Privacy Policy

Last updated: 18 April 2026

BCard ("BCard", "we", "us", or "our") respects your privacy. This Privacy Policy explains what personal data we collect when you use bcard.qa, our mobile experiences, NFC-enabled physical cards, and wallet passes (together, the "Service"), how we use it, who we share it with, and the rights you have over it.

By using the Service you agree to the practices described here. If you do not agree, please do not use the Service.

1. Who we are

BCard is a digital business card platform operated from Doha, Qatar. We comply with the Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016, "PDPPL") and, where the Service is offered to users in the European Economic Area or the United Kingdom, with the EU General Data Protection Regulation ("GDPR") and the UK GDPR.

Data controller contact: [email protected].

2. Information we collect

2.1 Information you give us

  • Account data — name, email, password (hashed), phone number, profile photo.
  • Card content — full name, job title, company, biography, contact details, social links, and any other information you choose to publish on a card.
  • Payment data — billing name, address, and the last four digits of your card. Full card numbers and CVVs are handled exclusively by our payment processor, Stripe, and are never stored on our servers.
  • Order data — shipping address and phone number when you order a physical NFC card.
  • Support communications — any message you send to support, which we keep to improve the Service.

2.2 Information collected automatically

  • Device & usage data — IP address, browser type, operating system, device type, referring URL, pages viewed, and timestamps.
  • Card analytics — when a visitor views a card, taps a contact link, saves the card to a wallet, or scans the QR code, we record an aggregated event together with the approximate city-level location derived from the visitor's IP. Individual visitors are not identified.
  • Cookies and similar technologies — see Section 8.

2.3 Information from third parties

  • Social sign-in — if you sign in with Google, we receive your name, email, and profile photo from Google.
  • Payment confirmations — Stripe shares transaction status and tokenised identifiers with us to process subscriptions.

3. How we use your information

We use personal data to:

  • create and maintain your account, publish your cards, and deliver the Service;
  • process payments, subscriptions, and physical card orders;
  • provide customer support and respond to requests;
  • generate Apple Wallet, Google Wallet, and Samsung Wallet passes and keep them in sync with the card you edited (see Section 5);
  • show card owners analytics about how their own cards are performing (views, taps, saves), in aggregate and anonymised form;
  • detect fraud, abuse, or violations of our Terms of Service, and to secure the Service;
  • send transactional emails (password reset, receipt, shipping confirmation) and, with your consent, product updates you can unsubscribe from at any time;
  • comply with legal obligations.

4. Legal bases (EEA / UK users)

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — to secure the Service, prevent fraud, and improve our product. We balance these against your rights.
  • Consent — for marketing emails and non-essential cookies. You may withdraw consent at any time.
  • Legal obligation — to meet tax, accounting, and regulatory requirements.

5. Wallet passes (Apple, Google, Samsung)

When you add a BCard to a mobile wallet, only the content you published on your card (name, job title, company, selected contact details, colours, logo text, and QR code linking to your public card URL) is embedded in the wallet pass. Your email address and password are never embedded in a pass.

Wallet pass distribution relies on the relevant platform provider:

  • Apple Wallet — passes are signed using our Apple Developer certificates and delivered as .pkpass files. Apple receives only the pass payload the device renders.
  • Google Wallet — we generate a short-lived signed JWT that tells Google to save the pass to the user's wallet. The JWT contains the card content described above, your card's public URL, and our issuer ID (3388000000023103984). We do not send Google your BCard account email or password.
  • Samsung Wallet — the same card-content principle applies.

Google, Apple, and Samsung each act as independent data controllers for the pass once it is installed on your device. Their privacy policies govern that stage: Google, Apple, Samsung.

6. How we share your information

We do not sell your personal data. We share it only with:

  • People you choose to share your card with — everything published on a card is public by design. Anyone who has your card URL or scans your QR can see the information on it.
  • Service providers acting under written instructions: Stripe (payments), our cloud hosting provider (servers and databases located within the European Union), transactional email provider, and NFC card fulfilment partner.
  • Wallet platform providers — as described in Section 5.
  • Legal authorities — when required by law, a valid court order, or to protect the rights, property, or safety of BCard or others.
  • Successors — in connection with a merger, acquisition, or asset sale, with notice to you.

7. International data transfers

Your data may be processed in Qatar, the European Union, or the United States depending on the service. When data is transferred outside your country, we rely on the recipient's adequacy decision (where applicable) or on Standard Contractual Clauses approved by the European Commission to safeguard your rights.

8. Cookies

We use a small number of cookies:

  • Strictly necessary — session, authentication, CSRF protection. These cannot be disabled.
  • Analytics — aggregated, privacy-friendly analytics to understand how cards are used. No cross-site tracking.
  • Preferences — to remember your language, theme, and consent choices.

You can manage cookies through your browser settings. Blocking strictly necessary cookies will break parts of the Service.

9. Data retention

  • Account and card data are kept for as long as your account is active.
  • Billing records are kept for ten (10) years to meet tax and accounting obligations.
  • Analytics events are kept in aggregated form for up to twenty-four (24) months.
  • Deleted accounts are purged from live systems within thirty (30) days; backups rotate out within ninety (90) days.

10. Your rights

Subject to applicable law, you have the right to:

  • access your personal data and request a copy;
  • rectify inaccurate data — you can edit most fields yourself in your account;
  • erase your data by deleting your account from your dashboard, or by writing to us;
  • restrict or object to certain processing;
  • port your data in a machine-readable format;
  • withdraw consent at any time where processing is based on consent;
  • lodge a complaint with the Qatar Ministry of Communications and Information Technology (MCIT) or, for EEA / UK users, your local data protection authority.

To exercise any of these rights, write to [email protected]. We will respond within thirty (30) days.

11. Security

We protect your data with industry-standard measures: TLS for data in transit, encryption at rest for sensitive fields, hashed passwords (bcrypt), network firewalls, principle-of-least-privilege access for staff, and regular security reviews. No online service can guarantee perfect security; if a breach occurs that is likely to result in a high risk to your rights, we will notify you and the relevant authority as required by law.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to this Policy

We may update this Policy from time to time. If the changes are material we will post a notice on the Service and, where required, notify you by email at least 14 days before they take effect. The "Last updated" date at the top shows when this Policy was last revised.

14. Contact us

BCard — Doha, Qatar
Privacy & data requests: [email protected]
General support: [email protected]