Privacy Policy

Last updated: June 4, 2026

Who we are

KOCard is a digital business card service. KOCard is currently operated as a sole project and is not yet incorporated. This policy works alongside our Terms of Service. For privacy questions, email hello@ko-card.app.

Data we collect from account holders

When you create an account:

  • Email address (for sign-in and notifications).
  • If you sign in with Google: your name and email from your Google profile, returned by Google's OAuth flow.
  • Profile fields you enter: display name, headline, bio, company, job title, phone number, public email, photo, slug, timezone.
  • Subscription state: Stripe customer ID, plan, period end date.
  • An HttpOnly session cookie so you stay signed in.

Data we collect from public visitors to your card

When your QR code is scanned or someone visits your /u/{slug} page:

  • Approximate country (derived from request headers at the edge).
  • Device kind (mobile, desktop, or bot).
  • For QR scans: which link the visitor came through.
  • For link clicks on a profile: device kind only.

We do not store IP addresses anywhere — not in our database, not in logs, not in error reports. Country and device kind are derived at the edge from request headers and the IP is discarded.

When someone fills out the “Reach out” form on a Pro profile, we collect what they type: name, an email or phone, and an optional note. This is shared with the profile owner (the lead recipient).

On the marketing site only, we use Plausible Analytics, which is cookieless and does not store IP addresses.

How we use it

To operate KOCard: render your public page, log scans for your analytics, deliver leads to your inbox, send emails you've opted into (per-event notifications, weekly digest, drip, billing), prevent abuse, and process payments.

Third parties we share data with

We use third-party processors to run the service:

Processor  What                                    Where
Supabase   Database, authentication, file storage  United States
Stripe     Payment processing                      United States
Resend     Outbound transactional email            United States
Vercel     Application hosting                     United States
Upstash    Rate-limiting (Redis)                   Multi-region
Sentry     Error tracking                          United States
Axiom      Application logs                        United States
Plausible  Marketing-site analytics (cookieless)   European Union
Google     OAuth sign-in (only if you choose it)   United States

We do not sell your data. We do not share it for advertising.

Retention

  • Account data: retained until you delete your account.
  • Account deletion: immediate and permanent. When you confirm deletion in Settings, your profile, links, QR token, scan history, link clicks, lead submissions, notification preferences, and slug history are removed and your QR stops working at once. Any active Pro subscription is canceled with Stripe in the same step so you are not billed again. There is no grace period and no restore; deletion cannot be undone.
  • Scan and link-click events: 90 days from the event.
  • Stripe records: retained as required by tax and financial law.

Your rights

You can access your profile and data anytime in the dashboard, correct it by editing, delete it via Settings → Delete Account, and export your leads as CSV from /dashboard/leads. Residents of the EU/UK have rights under GDPR; residents of California have rights under CCPA. Email us to invoke either.

Cookies

We use only the authentication session cookie (HttpOnly, Secure). We do not use analytics, advertising, or tracking cookies. The marketing site uses Plausible, which is cookieless.

Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect your information. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. If a security breach affecting your personal information occurs, we will notify affected users as required by applicable law.

International transfers

Our infrastructure is primarily based in the United States. By using KOCard you consent to your data being processed in the United States.

Children

KOCard is not intended for users under 13. We do not knowingly collect data from children under 13.

Changes

We may update this policy. The “Last updated” date at the top will change. We will email active users about material changes.

Contact

hello@ko-card.app