Privacy Policy.
On this page
1. The short version
Cardfolio (“we”, “us”) is an app that scans business cards, turns them into structured contacts, and lets you sync those contacts to the CRM of your choice. To do that, we hold onto your email, the cards you scan, and the access tokens you grant for any CRM you connect. We don’t sell any of it. We don’t use your cards to train AI. If you delete your account, your data goes with it.
The long version is below. If anything is unclear, write to support@usecardfolio.com.
2. Who we are
Cardfolio is operated by the publisher of usecardfolio.com. For privacy questions in the EU, UK, or California, you can reach our data team at the address above. For GDPR/UK GDPR purposes, we act as a data controller for your account data and as a data processor for the contact data you choose to push to third-party CRMs.
3. What we collect and why
Account data
- Email address — to identify your account, verify it, and send transactional emails (password resets, receipts).
- Name — for the greeting and your profile screen.
- Password (hashed) — stored as a bcrypt hash. We can’t see your password.
- Sign-in provider data — if you use Apple Sign-In or Google, we receive only the identifiers those services give us.
Card & contact data
- The images of business cards you choose to scan.
- The extracted fields: name, title, company, phone, email, website, address.
- Any notes, tags, or categories you add.
Subscription & billing data
- Plan, status, renewal date.
- For web purchases, payment is handled by Stripe. For App Store / Play Store purchases, by Apple or Google. We never see your card number.
Usage data
- Anonymous analytics (page views, taps, errors) via PostHog, used to find bugs and improve the app.
- Device type, OS version, app version, IP address — standard server logs, kept short-term.
4. Your business cards and AI processing
When you scan a card, the image is sent to a third-party vision model (currently Google Gemini) for OCR. The model returns the extracted fields, which we store in your account. We do not retain card images for longer than necessary to process them, and we do not use your cards to train any AI model. Google’s API terms prohibit them from training on customer data in this configuration.
The cards belong to you and to the people who handed them to you. You are responsible for how you use the contact information — in most jurisdictions, business cards exchanged in a professional setting carry an implied permission to follow up, but local laws vary.
5. CRM connections
If you connect a CRM (Hubspot, Salesforce, Zoho, Outlook, Google Contacts), we store the OAuth access token you authorize. We use it only to push the contacts you choose to push. We don’t read or modify other data in your CRM. You can disconnect a CRM at any time in Settings, which revokes our access on our side; you can also revoke from the CRM’s own dashboard.
6. Device permissions
- Camera — only used while you’re actively scanning. We never access the camera in the background.
- Photo library — only when you tap “import from photos”.
- Contacts — only requested if you choose to sync to your phone’s native contacts. We never read your existing contacts without that explicit action.
- Push notifications — optional; used for sync status and account alerts only.
7. Who we share data with
We share only what’s necessary, only with these processors:
- MongoDB Atlas — database hosting.
- Google Cloud (Gemini API) — OCR processing of card images.
- Stripe — subscription billing (web only).
- Apple App Store / Google Play — subscription billing (mobile).
- Resend — transactional email delivery.
- PostHog — product analytics.
- The CRM you connect — only contacts you choose to push.
We do not sell your personal data, ever. We do not share it with advertisers. (The free tier of the mobile app shows ads served by Google AdMob, but we do not pass your personal data to AdMob beyond what the SDK collects under its own privacy policy.)
8. How long we keep things
- Account & cards: as long as your account is open. Delete your account from Settings and we wipe within 30 days.
- Card images: removed shortly after OCR completes.
- Server logs: 30 days.
- Billing records: 7 years (legal requirement for tax records).
9. Your rights
Depending on where you live, you have the right to:
- Access a copy of your data (export from Settings or email us).
- Correct anything inaccurate (you can edit fields directly in-app).
- Delete your account and all data (Settings → Delete account).
- Object to processing or withdraw consent.
- Lodge a complaint with your local data protection authority.
Email support@usecardfolio.com for any of these — we’ll respond within 30 days.
10. Children
Cardfolio is a business tool. It’s not designed for, marketed to, or intended for anyone under 16. We don’t knowingly collect data from minors. If we learn that we have, we delete it.
11. Changes to this policy
If we change anything material, we’ll email registered users and post a notice in the app at least 14 days before the change takes effect. The “last updated” date at the top of this page always reflects the current version.
12. Contact
Questions, requests, complaints — all welcome.
Email: support@usecardfolio.com
Web: usecardfolio.com