1. Overview

KastKard is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679. This page explains how we handle your personal data, what rights you have, and how you can exercise them.

If you are located in the European Economic Area (EEA) or the United Kingdom, the GDPR and UK GDPR apply to the processing of your personal data by KastKard.

2. Data Controller

KastKard acts as the data controller for personal data you provide when creating an account and using our services. As data controller, we determine the purposes and means of processing your personal data.

For any data protection enquiries, please contact us at [email protected]

3. Legal Bases for Processing

We process your personal data on the following legal grounds under Article 6 GDPR:

• Contract performance (Art. 6(1)(b)) — to create and manage your account, provide the KastKard service, and process payments
• Legitimate interests (Art. 6(1)(f)) — to maintain platform security, prevent fraud, and improve our services, where these interests are not overridden by your rights
• Legal obligation (Art. 6(1)(c)) — where we are required to process data to comply with applicable law
• Consent (Art. 6(1)(a)) — where you have given clear consent, such as for optional preference cookies. You may withdraw consent at any time

4. Personal Data We Collect

We collect only the data necessary to provide our service. This includes:

• Account information: email address, password (hashed), and profile details you choose to provide
• Digital card content: contact information, links, and media you add to your KastKard profile
• Device data: NFC device identifiers linked to your account
• Payment data: billing details processed securely via Stripe — we do not store card numbers
• Technical data: IP address, browser type, and session data for security and service delivery
• Preference data: language and display settings stored in functional cookies

We do not use cookies or third-party tools to track your activity across other websites for advertising or profiling purposes.

5. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. You can exercise any of these by contacting us at [email protected]

Right of Access (Art. 15)

You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it.

Right to Rectification (Art. 16)

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most profile information directly within your account settings.

Right to Erasure (Art. 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal basis applies. You can delete your account at any time from your account settings.

Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as while a dispute about accuracy is resolved.

Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.

Right to Object (Art. 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.

Rights Related to Automated Decision-Making (Art. 22)

We do not make decisions about you solely based on automated processing that produce significant legal or similarly significant effects.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data is retained for the lifetime of your account
• Upon account deletion, personal data is deleted within 30 days, except where retention is required by law
• Anonymised or aggregated data that cannot identify you may be retained indefinitely for service improvement

7. International Data Transfers

Our infrastructure uses services that may process data outside the EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, to maintain the protection afforded by the GDPR.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encryption in transit (TLS), hashed password storage, and access controls limited to authorised personnel. However, no method of transmission over the internet is completely secure.

9. Children's Data

Our services are not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately so we can delete it.

10. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your national authority through the European Data Protection Board. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

11. Related Policies

For further detail on how we handle your data, please review our:

• Privacy Policy — full details on what data we collect and how we use it
• Cookie Policy — details on the functional cookies we use
• Terms of Service — the terms governing use of KastKard

12. Contact Us

To exercise any of your rights or for any data protection enquiries, please contact our team at [email protected]. We will respond to verifiable requests within 30 days as required by the GDPR.