Privacy Policy
CardEx (also referred to as AI Contact Vault in some technical contexts)
CardEx is a product developed by upGrad School of Technology.
1. Introduction and Scope
This Privacy Policy (“Policy”) explains how CardEx (“we,” “us,” “our”) collects, uses, discloses, stores, and protects information when you use:
- Our mobile applications for Android and iOS (collectively, the App);
- Any websites or portals we operate that link to this Policy;
- Related services that reference this Policy (together with the App, the Services).
By using the Services, you acknowledge this Policy. If you do not agree, please do not use the Services.
This Policy is intended to support transparency for users and compliance with platform rules (including Google Play and Apple App Store requirements). It does not replace legal advice; please consult counsel for jurisdiction-specific obligations.
2. Who Is Responsible for Your Data?
The entity named CardEx (as identified in app store listings or in correspondence we send you) is typically the controller of personal data processed through the Services for its own purposes.
Where we use processors (hosting, storage, AI providers), they process data on our instructions and subject to contractual safeguards.
Contact (privacy): noreply@upgradsot.com
3. Summary of What We Do
| Topic | Summary |
|---|---|
| Sell data | We do not sell your personal information as that term is commonly understood. |
| Device contacts | We do not access your phone's built-in contact book (READ_CONTACTS / WRITE_CONTACTS). |
| Camera / photos | We use the camera and photo library only when you choose features that need them (scanning cards, QR codes, picking images). |
| AI | We may send card images and search queries to AI providers (e.g. OpenAI) to extract text and answer natural-language searches. |
| Hosting | Account and card data are processed on our backend and Supabase (or successor infrastructure). |
4. Categories of Information We Collect
We collect information that falls into the following categories. Not every user provides every item.
4.1 Account and authentication
- Full name
- Email address
- Phone number
- One-time passwords (OTP) / verification codes sent to your email (we process these for authentication; we do not publish them)
Authentication is primarily email-based OTP. If we offer passwords or other methods in the future, we will describe them here.
4.2 Profile information
- Job title, company name
- Profile photo (optional)
- Preferences such as light/dark theme (may be stored locally and/or synced)
4.3 Virtual business card (“CardEx card”) content
- Name, email, phone, job title, company
- Optional fields (e.g. card number, purpose/tagline)
- Social links (e.g. LinkedIn, Facebook, Instagram, YouTube)
- Profile photo and company logo URLs or references
- Card theme selection
- QR code and share identifiers associated with your card
4.4 Business cards you save (contacts in the app)
Information from cards you scan, upload, enter manually, or add via another user's CardEx QR:
- Names, emails, phone numbers, addresses (if provided)
- Company, role, websites, social links
- Images of cards (when you capture or upload them)
- Notes or edits you make in the app
4.5 Teams and organizations
- Team names, descriptions, purposes/categories
- Team banner and logo images
- Organization names, descriptions, organization email (for verification), banners, logos
- Organization virtual card content (where enabled)
- Member lists (e.g. emails or identifiers of admins and members)
- Invite or join codes / QR-related identifiers
- Roles (e.g. team admin, organization admin)
4.6 Usage, device, and technical data
- Device type, operating system version, app version
- Approximate diagnostics (e.g. crash logs if enabled, error messages)
- Log data such as timestamps of requests, IP address (as processed by our servers)
- Features used (where we log events for security or improvement)
We generally do not collect precise GPS location for core functionality.
4.7 Communications with us
- Email support tickets and contents
- Feedback you voluntarily send
6. Purposes for Processing (Why We Use Data)
- Provide the Services: accounts, profiles, virtual cards, scanning, saving contacts, sharing via QR/link, teams, organizations.
- Authenticate and secure: OTP delivery and verification, fraud prevention, abuse detection, securing APIs.
- AI features: extract structured contact fields from images; answer natural-language queries over your permitted card dataset.
- Storage and media: host profile photos, logos, banners, and card-related images using infrastructure such as Supabase.
- Collaboration: show appropriate cards and member information within teams and organizations you belong to.
- Improve and maintain: debug, analyze aggregated usage, develop features (preferring aggregated or de-identified data where feasible).
- Communicate: service messages (OTP, account notices), responses to support requests, and, where permitted, product updates.
- Legal compliance: comply with law, respond to lawful requests, enforce our Terms, protect rights and safety.
7. Legal Bases (Where GDPR or Similar Laws Apply)
Depending on your region, we may rely on:
- Performance of a contract - providing the Services you requested.
- Legitimate interests - securing the Services, improving reliability, preventing fraud (balanced against your rights).
- Consent - where required for specific processing (e.g. certain marketing cookies or optional analytics, if we use them).
- Legal obligation - where the law requires retention or disclosure.
You may withdraw consent where processing is consent-based, without affecting prior lawful processing.
8. AI Processing (Important Notice)
8.1 Card extraction
When you scan or upload a business card image, we may send that image (or derived representations) to OpenAI or similar providers to extract text such as name, email, and company. Results are shown for your review before saving where the App provides review steps.
8.2 Natural-language search (“AI Search”)
When you submit queries, we may send your question and relevant stored card text (or embeddings derived from permitted data) to an AI provider to generate answers or rankings within your authorized dataset.
8.3 Accuracy and human review
AI outputs can be incorrect or incomplete. You are responsible for verifying information before relying on it professionally or legally. We do not guarantee AI accuracy.
8.4 Provider policies
OpenAI and other providers maintain their own privacy notices and terms. We encourage you to read them at openai.com/policies (or the applicable URLs).
9. Mobile App Permissions (Android)
Our Android manifest declares permissions consistent with the features below. You can deny optional permissions; affected features may not work.
| Permission | Purpose |
|---|---|
| INTERNET | Communicate with our backend, deliver OTP-related flows, sync cards/teams/orgs, AI extraction and search, upload images to storage. |
| CAMERA | Capture physical cards and scan QR codes (team/org join, CardEx virtual card scan). Used only when you open those flows, not continuous background access. |
| READ_EXTERNAL_STORAGE | Android 12 and below: image picker for gallery selections (card photos, profile, logos). |
| READ_MEDIA_IMAGES | Android 13+: image picker for photos you explicitly select. |
iOS
On Apple devices, access to camera and photo library is requested via system prompts with usage descriptions (e.g. camera for QR/card scan; photo library for selecting images). We follow Apple's permission model.
What we do not request for core CardEx functionality
We do not require access to your device's Contacts app, precise location, SMS, or microphone as standalone permissions for core features (microphone may be involved only indirectly through OS camera behavior where applicable).
10. Cookies and Similar Technologies (Web)
If you use our website, we may use cookies or similar technologies for:
- Essential site operation (e.g. session, security)
- Analytics (if enabled and where legally required, with consent)
The mobile App does not use browser cookies in the traditional sense but may use local storage on your device (e.g. preferences, tokens). See our security practices for credential storage.
11. How We Share Information
We share personal information only as described below.
11.1 Service providers (processors)
- Cloud hosting and APIs
- Supabase (or successor) for database and file storage
- OpenAI (or successor) for AI features
- Email delivery for OTP and transactional messages
- Analytics or crash reporting tools if we integrate them (we will list major providers here when used)
We bind processors by contract to protect data and use it only for defined purposes.
11.2 Other users (by design of the product)
- Your virtual card content may be visible to people you share it with (QR, link).
- Team members may see cards and information shared within that team according to product behavior.
- Organization members and admins may see organization-scope content as implemented in the App.
11.3 Legal and safety
We may disclose information if we believe in good faith that disclosure is necessary to:
- Comply with law, regulation, legal process, or governmental request
- Enforce our Terms or investigate violations
- Protect the rights, property, or safety of CardEx, our users, or the public
11.4 Business transfers
If we merge, are acquired, or sell assets, personal information may transfer as part of that transaction. We will seek appropriate safeguards and notify you where required.
12. International Transfers
Our servers and processors may be located in countries other than yours. Where required (e.g. EEA/UK), we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms.
13. Retention
We retain personal data as long as your account is active and as needed to provide the Services, unless:
- You delete specific content or request deletion (subject to backend delays and backups)
- Longer retention is required by law, dispute resolution, or legitimate security/audit needs
Backup copies may persist for a limited period before overwriting.
After account deletion, we aim to delete or irreversibly anonymize personal data within a reasonable period (e.g. 30-90 days), except where retention is required.
14. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (HTTPS/TLS) for network communications
- Encryption at rest where supported by our infrastructure
- Access controls and authentication for administrative systems
- Vendor diligence for subprocessors
No method is 100% secure. Please use a strong, unique email account and protect your device.
15. Your Rights and Choices
Depending on where you live, you may have rights to:
- Access a copy of your personal data
- Correct inaccurate data
- Delete your account or certain data
- Restrict or object to certain processing
- Data portability (machine-readable export), where technically feasible
- Withdraw consent where processing is consent-based
- Lodge a complaint with a supervisory authority (EEA/UK)
To exercise rights, email noreply@upgradsot.com. We may verify your identity before fulfilling requests.
U.S. state privacy rights
Residents of certain U.S. states may have additional rights (access, deletion, opt-out of sale/sharing, appeal). We do not sell personal information in the conventional sense; contact us for requests specific to your state.
16. Children's Privacy
The Services are not directed to children under 13 (or the age required by your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it promptly.
17. Automated Decision-Making
AI-assisted extraction and search may influence what fields are suggested or which cards appear in results. These tools do not make legally significant solely automated decisions about you under typical use; you can review and edit extracted fields.
18. Third-Party Links and Features
The Services may contain links to third-party websites or profiles (e.g. social networks). Their privacy practices are governed by their policies, not ours.
19. Changes to This Policy
We may update this Policy periodically. We will post the new version with an updated “Last updated” date in the App and/or on our website. Where required, we will obtain consent or provide additional notice. Continued use after the effective date may constitute acceptance.
20. Contact Us
Privacy inquiries and data requests:
Email: noreply@upgradsot.com
General support:
Email: noreply@upgradsot.com
Mobile: +91 7317202906
21. Acknowledgment
By using CardEx, you acknowledge that you have read this Privacy Policy.
© 2026 CardEx. All rights reserved.