Pursuant to Article 13 & 14 GDPR
Cardixx e.U. · Vienna, Austria
1. Identity and Contact Details of the Controller
Controller | Cardixx e.U. |
Contact Person | Cihan Yasa (Founder & CEO) |
Address | Vienna, Austria |
Website |
Cardixx e.U. (hereinafter "Cardixx" or "we") is the controller responsible for the processing of your personal data as described in this document. For any questions or requests regarding your personal data, please contact us at info@cardixx.com.
2. Purpose of Processing: Creating a Business Card
Description
When you register on the Cardixx platform and create your digital business card, we collect and process the personal data you provide. This data forms the foundation of your professional identity on the platform and is used to create, display, and share your digital business card with other users. Users may create multiple cards and customise each one independently.
Authentication Data
Depending on your chosen registration method, we process the following authentication data:
- Sign-in via Apple: Apple ID, name, and email address provided by Apple
- Sign-in via Google: Google account name and email address provided by Google OAuth
- Sign-in via Email: Email address and one-time password (OTP) verification code
Personal Details
The following personal details are collected during card creation:
- Profile picture: PNG or JPG, up to 2 MB – optional
- First name: mandatory
- Last name: mandatory
- Middle name: optional
- Prefix: e.g. Dr., Prof., Mr., Ms. – optional
- Suffix: e.g. Jr., Sr., III – optional
- Preferred name: optional
- Pronoun: e.g. he/him, she/her, they/them – optional
- Maiden name: optional
Role Details
- Job title: mandatory
- Work email address: mandatory
- Department: optional
- Headline: a short personal or professional tagline – optional
Company Details
Company information is optional and may include:
- Company logo (Card Front Side): PNG or JPG, up to 2 MB – optional
- Company logo (Card Back Side): PNG or JPG, up to 2 MB – optional
- Company name: optional
- Company website: optional
- Company phone number: optional
- Company address: optional
- About: a short company description – optional
- Industry: optional
- Specialties: optional
- Location: company location separate from address – optional
- Company size: optional
Communication Channels
Users may optionally add alternative communication channels to their card:
- Telegram
- Discord
- Line
- Signal
- Email (additional)
- Phone (additional)
Social Media
Users may optionally link their social media profiles:
- YouTube
- X.com (formerly Twitter)
- Behance
- Dribbble
- TikTok
- Snapchat
- Threads
- GitHub
- Patreon
- Spotify
- SoundCloud
- Apple Music
Conferencing and Booking
Users may optionally add links to conferencing or booking platforms:
- Microsoft Teams
- Google Meet
- Zoom
- Webex
- Calendly
- Bookings
Video
Users may optionally add video links to promote their work (e.g. YouTube, Vimeo, or direct video URLs). Multiple video links can be added.
File Upload
Users may optionally upload files to share via their business card (e.g. portfolio, brochure, CV). Accepted formats: JPG, PNG, PDF, up to 2 MB per file. Multiple files can be uploaded.
Card Design Preferences
The following design preferences are stored as part of the card configuration:
- Card theme and template selection
- Corner roundness (Smooth, Modern, Sharp)
- Font selection and font pairing
- Text alignment (Left, Center, Right)
- Logo alignment (Left, Center, Right)
- Primary font colour
- Secondary colour
Display Settings (Visibility Toggles)
Users control which fields are visible on the front and back of their card. The following display toggles are stored per card:
Front Side: Company Logo, Company Name, Full Name, Job Title, Work Email, Company Phone, Company Website, Company Address.
Back Side: Company Logo, Company Name, Full Name, Job Title, Links (max 6, selectable from: Website, Email, LinkedIn, Instagram, and other linked platforms), QR Code.
Card Sharing Methods
The following sharing methods generate or transmit card data:
- QR code – dynamically generated from card data, scannable by other users
- NFC – card data transmitted via near-field communication tap
- Share via link – a unique URL linking to the card profile
- Print card – card data formatted for physical printing (Plus plan feature)
Purpose | Creation, storage, customisation, display, and sharing of the user's digital business card(s) on the Cardixx platform |
Legal Basis | Article 6(1)(b) GDPR – processing is necessary for the performance of the contract (provision of the Cardixx service); Article 6(1)(a) GDPR – consent, for all optional data fields voluntarily added by the user |
Mandatory Fields | First name, last name, job title, work email – required to create a business card. Failure to provide these will prevent creation of a card and use of the core service. |
Optional Fields | All other fields listed above (name extensions, company details, communication channels, social media, conferencing links, videos, files, design preferences) – voluntary. Non-provision does not affect access to core features. |
Multiple Cards | Users may create more than one business card (subject to plan limits). Each card is stored and managed independently and is subject to this same legal basis and retention policy. |
Design Data | Card design preferences (theme, font, colours, layout) are stored solely to render the card correctly and are not used for any other purpose. |
Company Logo Retrieval (Brandfetch)
When a user adds a company name or website to their business card, Cardixx may use an external service called Brandfetch to automatically retrieve the corresponding publicly available company logo. This helps users complete their card without needing to manually upload a logo file.
The company name or website domain entered by the user may be sent to Brandfetch in order to identify and return the matching logo. Brandfetch provides this data via its API based on publicly available brand information.
This feature is used solely to enrich the visual presentation of the business card. It does not involve the processing of sensitive personal data, and the data sent to Brandfetch relates to the company, not the individual user.
Legal Basis: Article 6(1)(f) GDPR – legitimate interest in improving the user experience by automatically populating company branding where available.
For more information on how Brandfetch processes data, please refer to Brandfetch's privacy policy at brandfetch.com/privacy.
3. Purpose of Processing: Wallet (Saving Received Business Cards)
Description
When another user shares their business card with you via QR code, NFC, or link, and the exchange is completed, Cardixx stores a copy of that card in your personal Wallet. The Wallet allows you to manage and revisit your professional contacts, add personal notes, apply tags, and search and filter your saved contacts within the app.
Card Data Stored at Time of Exchange
The Wallet stores all information that the contact had included and set to visible on their business card at the time of exchange. This may include:
- Full name (first name, last name; and optionally middle name, prefix, suffix, preferred name, maiden name)
- Profile picture
- Job title, department, headline
- Work email address
- Company name, company logo (front and/or back side)
- Company website, company phone, company address
- About text (personal bio and/or company description)
- Industry, specialties, company size, location
- Communication channels (WhatsApp, Telegram, Discord, WeChat, Line, Signal, additional email, additional phone)
- Social media profiles (LinkedIn, YouTube, Instagram, Facebook, X.com, Pinterest, Behance, Dribbble, TikTok, Snapchat, Threads, GitHub, Patreon, Spotify, SoundCloud, Apple Music)
- Conferencing and booking links (Teams, Meet, Zoom, Webex, Calendly, Bookings)
- Video links
- Uploaded files (JPG, PNG, PDF)
- QR code (as displayed on the card)
Exchange Metadata
In addition to the card content, Cardixx records the following metadata at the time of exchange:
- Date and time of exchange (e.g. June 25, 2025 at 3:30 PM)
- Location of exchange – the Networking Hub or event where the exchange took place (if the user was checked in at the time)
- Last contact date (updated each time the contact is interacted with)
User-Added Data (Receiver Only)
The user who received the card may add the following personal data to the saved contact. This data is visible only to that user and is not shared with the contact:
- Personal notes – free-text field, date-stamped, updatable and deletable
- Tags – user-defined labels applied to the contact (e.g. Tech, Marketing, B2B, Finance, Design, Development)
Search and Filter Metadata
The following metadata is generated and stored to enable Wallet search and filter functionality:
- Sort preference: Recent, Name, or Company
- Filter by time added: All time, Last 3 months, This month
- Filter by location (hub or event where the card was exchanged)
- Filter by tags applied by the user
Purpose | Storing received digital business cards and associated metadata to enable users to manage their professional contacts, add personal notes and tags, and search their contact list within the Cardixx platform |
Legal Basis | Article 6(1)(b) GDPR – processing is necessary for the performance of the Cardixx service contract; Article 6(1)(f) GDPR – legitimate interest of the user in maintaining an organised digital contact list |
Data Source | Wallet data originates from the contact's own business card as shared at the time of exchange. Cardixx does not independently verify or supplement this data. If the contact updates their card after the exchange, the stored version in the Wallet will not automatically update unless a new exchange takes place. |
User-Added Data | Notes and tags added by the receiver are stored solely for that user's personal contact management. They are never visible to the contact and are not used by Cardixx for any other purpose. |
Retention | Wallet data is retained for the duration of the user's account. Upon account deletion, all wallet data is retained for 1 year and then permanently deleted. |
4. Purpose of Processing: Digital Business ID (Public Profile)
Description
Your Digital Business ID is your public-facing profile on the Cardixx platform. It is visible to other users when you are checked in at a Networking Hub or when your card is shared. It combines your personal and professional information into a unified digital identity.
Mandatory Profile Data
- First name and last name
- Job title
- Work email address
Optional Profile Data
In addition to the mandatory fields, users may choose to add the following optional information to enrich their profile:
- Profile picture
- Company name
- Company logo
- Company website
- Company phone number
- Company address
- Networking intent / tags (e.g., "Pitching an idea", "Looking for a co-founder", "Open to job offers", "Business Partners")
- Short personal or professional bio
Visibility Settings
Users control who can see their Digital Business ID:
- Visible to all users checked in at the same Networking Hub
- Visible when a card is shared via QR code, NFC, or link
- Users may choose to limit visibility or go offline at any time
Purpose | Creating and displaying a unified digital professional identity that can be shared with other users on the platform |
Legal Basis | Article 6(1)(b) GDPR – necessary for performance of the Cardixx networking service; Article 6(1)(a) GDPR – consent, for optional data fields and visibility settings chosen by the user |
User Control | Optional fields are entirely voluntary. Users can update, hide, or delete optional profile data at any time through their account settings. |
5. Purpose of Processing: Personal Profile Analytics
Description
Cardixx provides each user with a personal analytics dashboard showing how their digital business card(s) and profile are performing. Analytics are available in two tiers: a basic overview for Free users and a full analytics dashboard for Plus plan users. This data helps users understand the reach and impact of their professional networking activity.
Basic Analytics (All Users – Dashboard Overview)
- Total card views in the last 30 days (with percentage change vs. previous period)
- Trend graph (total views over time)
Full Analytics (Plus Plan – Analytics Screen)
Plus plan users have access to a comprehensive analytics dashboard covering the following metrics, all shown with month-on-month or week-on-week comparisons:
Performance Metrics
- Total Views – total number of times the card was viewed, compared to last month
- Unique Viewers – number of distinct individuals who viewed the card, compared to last month
- Share Views – number of views generated via shared card links, compared to last month
- Link Clicks – total number of clicks on links within the card, compared to last month
- Exchanges – number of completed card exchanges, compared to last month
- New Connections – number of new contacts added to the Wallet by others after viewing the card, compared to last month
Monthly and Weekly View Trends
- Line graph showing total card views over time (monthly or weekly toggle)
- Per-card breakdown when the user has multiple cards (e.g. My First Card, My Second Card)
Views by Location
- Geographic map showing where card views originated
- Top locations list with view counts (e.g. Vienna, Austria – 67; Lower Austria – 36)
- Available for This Month and This Week
Link Clicks by Type
- Breakdown of which link types were clicked most (e.g. LinkedIn, Website, Instagram, Phone)
- Total clicks count for the period
- Available for This Month and This Week
Viewers Industrial Distribution
- Breakdown of viewers by industry sector (e.g. Venture Capital, Information Technology, Financial Services, Others)
- Shown as percentage distribution
- Available for This Month and This Week
Viewer Insights
- Follow-up Rate – percentage of viewers who viewed the card again after an exchange
- Engagement Rate – percentage of viewers who interacted with card content (reach that converts)
Card Management Actions (processed in relation to analytics)
- Set as Primary Card – designates which card is the default
- Duplicate Card – creates a copy of an existing card
- Delete Card – permanently removes a card and its associated analytics data
Menu and Settings Data
The following account and application preference data is processed when users interact with the Menu and Settings sections:
- Account information displayed: name, email address, current subscription plan
- Default card selection – which card is set as primary
- Sync wallet preference – whether the Wallet is synced across devices
- App theme preference (appearance setting)
- Automatic brightness preference
- Permissions settings – location, notifications, and other device permissions granted to the app
- Notification settings – which types of notifications the user has enabled or disabled
- Import Contacts – if used, contact data from the device address book is processed to import contacts into the Wallet
- Export Contacts – if used, Wallet contact data is exported to a file for the user to download
Purpose | Providing users with insights into the performance of their digital business card(s) and networking activity; storing user account preferences and application settings |
Legal Basis (Analytics) | Article 6(1)(b) GDPR – processing is necessary for the performance of the Cardixx service, specifically the analytics features included in user plans; Article 6(1)(f) GDPR – legitimate interest in enabling users to measure and improve their networking effectiveness |
Legal Basis (Settings) | Article 6(1)(b) GDPR – processing is necessary to provide the app functionality selected by the user |
Legal Basis (Contact Import) | Article 6(1)(a) GDPR – consent; contact import requires explicit user action and device permission. Imported contact data is processed only to populate the Wallet and is not stored on Cardixx servers independently. |
Data Scope | Analytics are generated exclusively from the user's own activity and interactions on the platform. Location data used for 'Views by Location' reflects the geographic origin of card viewers' sessions and is derived from their IP address or device location – it is aggregated and not linked to individual viewer identities. |
Plan Differences | Full analytics (Unique Viewers, Share Views, Link Clicks, Exchanges, New Connections, Location Map, Link Breakdown, Industry Distribution, Viewer Insights) are available to Plus plan users only. Free users see basic total views only. |
Retention | Analytics data and account settings are retained for the duration of the user's account. Upon account deletion, all analytics data is retained for 1 year and then permanently deleted. Card analytics associated with a deleted card are removed within 30 days of card deletion. |
6. Purpose of Processing: Networking
Description
The core networking functionality of Cardixx enables users to discover other professionals nearby, check in to Networking Hubs, signal their networking intent, send and receive connection requests, and communicate via in-app chat. To enable this, Cardixx processes location, presence, and communication data as described below.
Location Data
- Precise geolocation (GPS coordinates) – used to identify the user's position, detect nearby Networking Hubs, and calculate proximity to other checked-in users
- City and district-level location – displayed on the Networking screen (e.g. Penzing, Vienna, Austria)
- Approximate distance to other checked-in users (e.g. 2km away) – shown in connection requests and notifications; precise coordinates are never shared with other users
- Distance to nearby Networking Hubs (e.g. 150m away, 250m away)
Card Selection at Check-In
If a user has created more than one business card, they must select which card (and therefore which professional identity) they wish to use during the networking session. The selected card determines which job title and company name are displayed to other users in the hub.
- Selected card identifier (which card is active during the session)
- Job title and company name of the selected card β displayed to other users
Check-In Data
- Selected Networking Hub name and address
- Hub type (e.g. Public Location, Networking Hub)
- Check-in timestamp (date and time)
- Planned stay duration selected by the user (1hr, 2hr, 3hr, 4hr)
- Live check-in duration counter (time elapsed since check-in)
- Check-in status (active / ended) – visible to other users at the same hub
Networking Intent Data
At check-in, users select their networking intent and may add a free-text message. This information is visible to other checked-in users in the hub:
- Networking intent category (one or more selected): General Networking, Mentoring, Looking for a co-founder, Looking for clients, Pitching an idea, Looking to Invest, Open to job offers, Hiring/Recruiting
- Free-text networking message β max 200 characters (e.g. Looking for a CTO for my fintech startup, Hiring React developers for our team, Seeking Series A investors)
What Other Users See in the Hub
When a user is checked in, the following data is visible to other users in the same Networking Hub. The full business card is NOT shown until a card exchange takes place:
- Job title and company name (from the selected card)
- Networking intent tags
- Free-text networking message
- Time since check-in (e.g. 15 mins ago, 5 hours ago)
Connection Requests and Notifications
- Chat request sent / received (including sender name, title, tags, message, and distance)
- Chat request status: pending, accepted, or denied
- Push notification data: sender name, networking intent, distance, timestamp
Advanced Filter Data
Users may filter other checked-in professionals using the following criteria. Filter preferences are processed to return relevant results and are not stored permanently:
- Maximum distance filter (slider, e.g. up to 1km)
- Looking for filter: Seeking Investment, Mentoring, Business Partners, Looking to Hire, Looking to Invest, General Networking, Seeking Opportunities, Finding Customers
In-App Chat
- Text messages exchanged between connected users
- Message timestamps
- Chat request and conversation history
- Users may delete a conversation at any time – deleted conversations are removed immediately from both parties' views
- Conversations not deleted by the user are automatically deleted by Cardixx after 1 year
Safety Features
- Report and Block actions – if a user reports another user, the report reason (e.g. Harassment) and the reported user identifier are recorded for trust and safety review
- End Conversation action – terminates the chat session
Purpose | Enabling location-based professional networking: discovering nearby professionals, signalling networking intent, facilitating card exchange, in-app communication, and maintaining platform safety |
Legal Basis | Article 6(1)(b) GDPR – processing is necessary for the performance of the Cardixx networking service; Article 6(1)(a) GDPR – consent, for access to device location (requested explicitly at app level) |
Location Consent | Access to precise device location requires explicit user consent via the device operating system (iOS/Android location permission). Users can revoke location access at any time through device settings, which will disable hub discovery and check-in functionality. The rest of the app remains accessible. |
Visibility | Only job title, company name, networking intent tags, free-text message, and time since check-in are visible to other hub users. The full business card is only shared upon a completed QR/NFC/link card exchange. Precise GPS coordinates are never shared with other users. |
Card Selection | The user has full control over which card identity they present during each networking session. This selection is per session and can be changed at each check-in. |
Chat Retention | Chat messages are retained until the user deletes the conversation, or for a maximum of 1 year from the date of the last message, whichever comes first. Deleted conversations are permanently removed. Note: the in-app label 'Conversations will be deleted after 24 hours' refers to a UI display period for message previews in the Messages list, not the actual data retention period. |
Safety Data | Report and block records are retained as long as necessary for trust and safety review and to prevent repeated abuse, in accordance with Cardixx's legitimate interest under Article 6(1)(f) GDPR. |
7. Purpose of Processing: Networking Hub Profile
Description
Coworking spaces, business cafes, restaurants, hotel lounges, event organizers, and other venue operators (Networking Hub operators) can apply to register their space on the Cardixx platform. Once approved and contracted, the hub receives a public profile in the Cardixx app and on the Cardixx website, enabling professionals to discover, check in to, and network at the space. Each Networking Hub operates under an individual written contract agreed between Cardixx and the hub operator, which specifies the contract duration, pricing, data collected, and services provided.
A. Hub Application Data
When a venue applies to become a Networking Hub, the following data is collected as part of the application process:
Venue Location and Identity
- Venue location selected via map pin drop or address search (auto-filled from map data)
- Venue name
- Venue type (e.g. Cafe, Restaurant, Co-working Space, Hotel Lounge, Networking Cafe)
- Short description of the venue
Venue Address
- Country
- City / District
- State / Province
- Address Line 1
- Address Line 2 (optional)
- ZIP / Postal Code
Contact Person Details
- First name
- Last name
- Phone number
- Email address
Venue Signage Photo
- Exterior photo of the venue where the venue name is clearly readable – submitted for verification purposes
Upon submission of the application, Cardixx reviews the details and conducts an online meeting with the applicant. A written contract is then prepared and signed individually with each hub. The contract governs the terms of the relationship, including data processing, pricing, and services.
B. Hub Profile Data (Post-Approval)
Once approved, hub operators can manage their profile via the Hub Settings in the app. Any changes to the profile must be submitted as update requests, which are reviewed and applied by the Cardixx team.
Hub Details
- Venue name
- Venue type
- Short description
Hub Address
- Country, City/District, State/Province, Address Line 1, Address Line 2 (optional), ZIP/Postal Code
Contact Information
- Venue website
- Venue phone number
- Instagram handle
- Additional social media profiles: Facebook, X.com, Pinterest, Behance, Dribbble, TikTok, Snapchat, Threads, GitHub, Patreon, Spotify, SoundCloud, Apple Music
Amenities
Hub operators may specify which amenities their venue offers, grouped as follows:
- Workspace: Wi-Fi, Private desks, Meeting rooms, Power outlets, Phone booths, Quiet Zone
- Comfort and Space: Pet Friendly, Lounge Area, Outdoor Seating, Air Conditioning
- Food and Drink: Vegan Options, Vegetarian Options, Specialty Coffee, Full Bar
- Accessibility: Wheelchair Accessible, Free Parking, Bike Parking
Business Hours
- Open/closed toggle per day of the week (Monday through Sunday)
- Opening and closing times per day (e.g. 09:30 to 20:00)
Hub Photos
- Up to 6 photos: 1 main photo and up to 5 additional photos
- Photos are submitted as update requests and reviewed by Cardixx before publication
Pricing
- Price range displayed on the public profile (e.g. EUR 20 to EUR 50)
C. Public Hub Profile
The hub profile is publicly visible in the Cardixx app and on the Cardixx website (cardixx.com/hub/[hub-name]). The hub receives a Verified Networking Hub badge. The following data is displayed to all app users and website visitors:
- Hub name, venue type, short description
- Verified Networking Hub status badge
- Photos gallery (up to 6 photos)
- About section: description text
- Services section: pricing range, working hours per day, amenities list
- Contact sidebar: phone, email, website, address, map, social media links (WhatsApp, Instagram and others if provided)
- Open Now / Closed status
- Get Directions button (links to external maps)
- Contact button
- Comments section: publicly visible reviews left by app users (including reviewer job title, review type, review text, and date)
D. Hub Analytics – App
Hub operators have access to an in-app analytics dashboard. All analytics are aggregate and do not identify individual users. The following metrics are provided:
Hub Traffic
- Weekly Check-ins: total number of user check-ins during the week, with percentage change vs. last week
- Average Stay Duration: estimated average time visitors spend at the hub, based on check-in data, with percentage change vs. last week
- Total App Visitors: number of unique users who viewed the hub profile in the app, with percentage change vs. last month
- Returning Visitors: number of users who visited the hub more than once, with percentage change vs. last month
Activity Trends
- Peak and Quiet Hours: graph showing the busiest and least busy times of day based on check-in timestamps
- Check-in by Day: daily breakdown of check-in activity throughout the week
- Peak Check-in Window: the busiest two-hour block of the day (e.g. 14:00 to 16:00)
Networking and Engagement
- Profiles Viewed: number of professional profiles viewed by users while checked in at the hub, with percentage change vs. last week
- Cards Exchanged: number of digital business cards exchanged by users while at the hub, with percentage change vs. last week
Top Interactions
- Breakdown of the most frequent actions taken by users on the hub profile: Get Directions, Photo Gallery, Contact/Call – with individual click counts
Visitors Insights
- Visitors Engagement Rate: percentage of users who actively interacted with the hub profile
Audience Demographics
- Visitors Job Titles: breakdown of the professional roles of users who visited the hub profile (e.g. Sales Representative 36%, Marketing Manager 18%) – shown as aggregated percentage distribution, no individual identification
E. Hub Analytics – Web
Hub operators also have access to web analytics for their dedicated Cardixx webpage. All web analytics are aggregate. The following metrics are provided:
Web Overview
- Total Page Views: total number of times the hub webpage has been viewed, with percentage change vs. last week
- Unique Visitors: number of distinct individuals who visited the webpage, with percentage change vs. last week
- Total Clicks: overall number of clicks made by visitors, with comparison vs. last week
- Average Time on Page: average duration a visitor spends on the page before leaving
- Bounce Rate: percentage of visitors who left without clicking any links or taking any action
- Returning Visitors: number of users who visited the webpage more than once, with percentage change vs. last month
Conversion Insights
- Conversion Rate: percentage of visitors who completed a desired action (e.g. getting directions or contacting the hub)
Traffic Trends
- Web Traffic graph: daily timeline comparing page views and user interactions on the webpage
- Peak Traffic Hours: the most visited hours of the day on the webpage
Behavior and Acquisition
- Top Interactions: most frequent actions visitors take on the webpage – Get Directions, Photo Gallery, Contact/Call – with click counts
- Traffic Sources: breakdown of how visitors arrived at the webpage – Direct (%), Google Search (%), Social Media (%)
Audience Demographics
- Visitors by Location: geographic regions and cities where webpage visitors are located (e.g. Vienna 67, Lower Austria 36, Upper Austria 21)
F. Hub Menu and Account Data
The following data is processed in connection with the hub operator account and settings:
- Hub operator account: name, email address, current subscription plan (Networking Hub)
- Manage subscription: subscription status and plan management
- Hub Analytics access: the operator views aggregated hub performance data as described above
- Contact Hub support: support requests submitted by the hub operator
- Send feedback: feedback messages submitted by the hub operator
G. Contractual Basis and Termination
Each Networking Hub operates under an individual written contract between Cardixx and the hub operator. The contract specifies: contract duration, subscription price, data categories collected and processed, services provided by Cardixx, and termination conditions. Termination of the hub relationship is governed exclusively by the terms of the individual contract. Upon termination, the hub profile is removed from the Cardixx app and website, and hub data is handled in accordance with the contract and applicable retention obligations.
Purpose | Processing hub application data; creating and displaying a public Networking Hub profile in the Cardixx app and website; providing hub operators with app and web analytics to understand visitor activity; managing the hub operator account and contractual relationship |
Legal Basis (Application) | Article 6(1)(b) GDPR – processing is necessary for steps taken prior to entering into a contract at the request of the hub operator |
Legal Basis (Profile and Analytics) | Article 6(1)(b) GDPR – processing is necessary for the performance of the individual Networking Hub contract |
Legal Basis (Contact Person Data) | Article 6(1)(b) GDPR – the contact person data is necessary to manage the contractual relationship with the hub operator |
Public Data | Hub name, type, description, address, hours, photos, amenities, pricing, contact details, and comments are publicly accessible in the Cardixx app and on the Cardixx website once the hub is live. |
Individual Privacy | All hub analytics (app and web) are aggregate and anonymised. Individual user identities, names, and personal data are never disclosed to hub operators. Job title and location data shown in audience demographics are aggregated percentage distributions only. |
Comments | Comments left by app users on the hub public page are visible to all website and app visitors. They include the reviewer job title, review type, and review text. No personal name or contact detail of the reviewer is displayed publicly. |
Update Process | Changes to hub profile data are submitted as update requests and reviewed by Cardixx before being applied. This review process ensures data accuracy and quality on the public profile. |
Termination | Upon termination of the Networking Hub contract, the hub profile is unpublished and hub data is retained or deleted in accordance with the individual contract terms and applicable legal retention obligations. |
Retention | Hub profile and analytics data is retained for the duration of the active Networking Hub contract. Upon contract termination, all hub data is permanently deleted within a maximum of 1 month. Payment records and invoices are retained for 7 years in accordance with Austrian tax law (§ 132 BAO) regardless of contract termination. |
8. Purpose of Processing: Payment
Description
Cardixx offers both free and paid subscription plans. Payment processing applies to users on the Plus Plan (B2C), Teams and Teams Pro plans (B2B), and the Networking Hub plan (B2B). Cardixx uses third-party payment service providers to handle all payment transactions securely.
Payment Methods Accepted
- Credit card (Visa, Mastercard, American Express)
- Debit card
- Apple Pay
- Google Pay
Payment Data Processed
- Selected subscription plan and billing cycle
- Invoice information (name, billing address)
- Transaction reference and confirmation number
- Payment status (successful, failed, pending)
- Subscription start and renewal dates
Data NOT Stored by Cardixx
Cardixx does not store full payment card details (card number, CVV, expiry date) on its own systems. All sensitive payment data is processed and stored exclusively by our certified payment service provider in compliance with PCI-DSS standards.
Free Plan Users
Users on the Free Plan do not provide any payment data. No payment information is collected, stored, or processed for free accounts.
Purpose | Processing subscription payments for paid Cardixx plans (Plus, Teams, Teams Pro, Networking Hub) |
Legal Basis | Article 6(1)(b) GDPR – processing is necessary for the performance of the subscription contract; Article 6(1)(c) GDPR – compliance with legal obligations (invoicing, tax records) |
Payment Processor | Payment card data is handled exclusively by our third-party payment service provider (PCI-DSS compliant). Cardixx receives only transaction confirmation and billing reference data. |
Retention | Payment records and invoices are retained for 7 years in accordance with Austrian commercial and tax law (§ 132 BAO). |
9. Purpose of Processing: Visiting the Cardixx Website
Description
When you visit the Cardixx website (www.cardixx.com), including the dedicated Networking Hub pages hosted on the Cardixx domain, certain data is automatically collected by our web infrastructure and analytics tools.
Automatically Collected Tracking Data
- IP address (anonymized after processing)
- Browser type and version
- Operating system
- Device type (desktop, tablet, mobile)
- Referrer URL (the page you visited before arriving at cardixx.com)
- Pages visited and navigation path
- Date and time of visit
- Time spent on pages
- Click interactions (buttons, links, CTAs)
- Session duration
Cookies and Tracking Technologies
- Essential cookies – required for the website to function correctly (session management, security)
- Analytics cookies – used to understand how visitors interact with the website (e.g., Google Analytics or equivalent, with IP anonymization enabled)
- Marketing/tracking cookies – only placed with explicit user consent via the cookie consent banner
Purpose | Operating and improving the Cardixx website; understanding visitor behaviour to optimize content and user experience; measuring marketing effectiveness |
Legal Basis (Essential) | Article 6(1)(f) GDPR – legitimate interest in operating a functional and secure website |
Legal Basis (Analytics) | Article 6(1)(f) GDPR – legitimate interest in understanding website usage; where required by national law (e.g., ePrivacy Directive), consent is obtained via the cookie banner |
Legal Basis (Marketing) | Article 6(1)(a) GDPR – explicit consent via the cookie consent banner |
Cookie Management | Users can manage their cookie preferences at any time via the cookie settings available on the website. Withdrawing consent does not affect the lawfulness of prior processing. |
Retention | Web analytics data is retained for a maximum of 14 months before aggregation or deletion. |
10. Purpose of Processing: Newsletter
Description
Cardixx may send marketing newsletters and product update emails to users who have opted in. Newsletter delivery and tracking are handled via a third-party email marketing platform.
Data Collected for Newsletter
- Email address
- First name (for personalisation, if provided)
- Subscription date and opt-in confirmation record
- Preferred language (if applicable)
Tracking Data via External Platform
- Email open rate (whether the email was opened)
- Click-through rate (which links within the email were clicked)
- Unsubscribe actions and date
- Bounce status (invalid or unreachable email addresses)
- Device and email client used to open the newsletter (aggregated)
External Platform
Newsletter delivery and tracking are carried out through a certified third-party email marketing service provider (e.g., Mailchimp, Brevo, or equivalent). This provider processes email addresses and engagement data on behalf of Cardixx under a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
Purpose | Sending marketing communications, product updates, and networking tips to users who have opted in to the Cardixx newsletter |
Legal Basis | Article 6(1)(a) GDPR – explicit consent (double opt-in). Consent is freely given, specific, informed, and unambiguous. |
Opt-Out | Users can unsubscribe at any time by clicking the unsubscribe link in any newsletter email or by contacting info@cardixx.com. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal. |
Tracking | Email engagement tracking (open rates, clicks) is carried out via pixel tracking embedded in the email. This tracking is subject to the user's email client settings and consent. |
Retention | Newsletter subscription data is retained until the user unsubscribes. Upon unsubscribe, the email address is removed from the active list within 30 days. Opt-in records are retained for compliance purposes for 3 years. |
11. Recipients and Categories of Recipients
Cardixx does not sell personal data to third parties. Personal data may be shared with the following categories of recipients, strictly for the purposes described in this document:
Category | Description / Purpose |
Payment Service Providers | Processing subscription payments securely (PCI-DSS compliant). They receive only transaction-relevant data. |
Cloud Infrastructure Providers | Hosting, storage, and operation of the Cardixx platform and database infrastructure. Providers act as data processors under Article 28 GDPR. |
Email Marketing Platforms | Delivering newsletters and transactional emails (e.g., OTP verification, account notifications). Subject to Data Processing Agreements. |
Analytics Providers | Website and app analytics to measure usage and improve the service (e.g., anonymized web traffic data). |
Authentication Providers | Apple and Google OAuth services, when users choose to sign in via Apple or Google. These providers process authentication data under their own privacy policies. |
Other Users of the Platform | Business card data (as selected by the user) is shared with other Cardixx users during networking interactions (card exchange, check-in visibility). This is core to the service. |
Networking Hub Operators | Aggregate, anonymized analytics about check-in activity at their hub. Individual user identities are never disclosed to hub operators. |
Legal / Regulatory Authorities | Where required by applicable law, court order, or regulatory obligation, personal data may be disclosed to competent authorities. |
Brand Data Provider (Brandfetch) | Automatically retrieves publicly available company logos based on the company name or website provided by the user, to enrich business card display. Brandfetch processes only company-related data, not individual personal data. |
All third-party service providers acting as data processors are bound by Data Processing Agreements (DPAs) in accordance with Article 28 GDPR. Where data is transferred outside the European Economic Area (EEA), Cardixx ensures appropriate safeguards are in place (e.g., Standard Contractual Clauses).
12. Retention Periods
Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The following retention periods apply:
Individual User Accounts
Data Category | Retention Period |
Account and profile data (business cards, digital business ID, personal website) | For the duration of the active user account. Upon account deletion, all account and profile data is retained for 1 year from the date of deletion, after which it is permanently and irreversibly deleted. |
Authentication data (email, OAuth tokens) | For the duration of the active user account. Deleted at the end of the 1-year post-deletion retention period. |
Wallet data (saved contacts, notes, tags) | For the duration of the active user account. Deleted at the end of the 1-year post-deletion retention period. |
Networking data (check-ins, networking intent, chat history) | For the duration of the active user account. Chat messages are deleted after 1 year of inactivity or upon user deletion of the conversation, whichever is earlier. Location session data is not retained beyond the active session. All remaining networking data is deleted at the end of the 1-year post-deletion retention period. |
Personal analytics data | For the duration of the active user account. Deleted at the end of the 1-year post-deletion retention period. |
Personal website (public profile) | Taken offline immediately upon account deletion. Data deleted at the end of the 1-year post-deletion retention period. |
Payment records and invoices (individual users) | 7 years, in accordance with Austrian commercial and tax law (§ 132 BAO). This retention obligation applies regardless of account deletion. |
Website analytics data | Maximum 14 months, then aggregated or deleted. |
Newsletter subscription data | Until unsubscribe. Opt-in records retained 3 years for compliance purposes. |
Networking Hub Accounts
Data Category | Retention Period |
Hub profile data (name, address, description, photos, amenities, hours) | For the duration of the active Networking Hub contract. Upon contract termination, the hub profile is unpublished immediately and all hub profile data is permanently deleted within a maximum of 1 month from the termination date. |
Hub analytics data (app and web) | For the duration of the active Networking Hub contract. Permanently deleted within a maximum of 1 month from the termination date. |
Hub application data (contact person details, venue signage photo) | Retained for the duration of the contract and deleted within 1 month of contract termination. |
Payment records and invoices (Networking Hubs) | 7 years, in accordance with Austrian commercial and tax law (§ 132 BAO). This retention obligation applies regardless of contract termination. |
Hub comments (public reviews on hub page) | Removed from public display upon hub termination and deleted within 1 month of contract termination. |
Legal / compliance records | As required by applicable law, up to 10 years. |
After the applicable retention period, personal data is securely and permanently deleted or irreversibly anonymised so that it can no longer be attributed to an identified or identifiable individual.
The 1-year post-deletion retention period for individual user accounts is applied to allow for account recovery requests, dispute resolution, and compliance purposes. During this period, the data is not actively used and is not accessible to other users or third parties. Users who wish to request immediate deletion of their data before the end of this period may do so by contacting info@cardixx.com, and Cardixx will assess such requests in accordance with applicable GDPR obligations.
13. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data processed by Cardixx:
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed, and if so, to receive a copy of that data along with supplementary information about the processing.
- Right to Rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal data or the completion of incomplete personal data without undue delay.
- Right to Erasure / Right to be Forgotten (Art. 17 GDPR): You have the right to request the deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, where you withdraw consent (and no other legal basis applies), or where the data has been unlawfully processed.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while you contest the accuracy of the data or have objected to processing.
- Right to Object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data where processing is based on legitimate interests (Art. 6(1)(f) GDPR). Cardixx will cease processing unless it can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to Data Portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
- Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of the above rights, please contact us at: info@cardixx.com
We will respond to your request within 30 days. In complex cases, this period may be extended by a further two months, of which we will inform you.
14. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR.
The competent supervisory authority for Cardixx e.U. is:
Authority | Austrian Data Protection Authority (Datenschutzbehörde – DSB) |
Address | Barichgasse 40-42, 1030 Vienna, Austria |
Website | |
Phone | +43 1 52 152 0 |
You also have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
15. Statutory or Contractual Requirement to Provide Personal Data
The provision of certain personal data is a contractual requirement necessary to use the Cardixx service. The following applies:
Data Type | Requirement and Consequence of Non-Provision |
First name, last name, job title, work email | Mandatory to create a Cardixx account and digital business card. Without this data, the service cannot be provided. |
Email address (for authentication) | Mandatory when registering via email. Without it, account creation via this method is not possible. Alternative: sign in via Apple or Google. |
Location data (for networking) | Required to use the location-based networking features (hub check-in, nearby professional discovery). Without location permission, these features will not function. The app remains usable for card management without location access. |
Payment data (for paid plans) | Required only for paid subscription plans. The Free Plan requires no payment data. Failure to provide payment data means the paid subscription cannot be activated. |
Newsletter email address | Voluntary. Required only if the user wishes to receive the Cardixx newsletter. Non-provision has no effect on app functionality. |
Optional profile fields (company details, photo, etc.) | Voluntary. Non-provision does not affect access to core features but may limit profile visibility and networking effectiveness. |
There is no legal statutory obligation to provide personal data to Cardixx. All data provision requirements are contractual, arising from the user's choice to use the Cardixx platform.
16. Purpose of Processing: Content Management
Description
Cardixx processes personal data in connection with the management of user-generated and platform content. This covers the creation, storage, modification, and deletion of content across four key categories within the platform.
Category 1 – Business Card Content
All data entered by the user to create and customize their digital business card(s), including text fields, visual elements (profile photo, company logo), and card design selections. Multiple card versions and templates are stored to allow users to manage and update their cards over time.
Category 2 – Networking Hub Content
Content submitted by Networking Hub operators to create and maintain their hub profile, including hub name, description, photos, contact details, and service listings. This content is stored and displayed publicly in the Cardixx app and on the Cardixx website.
Category 3 – Event Content
Content created by users or hub operators when creating and managing business networking events on the platform. This includes event name, description, date, time, location, organizer details, and attendee check-in data associated with the event.
Category 4 – Communication Content
In-app messages and chat content exchanged between users via the Cardixx platform. This includes text messages, chat request history, and message timestamps.
Content Management Processes
- Creation – users and hub operators submit content via the app or web interface
- Storage – content is stored on Cardixx's secure cloud infrastructure
- Display – content is rendered within the app and/or on the Cardixx website as applicable
- Modification – users and hub operators can edit their own content at any time
- Deletion – users can delete their own content; account deletion triggers deletion of all associated content (subject to retention obligations)
Purpose | Managing, storing, displaying, and enabling modification or deletion of user-generated and platform content across business cards, hub profiles, events, and communications |
Legal Basis | Article 6(1)(b) GDPR – processing is necessary for the performance of the Cardixx service contract; Article 6(1)(f) GDPR – legitimate interest in maintaining platform integrity and enabling content management functionality |
User Control | Users retain full control over their own content and can edit or delete it at any time through the app or by contacting info@cardixx.com. Hub operators can manage hub content via the Networking Hub dashboard. |
Retention | Content is retained for the duration of the user's account or Networking Hub subscription. Upon individual account deletion, content is retained for 1 year and then permanently deleted. Upon Networking Hub contract termination, all hub content is permanently deleted within 1 month. |
This document was last updated: June 2026
Cardixx e.U. · info@cardixx.com · www.cardixx.com · Vienna, Austria