Privacy

vcardonce processes only the minimum data required to create, publish, and share your digital business card. We do not run tracking or advertising. This page explains what we collect, why, who processes it, and how you can exercise your rights under the GDPR and the UK GDPR.

Data controller

vcardonce is operated by Black Sheep Digital Ltd, a company registered in England and Wales (Company No. 16989285), with registered address at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

For any data-related enquiries, contact hello@blacksheepdigital.co.

Data we process

• Account email — used to authenticate you (email link or Google OAuth) and to associate your card and purchases with your account.
• Card content you enter — name, job title, company, bio, contact details, social and website links, optional avatar and logo images. This content is published at your chosen public URL when you mark the card as published.
• Payment metadata (transaction ID, plan, amount, status, Stripe customer ID) returned by Stripe. We never see or store your card number.
• Aggregate view count per card — a single counter, not per visitor.
• Minimal technical logs for security, reliability, and abuse prevention.

How we use it

We use your data to operate the service: store and render your card, generate its QR code, accept payments, send service emails (sign-in links, purchase confirmations), and enforce your plan limits.

We do not build behavioural profiles, do not use your data for marketing, and do not sell or share data for advertising.

Legal bases (GDPR / UK GDPR)

• Performance of contract — providing the service you signed up for.
• Legitimate interest — aggregate, non-identifying view counts and security logging.
• Legal obligation — retaining payment records for accounting and tax.

How sign-in works

vcardonce uses email-link and Google OAuth sign-in via our authentication provider. We do not store passwords. Your email address is used solely to deliver access links and essential service notifications.

Public profiles

When you publish a card it is reachable at a public URL (/c/<slug>) so it can be shared and so link previews unfurl when you share the URL. Public profile pages are served with a noindex meta tag by default and are not added to search engines unless you opt in.

Hosting

Our backend infrastructure is provided by Lovable Cloud and hosted in the European Union. Application traffic is served via a global CDN with EU-region origin.

Cookies and analytics

We do not use advertising cookies.

We do not use third-party tracking analytics. Any cookies used are strictly necessary for sign-in and service functionality.

Sub-processors

We share data only with the infrastructure providers required to operate the service:

• Lovable Cloud (EU) — hosting, database, authentication.
• Stripe — payment processing.
• Lovable Cloud email — transactional email delivery.
• Google — only if you choose to sign in with Google OAuth.

We do not sell personal data.

International transfers

Where personal data is transferred outside the UK or EEA (for example to Stripe), the transfer relies on appropriate safeguards such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

Retention

Card content and account data are retained for as long as your account exists. You can edit or unpublish your card at any time, and delete your account on request. Payment records are retained for the period required by applicable accounting and tax law. Technical logs are retained for a short period and then discarded.

Security

All connections use HTTPS encryption. Data is stored in row-level-secured tables, accessible only to your authenticated session or to operator-side administrative access.

Your rights

You have the right to request access, rectification, erasure, restriction, portability, and to object to processing, by writing to hello@blacksheepdigital.co. You also have the right to lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ICO).

Children

vcardonce is not directed to children under 16 and we do not knowingly collect their personal data.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected by an updated effective date below.