy and the data processing described, and (ii) you are over 18 years of age. If you do not agree, or are unable to make this promise, you must not use the Service. In such a case, you must (a) delete your account and contact us and request deletion of your data; (b) cancel any subscriptions using the functionality provided by Apple (if you are using iOS) or Google (if you are using Android), any other app stores that may be available from time to time, or by us if you purchased it directly from our websites; and (c) delete the App from your devices.

Any translation from the English version is provided for your convenience and transparency purposes only. In the event of any difference in meaning or interpretation between the English language version of this Privacy Policy available at digitalbusinesscard.com/privacy, and any translation, the English language version will prevail. The original English text shall be the sole legally binding version.

Contents

  • Definitions
  • Categories of personal data we collect
  • What are the purposes and legal bases for processing your personal data
  • With whom we share your personal data
  • How you can exercise your privacy rights
  • Lead Capture data and our role as a data processor
  • Our use of artificial intelligence (AI)
  • Account deletion
  • Data breach notification process
  • Age limitation
  • International data transfers
  • Changes to this Privacy Policy
  • Data retention
  • Personal data controller
  • Contact us

1. Definitions

For the purpose of this Privacy Policy, the following terms have the meanings set out below:

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

"UK GDPR" means the GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018.

"EEA" includes all current member states of the European Union and the European Economic Area, plus, for the purpose of this Privacy Policy, the United Kingdom of Great Britain and Northern Ireland and Switzerland.

"CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA).

"LGPD" means the Lei Geral de Proteção de Dados (Law No. 13,709/2018), the Brazilian general data protection law.

"PIPEDA" means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), the Canadian federal private-sector privacy law, together with applicable provincial legislation including Quebec's Law 25.

"AI" or "Artificial Intelligence" means technologies, including machine learning models and large language models, that perform tasks that traditionally require human intelligence, such as image recognition, natural language understanding, content generation, and decision support.

"Process" (in respect of personal data) means any operation or set of operations performed on personal data, whether or not by automated means, including to collect, record, organize, structure, store, adapt, alter, retrieve, consult, use, disclose, share, transfer, restrict, erase or destroy.

"Recipient" means an individual who provides personal data through a Lead Capture form on a DBC user's digital business card. The Recipient is not a registered user of our Service.

"Standard Contractual Clauses" or "SCCs" mean the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to GDPR Article 46(2)(c).

"EU-U.S. Data Privacy Framework" or "DPF" means the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, providing a legal mechanism for transferring personal data from the EEA and UK to certified U.S. organizations.

2. Categories of personal data we collect

We process data:

(i) you directly provide to us (for example, when you complete the onboarding quiz, create your digital business card, or contact our support team);

(ii) we receive about you from third parties (for example, when you sign in via Apple or Google);

(iii) we collect automatically when you use our Service (for example, your IP address via cookies or SDK technologies).

2.1 Data directly provided by you

1. Identifiers

This may include your name, email address, and other contact information. You provide us with this information when you register for the Service, complete the onboarding quiz, subscribe to our services, or contact us by any other means.

2. Onboarding and product data

You provide us with this category of information when you register for the Service and/or go through the onboarding process and/or use the Service. This category, in particular, includes:

General information about you. For example, age range, industry, professional role or position, and your goals or challenges related to business networking (such as difficulties you experience with paper business cards).

Card content data. When creating your digital business card, you may provide information such as your first and last name, job title, company name, work email, phone numbers, office address, profile photograph, custom banners or logos, and links to various social media or web resources (which may include up to 50+ different link types, for example LinkedIn, Twitter/X, Instagram, Facebook, YouTube, TikTok, personal or company websites, scheduling tools, payment links, and similar). We use this information to generate and display your digital business card to recipients you share it with.

3. Commercial information

When you make payments through the Service, you need to provide financial account data, such as your credit card number, to our third-party service providers that serve us as data and payments processors. We do not collect, store, or have access to full credit card number data, though we may receive some limited information, for example, credit card-related data (including a secure token reflecting your payment method), data about products or services purchased, the date, time and amount of the purchase, the type of payment method used, and limited digits of your card number.

4. B2B Service data

We offer organizations an option to obtain the Service as a corporate or team solution. To create and manage a B2B account, the account administrator provides their name, company name, position and email address, as well as information about team members they wish to add to the account (such as team members' name, email, job title, department, and similar professional details).

If your employer grants you access to the Service, we process your email address, name and professional details provided by your employer to enable access. Your personal data is processed according to this Privacy Policy. General participation statistics may be shared with your employer through the admin tool.

5. AI Contact Scanner data

When you use our AI Contact Scanner feature to digitize paper business cards, you upload photographs of business cards through our App. These photographs are transmitted through our servers to our AI processing partner (OpenAI) for text extraction and contact information recognition. The extracted contact data and the original photographs are stored in your account so that you may access and manage the digitized contacts. You may delete the photographs and extracted data from your account at any time. For more information on our use of AI, please see Section 7 of this Privacy Policy.

Please note that the photographs you upload may contain personal data of third parties (the individuals whose business cards you are scanning). You represent and warrant that you have the legal basis to process such data, including, where required by applicable law, their consent.

6. Comments and attachments you provide with your requests

You may also provide us with some personal information using our "Contact us" forms, by sending emails to our email addresses, or through our in-app chat. This information may include any comments you enter when you send your inquiry.

2.2 Data provided by third parties

1. Apple ID account

When you sign in with Apple to register an account in the App, we get personal data from your Apple ID account. This data may include, in particular, your name and verified email address.

2. Google account

When you sign in with Google to register an account in the App, we may receive personal data from your Google account including your name and email address.

2.3 Data we collect automatically

1. Online activity

We record how you interact with our Service. For example, we log your interactions with certain areas of the interface, the features, and content, which digital cards you create, when and how often your cards are viewed or scanned by recipients, lead capture form submissions, how often you use the App, how long you are in the App, and your subscription orders.

2. Device and Geolocation data

We collect data from your mobile device and browser. Examples of such data include: language settings, Internet Protocol (IP) address, time zone, type and model of a device, device settings, operating system, Internet service provider, mobile carrier, hardware ID, browser type and version, screen resolution, and Facebook ID. Approximate geolocation data may be inferred from IP address for purposes such as fraud prevention and regional content customization.

3. Advertising IDs

We collect your Apple Identifier for Advertising ("IDFA") or Google Advertising ID ("AAID") (depending on the operating system of your device). You can typically reset these numbers through the settings of your device's operating system.

4. Cookies and similar tracking technologies

Our products employ technologies (cookies, SDKs, tag managers, pixels, session recording tools, etc.) to process your data to enhance your user experience, optimize ads, and analyze traffic. These technologies are activated when you interact with our services, visit our website, use our Apps, or enable certain features like chats. Disabling these technologies may affect the functionality of certain features, although our products will remain usable.

Strictly necessary. These technologies are typically activated when you request our service, for example, when you visit our website or open the App. By utilizing them, we can (i) remember your preferences as you navigate our products, (ii) ensure swift loading of the content you request, (iii) enhance the security of our products, and (iv) enable other functionalities of our products.

Functional. We use functional technologies to personalize and enhance your experience. By utilizing them, we can remember your choices (for example, custom design settings or storing your language preference for an extended period).

Performance and analytics. We use performance technologies to process information about how you and others interact with our products. This helps us understand user engagement with our products and features, and identify preferences or dislikes. We also use session recording technology to understand user experience issues and improve our products.

Targeting. We, and our partners, use targeting technologies to tailor ads and possibly even display them to you at relevant times.

If you are located in certain countries, you can adjust your tracking technology preferences in our cookie consent banner available on our websites.

3. What are the purposes and legal bases for processing your personal data

We collect and utilize your data primarily to provide our services, enhance the quality of our networking and business card services and to continuously improve them.

| Purpose of processing | Description and examples | Categories | Lawful basis |
| --- | --- | --- | --- |
| To provide our Service and administer your account | This includes verifying your identity, email verification, enabling you to access and use our Service in a seamless manner and preventing or addressing Service errors or technical issues, customizing your experience. | All categories | Performing our contract with you |
| To communicate with you regarding your use of our Service | We communicate with you by email, in-app notifications, and push notifications. These may include transactional communications related to account verification, password resets, subscription renewals, billing, and security alerts. | Identifiers, Online activity | Performing our contract with you (or legitimate interest, when not strictly necessary for provision of our Service) |
| To process and fulfill your transactions | For paid products and/or services, we use third-party services for payment processing. We do not store payment card details ourselves. | Identifiers, Commercial information, Device data | Performing our contract with you |
| To provide the AI Contact Scanner feature | When you use our AI Contact Scanner, we process the photographs of business cards you upload and send them to our AI processing partner to extract contact information. | Identifiers, Onboarding and product data, Images uploaded through the AI Scanner feature | Performing our contract with you |
| To research and analyze your use of the Service | This helps us to better understand our business, analyze our operations, maintain, improve, innovate, plan, design, and develop the Service and our new products. | All categories | Legitimate interest (unless it requires consent, e.g. the method of processing is covered under certain e-Privacy regulations) |
| To send our marketing communications | We may add your email address to our marketing list, provided we receive consent or otherwise establish a legal basis. If you do not want to receive marketing emails from us, you can unsubscribe following instructions in the footer of the marketing emails. | Identifiers, Onboarding and product data | Consent or Legitimate interest (in jurisdictions that allow exception to consent requirements, including under the soft opt-in exception for existing customers under ePrivacy Directive Article 13(2) and similar national implementations) |
| To personalize our ads | We and our partners use your personal data to tailor ads and possibly show them to you at relevant times. | Onboarding and product data, Online activity, Commercial information, Device data, Advertising IDs, Cookies | Consent (where required under e-Privacy regulations) or Legitimate interest |
| To audit ad performances | To conduct auditing related to counting ad impressions, verifying positioning and quality of ad impressions, and auditing compliance. | Identifiers, Online activity, Commercial information, Advertising IDs, Cookies | Legitimate interest (unless consent is required) |
| To communicate with you regarding possible cooperation | This includes being able to contact you to discuss possible forms of cooperation, such as partnership opportunities or B2B sales. | Identifiers, B2B Service data | Legitimate interest |
| To enforce our Terms of Use and to defend our legal rights and interests | We collect and store personal data to the extent necessary to defend our legal rights and interests in the event of legal disputes or claims. | All categories | Legitimate interest |
| To comply with legal obligations | We may use this data to comply with legal obligations, such as tax regulations, accounting standards, or other applicable laws and regulations. | All categories | Complying with legal obligations |
| To prevent and combat fraud | We use personal data to enforce our agreements and contractual commitments, to detect, prevent, and combat fraud. | All categories | Legitimate interest |

Legitimate interests

Where we rely on legitimate interest as our legal basis, we have considered and balanced our interests against your rights and freedoms. Our legitimate interests include encouraging you to use our Service more often; maintaining business relationships with potential partners and clients; improving our Service through user research; promoting our Service in a measured and appropriate way; protecting ourselves from legal disputes; and preventing fraud and unauthorized use of the Service.

4. With whom we share your personal data

A. General classification

We engage partners to carry out specific services or business functions on our behalf using their technologies and resources, based on our instructions. We strive to conclude specific data processing agreements with all such parties to establish the rules for processing of your data specifically on our behalf and limited to it.

1. Third-party service providers

a. Cloud storage and hosting providers

Amazon Web Services (AWS). To host personal data and enable our Service to operate and be distributed we use Amazon Web Services. Data is hosted in the Frankfurt (eu-central-1) region.

b. Database providers

MongoDB Atlas (cloud.mongodb.com). We use MongoDB Atlas, a fully-managed cloud database service operated by MongoDB, Inc., as our primary database. Our Atlas cluster is deployed on Amazon Web Services in the Frankfurt (eu-central-1) region.

c. Email and communication service providers

SendPulse (api.sendpulse.com). We use SendPulse to send you transactional emails (such as account verification, subscription notifications, billing receipts) and marketing communications.

In-App Chat. We operate our own in-app chat functionality to provide customer support. When you use our chat, the messages and information you share are processed by us directly for support purposes.

d. Analytics and product monitoring providers

Google Analytics 4. To analyze how visitors use the Service and to measure the effectiveness of our Service and advertising.

Mixpanel. We use Mixpanel as a product analytics service to understand how customers use our Service.

Google Tag Manager. We use Google Tag Manager to deploy and manage various tracking and analytics tags. Google Tag Manager itself does not collect personal data but facilitates the loading of other tracking technologies.

Microsoft Clarity. We use Microsoft Clarity to record user sessions (including mouse movements, clicks, scrolls, and keystrokes for non-sensitive fields) and generate heatmaps to improve user experience.

Firebase (Google). We use a suite of Firebase services including Firebase Authentication, Firebase Cloud Messaging, Firebase Crashlytics, Firebase Remote Config, and Firebase Analytics.

e. Payment processing partners

We use various payment processing and payment gateway providers, in particular:

Stripe. For credit card and general payment processing.

PayPal. For PayPal payment processing.

Apple In-App Purchase. For subscriptions purchased through iOS apps.

Google Play Billing. For subscriptions purchased through Android apps.

f. AI processing partners

OpenAI. We use OpenAI's API to power our AI Contact Scanner feature. OpenAI processes this data on our behalf and, per OpenAI's API terms, does not use API data to train their models.

Anthropic. We use Anthropic's API to power certain AI-assisted features within our Service. Anthropic processes this data on our behalf and does not use API data to train their models.

For more details on our AI usage, including data flows, retention, accuracy disclaimers, and your rights, please see Section 7 of this Privacy Policy.

g. Marketing and advertising service providers

Meta (Facebook and Instagram). We use Meta Ads Manager together with Meta Custom Audience and the Meta Pixel.

Google Ads. Google Ads is an ad delivery service provided by Google. Google allows users to opt out of personalized ads and to prevent their data from being used by Google Analytics.

Apple Search Ads. We use Apple Search Ads to promote our App within the Apple App Store.

h. Third-party integrations you may connect to

Our Service offers integrations with various third-party business tools. When you choose to connect these integrations, data from your DBC account may be transmitted to these third-party services based on your configuration.

Salesforce. When you connect the Salesforce integration, DBC shares lead and contact data with your Salesforce CRM on your behalf. The connection uses OAuth 2.0 — DBC stores only the access and refresh tokens required to interact with the Salesforce API.

HubSpot. When you connect the HubSpot integration, DBC shares lead and contact data with your HubSpot CRM on your behalf. The connection uses OAuth 2.0.

Zoho CRM. When you connect the Zoho CRM integration, DBC shares lead data (name, email address, phone number, company name, and job title) with Zoho CRM on your behalf via OAuth 2.0.

Pipedrive. When you connect the Pipedrive integration, DBC shares lead data (name, email address, and phone number) with Pipedrive on your behalf via OAuth 2.0.

monday.com. DBC offers a monday.com app available through the monday.com marketplace. When you install and use this integration, DBC communicates with monday.com via the GraphQL API at api.monday.com to read and write boards, groups, and items as configured in your monday.com workspace, and via OAuth 2.0 at auth.monday.com to authenticate your account. The DBC frontend SDK (monday-sdk-js) also emits a valueCreatedForUser event to the monday.com platform for marketplace billing purposes. DBC does not store your monday.com credentials.

Google Workspace / Google Sheets. When you connect Google Workspace, DBC requests access to Google Sheets solely to export your captured lead contact data. We access only spreadsheets created by our application on your behalf. All data transmitted between our servers and Google Sheets is encrypted in transit using HTTPS/TLS. We do not share your Google account data or spreadsheet contents with any third parties. We do not use any data accessed through Google Workspace APIs for advertising, AI, or machine learning model training purposes.

Zapier. DBC offers a Zapier integration that you can use to connect DBC to thousands of other business tools via Zapier's automation platform.

Apple Wallet and Google Wallet. When you add your digital business card to Apple Wallet or Google Wallet, a pass file containing your card information is transmitted to Apple or Google.

When you connect any third-party integration listed above, the applicable third-party service's terms and privacy policies govern the processing of your data within that service. We are not responsible for how these third parties handle your data once transmitted.

2. Law enforcement agencies and other public authorities

We may use and disclose personal data to enforce our Terms of Use, to protect our rights, privacy, safety, or property, and to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities.

3. Third parties as part of a merger or acquisition

As we develop our business, we may buy or sell assets or business offerings. Customers' information is generally one of the transferred business assets in these types of transactions.

B. CCPA classification of service providers and third parties

In order to provide our services, we may share your personal information with other entities that perform functions on our behalf or assist us in fulfilling our purposes. Depending on their role and relationship with us, these entities may be classified as service providers (or contractors) and third parties under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

| Category of Service providers | Purpose of sharing data | Categories of personal data shared |
| --- | --- | --- |
| Cloud storage and hosting providers | To store your personal data and enable provision of our Service | All categories of personal data mentioned in Section 2 |
| Database providers | To store and manage your account and Service-related data | All categories of personal data mentioned in Section 2 |
| Product monitoring and crash reporting providers | To prevent and/or address errors or technical issues | Device data, Online activity |
| Communication service providers | To communicate with you regarding your account, subscriptions, and Service use | Identifiers, Onboarding and product data, Online activity |
| Marketing and advertising service providers | To send you marketing communications and to deliver targeted ads | Identifiers, Advertising IDs, Onboarding and product data, Online activity, Commercial information |
| Payment processors | To process and fulfill your transactions | Identifiers, Commercial information, Device data |
| Data analytics providers | To research and analyze your use of the Service and audit ad performance | All categories of personal data mentioned in Section 2 |
| AI processing partners | To provide the AI Contact Scanner and similar AI-assisted features | Images uploaded through AI Scanner, extracted contact information |
| Third-party integrations (CRMs, automation, productivity tools) | To enable users to sync lead and contact data with their chosen external tools | Identifiers, Card content data, Lead Capture data |

The categories of third parties to whom personal information was disclosed that may be considered a "sale" or "sharing" under California law are: Marketing and advertising service providers, Data analytics providers.

5. How you can exercise your privacy rights

A. General privacy rights

To be in control of your personal data, you have the following rights:

Accessing / reviewing / updating / correcting your personal data. You have the right to review, edit, or change the personal data that you had previously provided to us. If you would like to receive a copy of data we process, please send us a data access request at privacy@digitalbusinesscard.com or use self-service features available in your account profile.

Deleting your personal data. You can request erasure of your personal data, as permitted by law. Please refer to Section 8 (Account Deletion) for details on how to delete your account and what happens to your data.

Getting to know the details of the processing. You have the right to be informed about the collection and use of your personal data.

Objecting to or restricting the use of your personal data. You can ask us to stop using your personal data or limit our use. For example:

Email marketing: you can unsubscribe from email marketing communication by following the unsubscribe link in every email or by contacting our support team.

Cookie preferences: you can manage your cookie preferences through our cookie banner available on our websites.

Push notifications: you can turn off push notifications in your device settings (iOS: Settings > Notifications > DBC: Digital Business Card; Android: Settings > Apps > DBC: Digital Business Card > Notifications).

Additional means to influence personalized advertising

iOS: On your iPhone or iPad, go to "Settings," then "Privacy" and tap "Advertising" to select "Limit Ad Tracking". You can also reset your advertising identifier in the same section.

Android: Open the Google Settings app on your mobile phone, tap "Ads" and enable "Opt out of interest-based ads". You can also reset your advertising identifier in the same section.

The right to lodge a complaint with a supervisory authority. We would love you to contact us directly. Nevertheless, you have the right to lodge a complaint with a competent data protection supervisory authority.

The right to data portability. If you wish to receive your personal data in a machine-readable format, please submit a request to privacy@digitalbusinesscard.com. The data will be made available to you in JSON or CSV format.

Exercising your rights

To exercise any of the available privacy rights, please send a request to privacy@digitalbusinesscard.com or use the privacy features available in our products.

Verification. To process your request, we'll need to verify your identity. In most cases, this means confirming that the request comes from the email associated with your account.

An authorized agent. You may also designate an authorized agent to exercise your rights on your behalf. The authorized agent shall verify the identity of both themselves and the consumer.

B. United States privacy rights

If you are a resident of a US state where a specific state privacy law has been enacted (in particular, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia), you may have specific rights in addition to the general privacy rights provided above. These rights include the right to opt out of the processing of the personal data for purposes of the sale of personal data; and the right to opt out of the processing of the personal data for purposes of targeted advertising or cross-contextual behavioral advertising.

We may share certain information about you with our partners for purposes of targeted advertising or data analytics, which could in certain circumstances be characterized as "selling," "sharing," or "targeted advertising" under US state laws. You have the right to opt out of such sale/sharing.

Depending on the product you use, we will strive to provide a prominently linked "Your Privacy Choices" feature that would allow you to exercise this right. We will also strive to recognize and process your opt-out preference signal (including Global Privacy Control signals) as soon as possible after receiving it.

a. California privacy rights

CCPA and CPRA. California residents have the following rights:

Right to know what personal information is sold or shared and to whom. You have the right to request that we disclose to you the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collecting it, and the categories of third parties with whom we have shared, sold, or disclosed it.

Right to limit the use of sensitive data. You have the right to direct us to limit our use of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

Right of no retaliation following opt-out or exercise of other rights. You have a right not to be discriminated against for exercising any of your rights under the CPRA.

California's "Shine the Light" law. Under California Civil Code Section 1798.83, residents may ask companies once a year what personal information they share with third parties for those third parties' direct marketing purposes. To obtain this information, send an email to privacy@digitalbusinesscard.com with "Request for California Shine the Light Privacy Information" in the subject line.

b. Appeal

Under the US state privacy laws, if your privacy request is denied, you have the right to appeal. To appeal, contact us at privacy@digitalbusinesscard.com, clearly indicating "USA PRIVACY APPEAL REQUEST" in your message.

C. Brazilian residents — LGPD rights

If you are a resident of Brazil, you have rights under the LGPD, including those set out below.

Confirmation of processing. The right to obtain confirmation that we are processing your personal data.

Access. The right to access the personal data we process about you.

Correction. The right to request that we correct any inaccurate or incomplete information.

Anonymization, blocking, or deletion. The right to request anonymization, blocking, or deletion of unnecessary or excessive data, or data that is being processed in violation of the LGPD.

Data portability. The right to data portability to another service provider, subject to commercial and industrial secrets, in accordance with applicable regulations.

Deletion of personal data processed with consent. The right to request deletion of personal data processed on the basis of your consent, except as required by applicable law.

Information about sharing. The right to be informed about the public and private entities with which we have shared your data.

Information about non-consent. The right to be informed about the possibility of not providing consent and the consequences of refusal.

Revocation of consent. The right to revoke your consent at any time.

To exercise any of these LGPD rights, contact us at privacy@digitalbusinesscard.com. You also have the right to file a complaint with the Brazilian National Data Protection Authority (ANPD).

D. Canadian residents — PIPEDA rights

If you are a resident of Canada, you have rights under PIPEDA and, where applicable, equivalent provincial legislation (including Quebec's Law 25). These rights include those set out below.

Knowledge and consent. The right to be informed about the collection, use, and disclosure of your personal information and to give meaningful consent (except in limited circumstances permitted by law).

Access. The right to access the personal information we hold about you and to be informed of how it has been used and to whom it has been disclosed.

Accuracy. The right to request that we correct any inaccurate or incomplete personal information.

Withdrawal of consent. Subject to legal or contractual restrictions and reasonable notice, you may withdraw your consent at any time.

Challenging compliance. The right to challenge our compliance with PIPEDA by contacting our privacy contact and, if not satisfied, the Office of the Privacy Commissioner of Canada (OPC) or, where applicable, the Commission d'accès à l'information du Québec.

To exercise any of these rights, contact us at privacy@digitalbusinesscard.com.

6. Lead Capture data and our role as a data processor

Our Service includes a Lead Capture feature that allows our users (for example, professionals using DBC to network) to collect contact information from individuals who interact with their digital business card. When such an individual (the Recipient) submits a Lead Capture form, they provide personal data such as name, email address, phone number, company name, or other information configured by our user.

Roles and responsibilities. With respect to Lead Capture data, our user and DBC act in different capacities, as set out below.

Our user is the data controller of the Lead Capture data. Our user (the person operating the DBC digital business card) determines what information to collect, why, and how to use it after collection.

DBC is the data processor with respect to Lead Capture data. We (IT FOR TOMORROW LTD) store this data in our user's account, transmit it to third-party integrations (such as Salesforce, HubSpot, Zoho CRM, Pipedrive, monday.com, Google Sheets, or Zapier) as configured by our user, and otherwise process it strictly on the user's instructions.

If you are a Recipient who has submitted a Lead Capture form: we process your information on behalf of the DBC user you interacted with. For any requests regarding your data, please contact the DBC user directly — they are the controller of your data. If you are unable to identify the DBC user or reach them, you may contact us at privacy@digitalbusinesscard.com and we will use reasonable efforts to help you identify the appropriate contact.

Data processing responsibilities of our users. By using the Lead Capture feature, our users represent and warrant that they have established their own legal basis for collecting and processing Lead Capture data under applicable laws (including GDPR, CCPA, LGPD, PIPEDA, and similar regulations), that they have provided Recipients with the required privacy notices and disclosures, and that they have obtained any required consents. Where required, our users and DBC may enter into a separate Data Processing Agreement governing this relationship.

7. Our use of artificial intelligence (AI)

This section provides additional transparency on how we use AI in connection with our Service.

7.1 AI features in DBC

We currently use AI to power the following features:

AI Contact Scanner. Allows you to upload photographs of paper business cards and automatically extract the contact details (name, job title, company, email, phone number) into structured digital contacts saved in your account. The photograph is transmitted from your device to our servers, then forwarded to our AI processing partner (OpenAI) for image recognition and text extraction. Both the original photograph and the extracted contact data are stored in your account so that you may review, edit, or delete them.

AI-assisted customer support and content understanding. We may use AI to assist us in providing customer support and in understanding content submitted to the Service, for example to classify support inquiries, draft initial responses for human review, or summarize lead capture submissions. Where AI is used in customer support, a human agent reviews AI-generated suggestions before they are sent to you, unless we have explicitly disclosed that a specific interaction is fully automated.

7.2 AI processing partners and data flows

OpenAI. We use OpenAI's API (operated by OpenAI, L.L.C. in the United States) to power the AI Contact Scanner and certain other AI features. Our use of OpenAI is governed by OpenAI's API terms and a data processing agreement. Per OpenAI's API terms in effect as of the date of this Policy, OpenAI does not use data submitted through its API to train or improve its models, and OpenAI retains API data only for a limited period (typically up to 30 days) for abuse monitoring and legal compliance, after which it is deleted. Transfers are covered by Standard Contractual Clauses.

Anthropic. We use Anthropic's API (Claude models, operated by Anthropic PBC in the United States) to power certain AI-assisted features. Per Anthropic's terms in effect as of the date of this Policy, Anthropic does not use API inputs or outputs to train their models by default. Transfers are covered by Standard Contractual Clauses.

What we share with AI partners (and what we do not). For the AI Contact Scanner, we share with OpenAI only the photograph you upload and minimal technical metadata necessary for API processing. We do not share your DBC account identifiers, subscription details, contacts list, card content, or any other information beyond what is contained in the photograph and necessary for the API call. For AI-assisted support, we share only the content of the specific support inquiry or content being analyzed, not your full account history, payment details, or unrelated contacts.

Important note about third-party data. Photographs of business cards may contain personal data of the individuals whose cards you are scanning (Recipients). You represent and warrant that you have a legal basis to process such Recipients' personal data, including, where required by applicable law, their consent. We do not assume responsibility for your compliance with applicable law regarding the third-party data you submit.

7.3 Training and model improvement

We do not use your personal data to train AI models. We do not provide your inputs to AI features, AI-generated outputs, or other personal data to third parties for the purpose of training, retraining, fine-tuning, or improving general-purpose AI models. Our AI processing partners have contractually committed not to use API data to train their models, and we review these commitments periodically.

From time to time, we may perform aggregate or anonymized analysis of how AI features are used (for example, the number of contacts scanned per month, average accuracy of extracted fields, common error patterns) to improve our Service. Such analysis does not involve sharing identifiable personal data with third parties.

7.4 Accuracy and limitations of AI outputs

AI features may produce inaccurate, incomplete, or unexpected results. AI is a probabilistic technology and is not error-free. The accuracy of AI outputs depends on many factors, including the quality of the input (for example, the legibility of a scanned business card photograph), the language and formatting of the input, and the underlying capabilities of the AI models we use.

You acknowledge and agree that AI outputs are provided on an "as-is" basis without warranty of accuracy; that you are responsible for reviewing AI outputs before relying on them for business or legal decisions (for example, verifying that an extracted contact's fields are correct before adding it to your CRM or sending a message); that AI features are not a substitute for professional advice; and that AI outputs may reflect biases or limitations of the underlying training data of the AI models. To the maximum extent permitted by applicable law, we disclaim all liability for any decisions made or actions taken in reliance on AI outputs.

7.5 Your rights and choices regarding AI

Opting out of AI features. You can choose not to use AI features. The AI Contact Scanner is an optional feature — if you do not upload photographs to it, no image data will be sent to AI partners. AI-assisted customer support can be replaced by direct interaction with our human support team by contacting us at support@digitalbusinesscard.com.

Deleting AI-related data. You can delete photographs uploaded to the AI Contact Scanner and any extracted contact data from your account at any time. Such deletion removes the data from our active systems immediately. Backup retention and other deletion details are covered in Section 8 (Account Deletion).

Right to human review of AI decisions. Where required by applicable law (for example, under GDPR Article 22), you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or significantly affects you. We currently do not use AI to make decisions that produce legal effects or significantly affect users (for example, AI is not used to determine pricing, eligibility, account suspension, or refund decisions). If we introduce such use of AI in the future, we will update this Policy and provide appropriate disclosures and opt-out mechanisms.

8. Account deletion

You can delete your account at any time using the self-service account deletion functionality available in your account settings in the App or on our website, or by sending a request to privacy@digitalbusinesscard.com.

Important: cancel your subscription first. Before deleting your account, you should cancel any active subscriptions to avoid any additional charges. For subscriptions purchased on our website, you may cancel through your account settings. For subscriptions purchased through Apple App Store or Google Play Store, you must cancel through the respective App Store account settings; deleting your DBC account does not cancel your App Store subscription.

What happens when you delete your account. When you initiate account deletion, the following takes place.

Your personal data is immediately removed from our active production systems.

Your digital business cards become inactive and will no longer be accessible to recipients who previously saved or scanned them.

Any third-party integrations you configured (such as Salesforce, HubSpot, Zoho CRM, Pipedrive, monday.com, Google Sheets, Zapier) will stop receiving data from your account. You should also revoke DBC's access from each respective integration's settings.

Data stored in our system backups is purged in accordance with our standard backup rotation, within 30 days.

What is retained after deletion. In some cases we may be legally required to retain certain information for a limited period after account deletion, as set out below.

Billing and transaction records are retained for 7 years to comply with tax and accounting obligations under applicable law.

Records of your privacy requests are retained to demonstrate compliance with applicable data protection laws.

Data necessary to defend against legal claims is retained for the duration of the applicable statutory limitation period.

Anonymized or aggregated data may be retained indefinitely for statistical and analytical purposes.

Account deletion is irreversible. Once you initiate the deletion, your account cannot be restored, and any content, contacts, or analytics history associated with your account will be permanently lost.

9. Data breach notification process

We have implemented technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Despite these measures, no data transmission or storage system can be guaranteed to be 100% secure.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR and equivalent provisions of other applicable data protection laws.

Where the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in accordance with Article 34 of the GDPR. Our notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and the contact details of our privacy contact.

If you believe that your personal data may have been compromised or you have observed suspicious activity related to your DBC account, please contact us immediately at privacy@digitalbusinesscard.com.

10. Age limitation

We do not knowingly process personal data from persons under 18 years of age. If you learn that anyone younger than 18 has provided us with personal data, please contact us at privacy@digitalbusinesscard.com.

11. International data transfers

Our primary data storage is located in the European Union (Amazon Web Services and MongoDB Atlas, both deployed in the Frankfurt eu-central-1 region). However, some of our service providers, including certain analytics, marketing, and AI processing partners, are located outside the European Economic Area, including in the United States.

Where we transfer personal data to countries that do not provide an equivalent level of data protection, we deploy appropriate safeguards under applicable data protection laws, as described below.

Standard Contractual Clauses (SCCs). We rely on the standard contractual clauses adopted by the European Commission for transfers to third countries pursuant to GDPR Article 46(2)(c).

Adequacy decisions. Where applicable, we rely on adequacy decisions issued by the European Commission for the relevant country.

EU-U.S. Data Privacy Framework (DPF) certification. For transfers to certified U.S. organizations, we may rely on the EU-U.S. Data Privacy Framework and its UK Extension as an additional safeguard, where applicable.

Specifically, our AI Contact Scanner feature transmits images and associated text to OpenAI's processing infrastructure (located in the United States) for contact extraction. This transfer is covered by Standard Contractual Clauses executed with OpenAI.

12. Changes to this Privacy Policy

We may modify this Privacy Policy from time to time. If we decide to make material changes to this Privacy Policy, you will be notified through our Service or by other available means and will have an opportunity to review the revised Privacy Policy. By continuing to access or use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.

13. Data retention

We will store your personal data for as long as it is reasonably necessary for achieving the purposes set forth in this Privacy Policy and our Terms of Use, which includes (but is not limited to) the period during which you have an account with the Service.

Indicative retention periods are set out below.

Active account data is retained for the duration of your active subscription and account.

Closed account data is removed from active systems immediately upon account deletion (see Section 8).

Backups are purged within 30 days of the original deletion.

Billing and transaction records are retained for 7 years to comply with tax and accounting obligations.

System logs are typically retained for 30 to 90 days for security and operational purposes.

Analytics data is retained according to each analytics provider's policies (Google Analytics data retention is typically set to 14 months).

We will also retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

14. Personal data controller

IT FOR TOMORROW LTD (registration No. HE 466470, VAT No. CY60105017J), with registered office at 13 Myrtiotissis, Aqua Mansions, Apartment 1, 4041, Germasogeia, Cyprus, will be the controller of your personal data.

For Lead Capture data processed on behalf of our users, our users are the data controllers and we act as data processor, as described in Section 6 of this Privacy Policy.

15. Contact us

You may contact us at any time for details regarding this Privacy Policy, its previous versions, or our information practices. For any questions concerning your account or your personal data, please contact us at privacy@digitalbusinesscard.com or via the chat functionality on our website.

To exercise any of the available privacy rights, you may also use the privacy features in our products.

IT FOR TOMORROW LTD

Registration No. HE 466470

VAT No. CY60105017J

Registered office: 13 Myrtiotissis, Aqua Mansions, Apartment 1, 4041, Germasogeia, Cyprus

Privacy email: privacy@digitalbusinesscard.com

Version 1.3 — Last updated: 22 April 2026