Legal

Privacy Policy

Effective Date: April 22, 2026  ·  Applies to https://www.veneercards.com

01

Introduction

Veneer Cards (“we,” “us,” or “our”) operates the digital business card platform available at www.veneercards.com. We are committed to protecting the personal information of everyone who uses our platform.

This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have regarding your data. It is written in plain English and complies with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and its ten fair information principles.

By creating an account or using our services, you consent to the practices described in this policy. If you do not agree, please discontinue use of the platform.

02

Accountability

Veneer Cards is responsible for the personal information under its control. We have designated a Privacy Officer who is accountable for our compliance with PIPEDA.

If you have questions, concerns, or requests related to your personal information, please contact our Privacy Officer:

Privacy Officer — Veneer Cards

Email: privacy@veneercards.com

We aim to respond to all privacy inquiries within 30 days of receipt.

03

What Information We Collect

Important distinction: Veneer Cards separates your data into two categories. Private Account Data is information you provide to us for authentication and billing — it is kept strictly confidential. Public Profile Data is content you deliberately create to share with the world on your digital business card — it is visible to anyone who views your card.

Private Account Data

Collected at sign-up and maintained to operate your account. This data is never displayed publicly.

  • Email address — used for login and service communications
  • Encrypted password — stored using industry-standard hashing; we never see your plain-text password
  • Account creation timestamp and session tokens
  • Payment information — collected and processed exclusively by our third-party payment processor (see Section 6); we do not store full card numbers on our servers

Public Profile Data

This is information you intentionally enter to build your digital business card. You control what you include, and everything in this category is publicly accessible via your card’s URL.

  • Full name, job title, and company name
  • Professional biography
  • Phone number and contact email (if you choose to add them)
  • Social media and website links
  • Profile photo you upload
  • Your chosen public profile URL slug (e.g., veneercards.com/yourname)

Usage & Analytics Data

We collect limited technical data to operate, maintain, and improve the platform.

  • IP address and approximate geographic region (country/city level)
  • Browser type and operating system
  • Pages visited, time on site, and referral source
  • Number of profile views and Google Wallet passes downloaded (aggregated, shown to you in your dashboard)
  • Cookies and similar tracking technologies — see our Cookie notice below

Cookies

We use strictly necessary cookies to maintain your authenticated session. We may also use analytics cookies (e.g., via Vercel Analytics) to understand aggregate platform usage. We do not use advertising or cross-site tracking cookies. You can disable non-essential cookies in your browser settings without affecting core functionality.

Payment Data

Payments for premium features are handled entirely by our payment processor. We receive only a transaction confirmation and a masked payment reference (e.g., last four digits of a card). We never store or transmit full payment card data.

04

Why We Collect It (Identifying Purposes)

We collect personal information only for specific, legitimate purposes, and we identify those purposes before or at the time of collection, as required by PIPEDA.

  • To create and authenticate your account
  • To build, store, and serve your public digital business card
  • To process payments for premium features
  • To send transactional emails (e.g., password reset, billing receipts)
  • To provide you with analytics about your card performance (views, downloads)
  • To diagnose technical issues and improve platform reliability
  • To comply with applicable laws and legal obligations
  • To prevent fraud, abuse, and security incidents

We will not use your personal information for any new purpose without first identifying that purpose and obtaining your consent, unless required by law.

06

How We Share Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We share data only as necessary to deliver our services:

Infrastructure & Database

Supabase — Our database, authentication, and file storage are hosted on Supabase (PostgreSQL). Your account and profile data resides on Supabase-managed servers. Supabase operates data centres in North America and is bound by data processing agreements consistent with applicable privacy laws.

Hosting & Deployment

Vercel — Our platform is deployed on Vercel’s edge network. Web request metadata (IP addresses, headers) passes through Vercel’s infrastructure in accordance with their data processing agreement.

Payments

Third-party payment processor — Premium subscription payments are handled by a PCI-DSS compliant payment processor. Payment data is subject to their privacy policy. We receive only a payment confirmation and masked card reference.

Google Wallet

When you issue a digital business card to Google Wallet, your Public Profile Data (name, title, contact info, links) is transmitted to Google’s Wallet API to generate the pass. This data is governed by Google’s Privacy Policy once it resides in a user’s Wallet.

Legal Disclosure

We may disclose personal information without consent if required by a court order, warrant, or applicable law, or if necessary to prevent fraud, illegal activity, or a serious threat to safety.

07

Data Retention & Security (Safeguards)

Retention

We retain your personal information only for as long as necessary to fulfill the purposes identified in this policy, or as required by applicable law:

  • Active account data — retained for the life of your account
  • Analytics and usage logs — retained for up to 12 months, then aggregated or deleted
  • Payment transaction records — retained for 7 years as required by Canadian tax law
  • Deleted account data — permanently purged within 30 days of account deletion, except where legal retention obligations apply

Security Safeguards

We implement physical, organizational, and technical measures to protect your personal information against unauthorized access, disclosure, copying, use, or modification:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Passwords are hashed using a strong one-way algorithm (bcrypt); we never store plain-text passwords
  • Database access is controlled via Row Level Security (RLS) — users can only access their own data
  • Supabase service keys are stored as environment secrets and never exposed client-side
  • Authentication sessions use short-lived JWT tokens
  • Access to production systems is restricted to authorized personnel only

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at privacy@veneercards.com.

08

Your Rights

Under PIPEDA, you have the following rights regarding your personal information. To exercise any of these rights, contact our Privacy Officer at privacy@veneercards.com. We will respond within 30 days.

Right to Access

You have the right to request access to the personal information we hold about you, including a description of its use and any third parties to whom it has been disclosed. We may charge a minimal fee to cover the cost of providing access.

Right to Correction

If you believe your personal information is inaccurate or incomplete, you may request that we correct it. Much of your profile data can be corrected directly in your Dashboard at any time.

Right to Deletion

You may request deletion of your account and associated personal information. Deletion requests will be fulfilled within 30 days, subject to legal retention obligations (e.g., financial records). Public Profile Data will be removed from public-facing URLs immediately upon account deletion.

Right to Withdraw Consent

You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Withdrawing consent may prevent us from providing certain services to you.

Right to Data Portability

Upon request, we will provide you with a copy of your profile data in a machine-readable format (JSON) so you can transfer it to another service.

09

Filing a Complaint

If you believe we have not adequately addressed your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

We encourage you to contact us first so we have the opportunity to resolve the matter directly. However, you may contact the OPC at any time:

Office of the Privacy Commissioner of Canada

Website: priv.gc.ca

Toll-free: 1-800-282-1376

10

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will update the Effective Date at the top of this page and notify active account holders by email.

Your continued use of the platform after any update constitutes your acceptance of the revised policy. If you do not agree to the updated terms, you may delete your account before the changes take effect.