Privacy Policy

Last updated: March 13, 2026

This privacy policy for CardMeet, Inc. ("CardMeet," "we," "us," or "our") describes how and why we collect, store, use, and share ("process") your information when you use our services ("Services"), including our mobile application (CardMeet.io), our website at cardmeet.io, and any related services. Questions? Contact us at privacy@cardmeet.io.

Privacy at a Glance

We never sell your personal data
Your data is encrypted in transit and at rest
You can export or delete your data anytime
You control what information you share
Speech recognition runs on-device — no audio is ever stored or transmitted
AI analysis requires your explicit consent before any data is sent

1. Information We Collect

We collect your personal information in the following circumstances:

Account Information

When you register for an account (via email/password or Sign in with Apple), we collect your name, email address, phone number, profile photo, company name, job title, industry, social media links, and website URLs.

Usage Information

We automatically collect information about how you interact with the Service, including features used, pages visited, device information (device type, OS version, app version), IP address, log data, and analytics. We use this to improve the Service and troubleshoot issues.

Contact Information

Contacts you add or sync to CardMeet, meeting notes, calendar events, and communication preferences. When you scan a QR code or NFC tag, the contact data encoded in that card is saved to your account.

Payment Information

If you purchase a subscription, payment is processed by Apple (via In-App Purchase) or RevenueCat. We do not collect, store, or have access to your credit card number or payment details. We receive only a transaction confirmation and subscription status.

Voice Notes (AI Note Taker)

When you use the AI Note Taker, speech is transcribed entirely on-device using iOS Speech Recognition in real-time. No audio file is ever created, stored, or transmitted to any server. Only the resulting plain-text transcript is saved to your account. If you choose to analyse the transcript with AI, only the text is sent — see Section 4 for full details.

2. How We Use Your Information

We use the information we collect for the following purposes:

Provide the Service

  • Create and manage your account
  • Enable digital business card sharing via QR and NFC
  • Facilitate connections, meetings, and bookings
  • Send service-related notifications

AI-Powered Features

  • Analyse meeting transcripts to generate summaries (with your consent)
  • Extract contact details from business card photos
  • All AI features require explicit user action to trigger

Personalisation

  • Customise your experience
  • Provide relevant recommendations
  • Display personalised networking analytics

Communication

  • Service-related announcements
  • Respond to support enquiries
  • Marketing communications (with consent only — you may opt out at any time)

Security & Compliance

  • Detect and prevent fraud or abuse
  • Enforce our Terms of Service
  • Comply with legal obligations

Improvement

  • Monitor and analyse usage trends
  • Perform crash reporting and debugging
  • Improve the Service and user experience

3. Information Sharing & Third Parties

CardMeet does not sell your personal information. We do not rely on advertising. We may share information only in these circumstances:

Other Users You Connect With: The core functionality of CardMeet allows you to share your digital business card with other users via QR code, NFC, or a shareable link. When you share, your card information is provided to people who scan or access it. You control which fields appear on your card.
With Your Consent: When you explicitly choose to share data, connect with other users, enable third-party integrations, or opt in to AI-powered analysis.
Service Providers: We use third-party service providers to help operate the Service (see the table below). These providers are only given the information needed to perform their specific function, are contractually bound to protect your data, and may not use it for any other purpose.
Legal Requirements: We may disclose information if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, safety, or property, or that of our users or the public.
Business Transfers: In connection with mergers, acquisitions, or asset sales, your data may be transferred to the successor entity. We will notify you before your data is subject to a different privacy policy.

For a complete list of our service providers including what data each processes and where they are located, see our Subprocessors page. All subprocessors are contractually bound to protect your data, use it only for the purposes we specify, and provide equal or greater data protection standards.

4. AI-Powered Features & Third-Party AI

We are transparent about every AI technology we use, exactly what data is sent, who receives it, and how your consent is obtained.

On-Device Speech Recognition

Provider: Apple · iOS Speech Framework via expo-speech-recognition

Used for: Transcribing your voice during AI Note Taker sessions

How it works: Runs entirely on your device. No audio file is created, stored, or transmitted to any server.

Data sent: None. All processing happens locally.

✓ No data ever leaves your device

Anthropic Claude — Third-Party AI Service

Provider: Anthropic, PBC · anthropic.com

Used for: Generating meeting summaries, action items, key takeaways, and sentiment analysis from your meeting note transcripts.

What data is sent: Plain-text transcript only. No audio, no contact lists, no personally identifiable information beyond the spoken words in the transcript.

How data is collected: Speech is first transcribed on-device using iOS Speech Recognition (no audio leaves your device). Only the resulting plain-text transcript is eligible for AI analysis. The text is sent server-to-server via a secure Supabase Edge Function over TLS — it never passes through a public endpoint.

Who it is sent to: Anthropic, PBC, a US-based AI safety company. The data is sent exclusively to Anthropic's API endpoint for processing.

🔒 Consent: The app displays a full-screen consent dialog the first time you use AI analysis. The dialog clearly explains what data will be sent and to whom. You must explicitly tap "Agree & Analyze" before any transcript data is transmitted. If you tap "Cancel," no data is sent and your note is saved without AI analysis. You may revoke consent at any time in Settings.

Retention: Anthropic does not retain, store, or use API-submitted data to train its models. Data is processed in memory and discarded immediately after generating the response. See Anthropic's Privacy Policy.

Equal protection: Anthropic maintains SOC 2 Type II certification, applies encryption at rest and in transit, enforces strict access controls, and operates under data handling policies that provide equal or greater protection to the standards described in this privacy policy.

Google Cloud Vision API

Provider: Google LLC · cloud.google.com/vision

Used for: Extracting contact details from photos of physical business cards (OCR)

Data sent: Business card photo only. The image is processed transiently and not stored by Google beyond the API call per their API terms.

Consent: You initiate this action by tapping "Scan Card" and granting camera access.

5. Data Security

We use reasonable physical, technical, and administrative security measures to protect your personal information. No method of data transmission or storage is 100% secure, but we implement industry best practices:

Technical Safeguards

  • All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Authentication tokens stored in iOS Keychain, never in plain-text storage
  • Row-level security policies on all database tables
  • Secure authentication via Sign in with Apple and email/password with PKCE
  • Regular security audits and penetration testing

Organisational Measures

  • Access limited on a strict need-to-know basis
  • All third-party providers under confidentiality agreements
  • Incident response procedures in place
  • Regular policy reviews and updates
  • No sensitive data in application logs

6. Third-Party Integrations

The Service may connect with third-party platforms you authorise. We are not responsible for the privacy practices of third-party services.

Calendar Services: Apple Calendar and Google Calendar — we access only the calendar data needed to create events for booked meetings. Calendar access is requested only when you tap "Add to Calendar" and requires your explicit permission.
Contact Sync: Optional sync with your device contacts to find existing CardMeet users. Contact data is compared locally; contacts are not uploaded to our servers without your consent.
Sign in with Apple: We use Apple's authentication service for secure sign-in. Apple provides your name and email (which you may choose to hide). We do not receive your Apple ID password.
NFC: CardMeet uses NFC to read and write business card data to NFC tags and stickers. NFC data is processed locally on your device.
Social Platforms: We only store social media links you manually provide on your card. We do not access or scrape your social media accounts.
Crash Reporting (Sentry): Sentry collects anonymised crash and error reports including stack traces and device metadata. No personally identifiable information is included in crash reports.

7. Your Rights and Choices

Access & Portability

Request a copy of all data we hold about you, or export it in a portable format.

Correction

Update or correct inaccurate information at any time from the app Settings.

Deletion

Request deletion of your account and all associated data. We will delete your data within 30 days of your request.

Opt-Out

Unsubscribe from marketing, disable push notifications, or revoke consent for AI analysis at any time.

Withdraw Consent

You may withdraw consent for data processing at any time by contacting us. If you do so, some features may become unavailable.

Restrict Processing

Request that we limit how we use your data while a complaint or dispute is being resolved.

To exercise these rights, visit Settings in the app or contact privacy@cardmeet.io. We will respond within 30 days.

8. Data Retention

We retain information for as long as reasonably necessary to deliver the Service or fulfil the purposes described in this policy:

Data Type | Retention Period
Active account data | Retained while your account is active
Deleted accounts | All data deleted within 30 days of deletion request
Backup systems | Purged within 90 days of account deletion
AI transcripts sent to Anthropic | Not retained by Anthropic — processed and discarded immediately
Crash / error logs (Sentry) | Anonymised, retained for 90 days
Legal holds | Retained as required by applicable law

9. Cookies and Tracking Technologies

We use minimal tracking technologies:

Essential Cookies

Used to maintain your session and remember preferences. These are strictly necessary for the Service to function and cannot be disabled.

Analytics

We collect anonymised usage analytics to understand how the app is used and to improve it. We do not use analytics for advertising or cross-site tracking.

We do not use cookies for advertising. We do not use web beacons, pixel tags, or similar tracking for marketing purposes. We do not set any cookies outside of the cardmeet.io domain. You can control cookies through your browser settings.

10. International Data Transfers

CardMeet operates globally. Your information is processed in the United States, where our infrastructure (Supabase on AWS us-east-1) and third-party service providers are located.

Where we transfer personal information from the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.

By using our Service, you acknowledge and consent to the transfer of your information to the United States and other countries where our service providers operate.

11. Lawful Bases for Processing

We only collect and process personal information where we have a lawful basis. Our lawful bases include:

Consent: Where you have given explicit consent, such as opting in to AI transcript analysis or marketing communications. You may withdraw consent at any time.
Contract: Where processing is necessary to perform our contract with you, such as providing the CardMeet Service, managing your account, and facilitating meetings.
Legitimate Interests: Where processing is necessary for our legitimate interests (such as improving the Service, ensuring security, and preventing fraud), provided these are not overridden by your rights.
Legal Obligation: Where processing is necessary to comply with applicable laws, regulations, or legal processes.

12. Children's Privacy

CardMeet is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If a parent or guardian becomes aware that their child has provided us with personal information, they should contact us at privacy@cardmeet.io. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly.

13. California (CCPA) & European (GDPR) Rights

California Residents (CCPA)

  • Right to Know what personal information we collect, use, and disclose
  • Right to Delete your personal information
  • Right to Opt-Out of the sale of personal information (we do not sell your data)
  • Right to Non-Discrimination for exercising your rights
  • Right to Correct inaccurate personal information

We have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioural advertising.

European Residents (GDPR)

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with your supervisory authority

To exercise any of these rights, contact our Data Protection Officer: privacy@cardmeet.io. We will respond within 30 days (or 45 days for CCPA requests if an extension is needed).

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy with a new "Last Updated" date, sending an in-app notification, and/or emailing you at the address associated with your account. Your continued use of the Service after the changes take effect constitutes your acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.

15. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Email: privacy@cardmeet.io

Support: cardmeet.io/support

CardMeet, Inc. · San Francisco, CA

© 2026 CardMeet.io · All rights reserved