Qardly Privacy Policy
Last updated: April 16, 2026
1. Information We Collect
Qardly collects the following information to provide our digital business card service:
- Account Information: Name, email address, phone number (via Firebase Authentication)
- Business Card Data: Name, title, company, email, phone, website, social media links, bio, and profile photo that you choose to include on your card
- Analytics Data: Card view counts, share counts, link click events, and device types of viewers
- Camera Access: Used only for QR code scanning and business card OCR scanning. Images are processed locally and never stored or transmitted to our servers.
- Bluetooth/NFC: Used for nearby device discovery during events and NFC card sharing. No location data is collected through these features.
- Subscription Data: Purchase history and subscription status managed through RevenueCat. We do not store payment card details.
2. How We Use Your Information
- Display your digital business card to people you share it with
- Provide card analytics (views, shares, link clicks)
- Enable event mode for networking at events
- Send push notifications when someone views or saves your card (if enabled)
- Manage your subscription and in-app purchases
- Improve our service through anonymized usage analytics
3. Web Card Viewer Analytics
When someone views your shared card on the web (qardly.app/c/...), we collect:
- IP Address: Used to determine approximate geographic location (country and city)
- User-Agent: Browser and device type information
- Referrer: The website or source that led to your card
- Link Clicks: Which contact links (email, phone, social) the viewer tapped
This data is shown to the card owner in their analytics dashboard. Card owners can disable location tracking via the "Track viewer location" toggle in their card's privacy settings. Viewers cannot be personally identified from this data.
4. Contact Information Protection
By default, email addresses and phone numbers displayed on web card pages are obfuscated (Base64-encoded) to prevent automated scraping by bots. The information is decoded by JavaScript when a real user views the page. Card owners can control this via the "Hide email from bots" toggle.
5. Search Engine Indexing
By default, shared card pages are not indexed by search engines (noindex, nofollow). Card owners can opt in to search engine indexing via the "Allow search engine indexing" toggle if they want their card to appear in Google results.
6. PIN Protection
Card owners can protect their web card with a 6-digit PIN. PIN verification is rate-limited (maximum 5 attempts per 15 minutes per IP address). After successful verification, a signed HTTP-only cookie is set for 1 hour so the viewer does not need to re-enter the PIN. The PIN is never transmitted in the URL.
7. Data Sharing
We do not sell your personal data. Your business card information is only shared with people you explicitly share your card with. We use the following third-party services:
- Firebase (Google): Authentication, Firestore database, Cloud Storage, Cloud Functions, Hosting, Analytics, Crashlytics
- RevenueCat: Subscription and in-app purchase management
- Google Fonts: Web font delivery for card themes (loaded via CDN when viewing web cards)
- ipapi.co: IP geolocation for viewer analytics (when geo headers are unavailable)
8. Data Storage and Security
Your data is stored securely using Google Firebase infrastructure with encryption at rest and in transit. We implement industry-standard security measures including:
- Firestore security rules restricting data access to authenticated owners
- HTTPS-only communication
- HTTP-only, Secure, SameSite cookies for PIN sessions
- Rate limiting on all public endpoints
- Content Security Policy headers
9. Your Rights
You can:
- Edit or delete your business cards at any time
- Control which fields are visible on your web card (hidden fields)
- Enable or disable web card rendering (app-only mode)
- Control search engine indexing, contact obfuscation, and viewer location tracking
- Set or remove PIN protection on individual cards
- Delete your account and all associated data
- Control push notification preferences
- Request a copy of your data by contacting us
10. Children's Privacy
Qardly is not intended for children under 13. We do not knowingly collect data from children under 13 years of age.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes through the app or via email.
12. Contact Us
If you have questions about this privacy policy or wish to exercise your data rights, contact us at: support@qardly.app