Privacy Policy

1. Who We Are

CardScan is operated by Nörtti Paikalle Oy, Finland. We are the data controller for personal data collected about our users (account and billing data). For personal data contained in business card images you upload, you are the data controller and we act as your data processor.

2. What We Collect

We collect the minimum data necessary to operate the service:

• Account data — username, hashed password, and email address, stored securely in our database.
• Billing data — your payment method and billing history are held by Stripe. We store only your Stripe customer ID and subscription status.
• Usage data — a count of scans per day, used solely for billing.

We currently use the following third-party sub-processors:

• Stripe (Ireland / United States) — payment processing
• Anthropic, PBC (United States) — AI-based text extraction from card images
• Zapier, Inc. (United States) — automation routing, for customers on a managed integration only (see section 4)

This list will be kept up to date on this page. We will notify affected customers of material changes.

3. Images You Upload

Business card images are transmitted to the Anthropic API for processing and are not stored on our servers. Anthropic's data handling is governed by their privacy policy. Extracted contact data is returned to your browser and — if a webhook integration is enabled (see section 4) — transmitted onward to the configured endpoint. We do not otherwise log, retain, or share the extracted contact data.

4. Webhook Integrations

CardScan can POST scan results to a webhook endpoint. There are two modes:

a) Self-configured webhooks. In your profile you may paste a webhook URL of your choice — typically a Zapier, Make, or direct CRM endpoint. In this case:

• You remain the data controller for the contact data transmitted.
• The service you chose (e.g. Zapier, Make) is your sub-processor, not ours.
• You are responsible for ensuring it is lawful to route contact data there, for any DPA that service requires, and for any international transfer safeguards.
• CardScan acts only as the conduit that transmits the data on your instruction.

b) Managed integrations. In some cases we configure and run the webhook route on your behalf (for example, a managed Zapier flow). When we do, those third-party services become our sub-processors and are listed in section 2.

Note that Zapier, Make and similar automation tools are based outside the EU/EEA. Where we manage the route we rely on the provider's Standard Contractual Clauses; where you configure it yourself, the transfer mechanism is your responsibility. If you need a DPA to document this chain with your own controllers, see the template linked in section 10.

5. Legal Basis for Processing

We process your account and billing data on the basis of contractual necessity (to provide the service you have signed up for). We do not process your personal data for any purpose beyond operating the service.

6. How We Use Your Data

We use your data only to provide and bill for the service, and to send password reset emails when requested. We do not sell, share, or use your data for advertising or profiling.

7. Cookies & Sessions

We use a single session cookie to keep you logged in. No third-party tracking cookies are used.

8. Data Retention

Account data is retained until you request deletion. You may request full deletion by contacting us, after which your account and all associated data will be removed within 30 days.

9. Your Rights

Under the GDPR and applicable data protection law you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your account and associated data.
• Portability — request your data in a portable format.
• Objection — object to processing where we rely on legitimate interests.

To exercise any of these rights, contact us at the support address in your profile. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe we have handled your data unlawfully.

10. Downloadable Resources

If you need to provide the contacts whose cards you scan with a privacy notice explaining how you handle their data, you can start from our generic template:

⇩ Download privacy notice template (.rtf)

For the contractual side — the Data Processing Agreement you sign with your own controller — see the link in our Terms and Conditions. Both templates are provided as-is and are not legal advice; review with qualified counsel before use.

11. Changes

We may update this policy at any time. The date at the top of this page reflects the most recent revision.