Card.tel and GDPR Compliance
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) has applied since May 25, 2018, and has extraterritorial effect for organizations processing personal data in the EU and EEA. As a digital business card and link aggregation SaaS platform for businesses and individuals, Card.tel follows GDPR requirements for lawfulness, transparency, minimization, and security when delivering multilingual card pages, lead capture, visit analytics, and team collaboration features.
This page explains how we implement GDPR requirements in day-to-day platform operations and helps you understand the rights and management options available to you.
What this page covers
To help you understand Card.tel's data processing approach quickly, this page focuses on:
- Our role and responsibilities in data processing
- The types of personal data we may collect and process
- Processing purposes and corresponding legal bases (Article 6)
- Data retention periods and deletion rules
- Third-party processors, subprocessors, and cross-border transfer mechanisms
- The data subject rights you have under GDPR
- How to access, export, update, or delete your information
- How to contact the platform and supervisory authorities
What is GDPR?
The core goal of GDPR is to give individuals greater control over their personal data and require platforms to stay explainable, auditable, and accountable across the data lifecycle. Its core principles include lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (Article 5).
GDPR also has extraterritorial scope: it may apply even if a company is not established in the EU, as long as it offers services to EU users or monitors their behavior.
How Card.tel implements GDPR requirements
Guided by ongoing recommendations and enforcement practice from the European Commission and the EDPB, Card.tel continues advancing compliance across products, processes, and contracts, so the platform maintains a balance between growth and security.
We have established the following mechanisms:
- Privacy-by-default design for features and permissions (Article 25), minimizing displayed and collected data by default
- Records of processing activities (Article 30), processor agreements (Article 28), and access control audit workflows
- DPIAs for high-risk scenarios (Article 35) and appointment of a DPO when legally required (Articles 37-39)
- Technical and organizational measures such as encryption, tiered authorization, least privilege, and audit logs (Article 32)
- A breach response mechanism that notifies supervisory authorities within 72 hours when legally required and informs individuals when needed (Articles 33-34)
- A rights request channel with responses delivered within legal deadlines (Articles 12 and 15-22)
Personal data we may process
- Account and identity information: Such as name, company name, email address, phone number, login credentials, and account role details.
- Card and page business data: Information you publish voluntarily, such as profile photos, job titles, company information, links, contact details, booking slots, and lead form fields.
- Device and usage logs: Such as IP address, device and browser information, access time, activity logs, error logs, and anti-fraud and security monitoring records.
- Billing and transaction data: Such as orders, subscriptions, invoices, and payment status. Sensitive payment data such as bank card details is usually handled by licensed payment providers, and Card.tel does not store full card numbers.
- Support and communication data: Such as ticket content, email exchanges, troubleshooting records, and service feedback.
Purposes of processing and legal bases (Article 6)
- Providing core services such as account registration, login, card publishing, and lead management: legal basis is performance of a contract
- Meeting tax, audit, anti-fraud, and security obligations: legal basis is legal obligation or legitimate interest
- Product improvement, performance monitoring, and service quality optimization: legal basis is legitimate interest, supported by a necessary balancing assessment
- Marketing outreach, analytics, and optional cookies or tracking technologies: consent is obtained first where required by law, and may be withdrawn at any time
Third-party services and cross-border transfers
- Processor management (Article 28): We work only with cloud, communication, payment, and analytics providers that pass security and compliance review, and we sign data processing agreements with them.
- Cross-border transfers (Chapter V): If data is transferred outside the EU or EEA, we prioritize adequacy decisions (Article 45). Where no adequacy decision exists, we use the EU Standard Contractual Clauses (SCCs, 2021/914), together with supplemental measures such as encryption, access control, and transfer risk assessments where needed.
- EU-US transfer note: Where applicable, transfers may rely on the European Commission's adequacy framework. We continue monitoring regulatory reviews and adjust compliance measures accordingly.
Your GDPR rights
- Right of access (Article 15): Receive a copy of the personal data we process about you and an explanation of that processing
- Right to rectification (Article 16): Correct inaccurate data or complete incomplete data
- Right to erasure (Article 17): Request deletion of personal data where legal conditions are met
- Rights to restriction and objection (Articles 18 and 21): Restrict processing or object to processing based on legitimate interests, and object to direct marketing at any time
- Right to portability (Article 20): Obtain and transfer the data you provided in a structured, commonly used, machine-readable format where applicable
- Withdrawal of consent and right to complain: You may withdraw consent at any time and lodge a complaint with the competent data protection authority
Data retention, children's data, and security incidents
- We follow a shortest-necessary-retention principle: personal data is kept only for the period needed to achieve business purposes and meet contractual and legal obligations, then deleted or anonymized.
- If a service is directed at minors and consent is the legal basis, we apply the relevant member-state age threshold and guardian authorization checks under GDPR Article 8.
- If a personal data breach occurs, we document it, assess the risk, notify regulators and users where required by GDPR, and retain the evidence trail of our response.
How to manage, export, or delete your data
- You can update card details, contact information, and marketing preferences at any time in your account dashboard.
- To request data access, portability, deletion, or restriction of processing, submit a ticket through the platform support page. To protect account security, we may need to verify your identity first.
- We usually respond within 1 month. In complex or high-volume cases, the response period may be extended by up to 2 more months where legally permitted, and we will explain why. You may also complain to the competent data protection authority.