PRIVACY POLICY
Cardixx FlexKapG, Vienna, Austria
Last Updated: 01.01.2026
1. INTRODUCTION AND SCOPE
This Privacy Policy explains how Cardixx FlexKapG, a company incorporated in Austria with its principal place of business in Vienna ("Cardixx", "we", "us", "our"), collects, processes, and protects your personal data in connection with the Cardixx Services. The Cardixx Services consist of a website at www.cardixx.com, which provides information about Cardixx and links to download the mobile application, and the Cardixx mobile application, which enables users to create digital business cards, discover professional contacts through location-based networking, check in to events and networking venues, and access analytics regarding their networking activities.
This Privacy Policy applies to both the website and the mobile application. We process your personal data in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (Datenschutzgesetz 2018), and other applicable laws.
If you do not agree with this Privacy Policy, you should not use the Cardixx Services. If you have questions or concerns, please contact us at info@cardixx.com.
2. DATA CONTROLLER
The data controller responsible for processing your personal data is Cardixx FlexKapG, Vienna, Austria. You may contact us regarding your personal data or to exercise your rights by emailing info@cardixx.com. We will respond to all inquiries within five business days and to all formal GDPR requests within thirty days.
3. PERSONAL DATA WE COLLECT
3.1 Account Registration Data
When you create a Cardixx account, you must provide your name, email address, and a password. You may also optionally provide a phone number for account recovery purposes. This information is necessary to create and manage your account and is processed based on Article 6(1)(b) GDPR (contractual necessity).
3.2 Digital Business Card Profile
To use Cardixx, you create a digital business card containing professional information that you control and choose to share. This may include your name, job title, company name, work email address, phone number, office location, website URL, social media profile links, and a professional photograph. You have full control over what information appears on your card and who can see it. This data is processed based on Article 6(1)(b) GDPR (contractual necessity) and Article 6(1)(a) GDPR (consent) for any optional information you voluntarily add.
3.3 Networking Connections and Interactions
When you use Cardixx to connect with other users, we collect and process data about your connections, including the list of users you have connected with, connection requests you send and receive, and any messages or notes you exchange with other users within the platform. This data is processed based on Article 6(1)(b) GDPR (contractual necessity) as it is essential to provide the networking functionality of the service.
3.4 Location Data
Cardixx offers location-based networking features that help you discover professionals nearby. We collect location data in two ways. If you enable GPS location on your device and grant permission within the Cardixx app, we receive your precise GPS coordinates. This is processed based on Article 6(1)(a) GDPR (your explicit consent through device settings). We also collect approximate location derived from your IP address, which is processed based on Article 6(1)(b) GDPR (contractual necessity for the service to function).
Location data is used to show you nearby professionals, enable event check-ins, and generate location-based analytics. You control precise location tracking through your device settings and can disable it at any time. Real-time location data is not stored permanently; it is used to generate recommendations and then discarded.
3.5 Event Check-in Data
When you check in to an event or networking venue using Cardixx, we record the event name, check-in timestamp, your location at the time of check-in, and any other users you connected with at that event. This data is processed based on Article 6(1)(b) GDPR and is used to provide event functionality and generate analytics. Event check-in data is retained for twenty-four months.
3.6 Website Analytics Data
When you visit our website, your browser automatically transmits your IP address, browser type and version, operating system, pages accessed, time of access, referrer URL, and general geographic location derived from your IP address. This data is processed based on Article 6(1)(f) GDPR (legitimate interest in understanding website usage and ensuring functionality). Website log data is retained for thirty days.
3.7 Device Information
When using the Cardixx app, we collect your device type, operating system version, app version, unique device identifier for analytics purposes, and push notification preferences. This data helps us optimize app performance and provide technical support. It is processed based on Article 6(1)(f) GDPR (legitimate interest in app functionality and improvement) and is retained for sixty days.
3.8 Email Communications
If you contact us via email at info@cardixx.com, we collect your email address, name, message content, and timestamp. Support emails are retained for two years for customer service records. This is processed based on Article 6(1)(b) GDPR (pre-contractual and contractual communication).
If you subscribe to our newsletter, we collect your email address and track whether you open emails and click links within them using web beacons. This is processed based on Article 6(1)(a) GDPR (your consent to receive marketing communications). You may unsubscribe at any time using the link in any newsletter, and your email is deleted within thirty days of unsubscribing.
3.9 Cookies
Our website uses essential cookies necessary for basic functionality and security, including session management, CSRF protection, language preferences, and cookie consent tracking. These do not require consent. We may also use optional analytics cookies with your consent. You may manage cookie preferences through our cookie banner. All essential cookies expire when you close your browser or after one year depending on the cookie type. Optional analytics cookies are retained for up to two years.
4. HOW WE USE YOUR DATA
We use your personal data to provide and improve the Cardixx Services, including creating and managing your account, displaying your digital business card to other users, facilitating connections with other professionals, enabling location-based networking features, recording event check-ins, and generating analytics regarding your networking activity. We use your data to respond to support inquiries, provide customer service, and communicate important updates about the service. We process your data to detect and prevent fraud or misuse of the platform, to comply with legal obligations, and to understand how users engage with the service so we can improve the product.
5. LEGAL BASES FOR PROCESSING
We only process your personal data where we have a lawful basis under Article 6 of the GDPR. We rely on Article 6(1)(b) (contractual necessity) for account creation, provision of the core service, networking features, and event management. We rely on Article 6(1)(a) (consent) for optional cookies, newsletter subscriptions, precise location tracking, and any third-party integrations you authorize. We rely on Article 6(1)(f) (legitimate interest) for website analytics, fraud detection, app performance optimization, and service improvement. We rely on Article 6(1)(c) (legal obligation) for data retention required by tax or accounting law.
6. WHO WE SHARE YOUR DATA WITH
Your personal data is shared with other users of Cardixx to the extent you make information visible on your business card and through networking interactions. Within Cardixx, data may be accessed by customer support staff responding to your inquiries, engineering team members fixing technical problems, and management as necessary for business operations.
Cardixx engages third-party service providers who process data on our behalf, including cloud hosting providers storing our infrastructure, email service providers sending transactional and marketing emails, and analytics providers measuring usage patterns. All service providers are contractually bound by Data Processing Agreements to protect your data. Cardixx does not sell your personal data to any third party.
If required by law, court order, or legal process, we may disclose your data to comply with legal obligations or to protect safety and rights. If Cardixx is acquired or merged with another company, your data may be transferred to the acquiring company, which will be bound by similar privacy protections.
7. DATA RETENTION
Account information is retained for the lifetime of your account. If you delete your account, personal data is removed from active systems within thirty days, though backup copies may be retained for ninety days for disaster recovery. Professional profile information, networking connections, and messages are deleted when you delete your account, subject to the ninety-day backup period.
Location history is retained for twelve months or until you choose to delete it, whichever occurs first. Event check-in data is retained for twenty-four months for analytics purposes. Website server logs are retained for thirty days. Customer support emails are retained for two years. Marketing email records are retained as long as you are subscribed; after unsubscribing, your email is retained for thirty days and then deleted. Tax and invoice records, if applicable, are retained for seven years as required by Austrian law.
8. DATA SECURITY
Cardixx implements technical and organizational security measures to protect your personal data. All communications between your device and our servers use TLS 1.2 or higher encryption. Passwords are hashed using industry-standard algorithms and are not stored in plaintext. Sensitive data is encrypted in our databases. We implement access controls limiting employee access to data necessary for their role, maintain activity logs, conduct regular security audits, and have implemented an incident response plan for data breaches.
No system is completely secure. Cardixx is not liable for unauthorized access due to user negligence such as sharing passwords, security breaches resulting from user actions, or interception of data during transmission where best security practices have been followed.
9. YOUR RIGHTS
You have the following rights under the GDPR. You have the right of access to confirm whether we process your data and to obtain a copy of your data. You have the right to rectification to correct inaccurate or incomplete information in your profile. You have the right to erasure to request deletion of your account and associated data, except where retention is required by law. You have the right to restrict processing if you dispute accuracy or contest processing. You have the right to data portability to receive your data in a structured, commonly used format such as CSV. You have the right to object to processing based on legitimate interests and to opt out of marketing communications.
To exercise any of these rights, contact us at info@cardixx.com with a clear statement of which right you are exercising. We will verify your identity and respond within thirty days. You may also withdraw consent for cookies, location tracking, and marketing at any time through your account settings or by clicking unsubscribe in emails.
If you believe we have violated your rights, you may lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) at Wickenburggasse 8, 1080 Vienna, Austria, by telephone at +43 1 52 152-0, by email at dsb@dsb.gv.at, or at https://www.dsb.gv.at.
10. THIRD-PARTY LINKS AND INTEGRATIONS
Our website contains links to the Apple App Store and Google Play Store. When you access these third-party platforms, their privacy policies apply, and Cardixx has no control over their data practices. Cardixx may offer optional integrations with third-party professional networks such as LinkedIn. These integrations require your explicit authorization, and you control which information is shared. Third-party platforms act as independent data controllers for their data.
11. INTERNATIONAL DATA TRANSFERS
Cardixx operates primarily within the European Union and stores data on EU servers. Where we use service providers outside the EU/EEA, we ensure appropriate safeguards including adequacy decisions where available or Standard Contractual Clauses under Article 46 GDPR. You may request information about safeguards for any data transfer outside the EU/EEA.
12. CHILDREN
The Cardixx Services are not directed to individuals under age sixteen. We do not knowingly collect personal data from children under sixteen. If we become aware we have collected data from a child under sixteen, we will delete it promptly.
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy to reflect changes in our practices, new features, legal requirements, or security improvements. Material changes will be communicated via email or prominent notice on our website with at least thirty days' notice before taking effect. Your continued use of the Services after changes become effective constitutes acceptance of the updated policy. This policy was last updated on the date shown at the top.
14. CONTACT US
For questions regarding this Privacy Policy or to exercise your rights, contact Cardixx FlexKapG at info@cardixx.com or www.cardixx.com. For complaints, you may contact the Austrian Data Protection Authority at the address provided in Section 9 above.