Data Controller
Gainback GmbH
Business Address: Falkenstein 16a, 97499 Donnersdorf, Germany
Contact Email Address: dhairya@caard.net
1. Preamble
This Privacy Policy explains how Gainback GmbH (hereinafter referred to as “we,” “our,” or “the Company”) collects, processes, and protects personal data when you use the CAARD App. All terms are gender-neutral.
As CAARD is a product/service offered under Gainback GmbH, all legal responsibilities, including data protection compliance, are managed by Gainback GmbH.
2. Data Controller
Gainback GmbH
Business Address: Falkenstein 16a, 97499 Donnersdorf, Germany
Contact Email Address: dhairya@caard.net
If you have questions or concerns about this Privacy Policy or how we process your data, please contact us via the email provided above.
3. Data Collection and Processing
3.1 Types of Data Collected
- Personal Information: Full name, email address, phone number, company details.
- Usage Data: IP address, device model, operating system, app interactions, access times.
- Location Data: Geographic location (if enabled by the user).
- Media Access: Camera, photo library, and file manager (with explicit consent).
- Microphone Access: Audio data for speech-to-text functionalities (with explicit consent).
- Payment Data: Managed via Apple Pay and Google Pay.
- NFC Data: NFC tag scans, device identifiers, encrypted interaction logs.
3.2 How Data is Collected
- Direct Input: During registration, form completion, or content uploads.
- Automated Tracking: Analytics tools (e.g., Firebase Analytics).
- NFC Interactions: Scanning NFC tags.
- Device Permissions: Location, camera, photo library, file manager, microphone, NFC access.
3.3 Purpose of Data Collection
- Service Provision: To enable core functionalities of the CAARD App.
- Payment Processing: Secure transactions via Apple Pay and Google Pay.
- Location-Based Services: Personalized services based on your location.
- Media and Audio Features: Facilitating features that require camera, photo library, file manager, or microphone access.
- Security and Fraud Prevention: Ensuring platform integrity.
- User Engagement: Push notifications and updates.
- Service Improvement: Analyzing user behavior to improve app performance.
- NFC Functions: Secure NFC interactions.
4. Device Permissions and Data Access
4.1 Location Permission (Optional)
Location data is used only if you enable location-based services. Granting location permission is optional, and the app does not use location data for tracking purposes.
4.2 Photo Library and File Manager Access (Optional)
Used for uploading profile pictures or managing image-related features. Access to the file manager allows you to upload images from your device's storage.
4.3 Camera Access (Optional)
Used for profile photos, QR code scans, and app-specific features.
4.4 Microphone Access (Optional)
Used for speech-to-text functionalities within the app. Audio data is processed in real time using your device's built-in speech recognition services.
- On Android: Utilizes Google's speech recognition service.
- On iOS: Utilizes Apple's Speech framework (SFSpeechRecognizer).
4.5 NFC Data Processing
NFC tags are scanned securely. No sensitive data is stored on NFC tags. All NFC interactions are encrypted.
Note: Permissions are optional but may limit app functionality if denied. You can revoke permissions anytime in your device settings.
5. Data Processing Location and Retention
5.1 Processing Location
User data is processed exclusively within data centers located in the European Union (EU). We ensure full compliance with GDPR for all data processing activities. No data is transferred outside the EU.
5.2 Data Retention
User data is retained only as long as necessary for its intended purpose or as required by applicable laws. After the retention period, all data is securely anonymized or deleted.
6. Data Sharing with Third Parties
We share personal data with trusted third-party providers for smooth operation, analysis, and service delivery. All data processing activities are strictly confined to the functionalities of the CAARD App.
6.1 Third-Party Services:
- Google Analytics for Firebase: App analytics and performance monitoring (Privacy Policy).
- Google Maps API: Location-based services (Privacy Policy).
6.2 NFC Data Sharing:
- All NFC interactions are encrypted.
- Sensitive personal data is not stored on or shared via NFC tags.
Note: We do not sell or rent your personal data to third parties.
7. Payment Processing
All financial transactions within the CAARD App are securely processed via:
7.1 Processed Data for Payments:
- Payment details (e.g., card number, expiration, CVV).
- Billing address information.
We do not store any payment details. All payment information is processed through secure, PCI-DSS-compliant third-party providers.
8. User Rights
As a user of CAARD, you are entitled to the following rights under the General Data Protection Regulation (GDPR):
- Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and relevant information.
- Right to Rectification (Art. 16 GDPR): You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay.
- Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data. Upon such a request, we will permanently erase your data from our systems, provided there is no legal obligation or overriding legitimate interest to retain it.
- Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing your personal data under certain conditions.
- Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance.
- Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you.
- Right to Lodge a Complaint (Art. 77 GDPR): If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority in your country of residence or where the alleged violation occurred.
Data Deletion Process
If you choose to delete your CAARD profile or account, please be aware of the following:
- Soft Deletion: When you delete your CAARD profile or account, your data will be deactivated and no longer accessible to you or others. However, we retain your data for 90 days to prevent fraudulent activity, ensure security, and allow for account recovery in case of accidental deletion.
- Permanent Deletion: After the 90-day retention period, your data will be permanently erased from our systems unless required for legal compliance, dispute resolution, fraud prevention, or enforcing our Terms of Service.
- Legal Basis for Retention: Our retention of data for 90 days is based on our legitimate interest (Art. 6(1)(f) GDPR) in preventing fraud, ensuring security, and allowing users to recover their accounts if deleted accidentally. After this period, data is permanently deleted unless required for legal or compliance reasons.
- Immediate Deletion Request: If you wish to have your data permanently deleted before the 90-day period, you can submit a request to our support team. We will process your request in accordance with GDPR’s Right to Erasure.
- Processing Time for Deletion Requests: We will process permanent deletion requests within 30 days in compliance with GDPR timelines.
Third-Party Data Processing
Some of your data may be processed by third-party service providers (such as hosting services, payment processors, and analytics tools) who act as data processors under GDPR.
We ensure that all third-party service providers handling your data comply with GDPR regulations and use appropriate security measures to safeguard your personal information.
Exercising Your Rights
To exercise any of your rights, including the permanent deletion of your data, please contact us at:
dhairya@caard.net
We will respond to your request without undue delay and in accordance with GDPR requirements.
9. Push Notifications
- Sent only with your consent.
- You can revoke consent anytime via device settings.
10. Data Security
We employ robust technical and organizational measures to ensure your data remains secure:
- SSL/TLS Encryption: For secure data transmission.
- Access Control: Restricted access for authorized personnel.
- Regular Audits: Continuous review of security protocols.
11. Changes to this Privacy Policy
We may update this Privacy Policy periodically. Significant updates will be communicated to users. Please review this page regularly for any changes.
12. Contact Information
For questions, complaints, or concerns regarding this Privacy Policy, please contact us:
- Gainback GmbH
- Business Address: Falkenstein 16a, 97499 Donnersdorf, Germany
- Contact Email Address: dhairya@caard.net