Cardturf, accessible at https://cardturf.com/ , is committed to safeguarding the privacy of its visitors. This Privacy Policy outlines the categories of information collected and recorded by Cardturf, as well as the purposes for which such information is used

If you have any further questions or require additional information regarding this Privacy Policy, please contact us without hesitation.

This Privacy Policy applies solely to our online activities and governs the information that visitors to our website share with, or that is collected by, CardTurf. It does not apply to any information gathered offline or through channels other than this website.

Introduction and Scope of This Policy

This Privacy Policy explains how CardTurf (“CardTurf”, “we”, “us”, “our”) collects, uses, discloses, and safeguards personal data when you use cardturf.com and any related services (the “Service”). It also sets out the scope of our responsibilities as a data controller or processor under applicable laws, including the GDPR. By accessing or using the Service, you acknowledge and agree to the terms set out in this Policy.The Policy applies solely to our online activities and governs the information that visitors to our website provide to us, as well as information collected by us in the course of offering our digital platform. It does not apply to data collected offline or through any channels other than this website and related services. Any personal data collected outside this context will be subject to separate terms or policies where applicable. Where required by law, we will seek your consent before processing certain categories of data, such as marketing preferences or the placement of specific cookies. Where consent is the lawful basis for processing, you may withdraw your consent at any time without affecting the lawfulness of processing conducted prior to your withdrawal. This Policy should be read in conjunction with any other notices or disclosures provided by CardTurf in relation to specific services, features, or contractual arrangements. In cases where additional terms apply, such as a Data Processing Addendum for enterprise customers, those terms will prevail where they are more specific. If you have any questions or require additional clarification regarding this Policy or our data practices, you may contact us at info@cardturf.com . Users located within the EEA or UK also have the right to raise concerns with their local supervisory authority, such as the Data Protection Commission in Ireland.

Our Identity and Legal Role Under GDPR

CardTurf operates from Ireland and provides services to users globally, subject to applicable data protection and privacy laws. For most of the processing activities described in this Privacy Policy, CardTurf acts as the “data controller” as defined under Article 4(7) of the General Data Protection Regulation (“GDPR”). This means that we determine the purposes and means of processing your personal data. In certain limited situations, CardTurf instead acts as a “data processor” as defined under GDPR. This occurs when a business customer uploads or manages contact information, digital card details, or similar data into the platform, and we process that data strictly in accordance with the customer’s documented instructions. In those cases, the business customer remains the controller and CardTurf’s processing is governed by a Data Processing Addendum (“DPA”), which is available on request.

Understanding whether CardTurf is acting as a controller or processor is important for determining your rights and our obligations under data protection laws. As a controller, we are responsible for ensuring that the collection and use of personal data is lawful, fair, and transparent. As a processor, we act only under the instructions of the controller and do not determine the purposes for which the data is used.

When CardTurf operates as a controller, our processing is supported by specific legal bases, including the necessity of processing for the performance of a contract, compliance with legal obligations, legitimate interests pursued by CardTurf, or your consent where required by law. In processor situations, our legal obligations are primarily defined by the controller’s instructions and the terms of the DPA. By using our Service, you acknowledge the dual role we may play depending on the nature of the processing activity. If you are unsure whether CardTurf is acting as controller or processor in relation to your data, please contact us for clarification.

Nature of Our Services and Business Practices

CardTurf is a digital platform that provides tools for creating, hosting, sharing, and analysing digital business cards, landing pages, QR codes, and related templates or digital assets. These tools may integrate with third-party services such as payment processors, messaging applications like WhatsApp, analytics tools, and affiliate or referral platforms. It is important to note that CardTurf is not a seller of physical products such as NFC tags or plastic business cards. We are a purely digital service provider, and all optional integrations with third parties are managed by you, the user. For example, if you connect your digital card to a payment processor such as Stripe, any collection or storage of payment information will be handled directly by that third party.

CardTurf does not collect, store, or have access to your full payment instrument details, such as complete credit card numbers. We receive only limited transactional and billing data, such as the plan tier, billing country, VAT numbers (if applicable), subscription status, and invoice records. Our role in processing financial information is administrative, and we do not control the flow of funds. If you encounter issues with payments, refunds, chargebacks, settlements, or other financial disputes, you must contact the relevant payment processor directly and review its terms and privacy policy. CardTurf cannot intervene in such matters as we do not have control over payment processing systems. Our platform is designed to respect the principle of data minimisation. We collect only the data necessary to provide and improve the Service and integrate with third-party providers only where this is required for functionality or compliance.

Personal Data We Collect From You

We collect personal data directly from you when you create an account, contact support, upload content, or participate in our affiliate or referral programme. This may include identifying details such as your name, email address, company name, hashed password, and optional profile information. It may also include the logos, images, text, links, and contact details you choose to upload into your digital business cards. If you upload information relating to other individuals into your digital cards or landing pages, you confirm that you have a lawful basis for doing so under applicable data protection laws. You remain responsible for ensuring that such sharing of personal data is lawful and that those individuals are informed about how their data will be used. We receive limited transactional and billing data as part of your subscription. This includes plan tier, billing country, VAT number if applicable, subscription status, and invoice records. Full payment details, such as complete credit card numbers, are not visible to us and are processed exclusively by your chosen payment processor acting as an independent controller.

In addition to information you provide, we also collect technical and usage data when you interact with our Service. This may include IP addresses, device and browser details, operating system, time zone, language preferences, referring URLs, pages viewed, clickstream data, session duration, error logs, diagnostic information, and feature usage data such as template previews, QR code scans, and share actions. If you take part in our affiliate or referral programme, we collect data required for participation, such as referral links or codes, cookie-based identifiers where permitted, payout details, and tax or KYC information where required by law. This ensures compliance with financial regulations and proper attribution of referrals.

How We Obtain Personal Data

We obtain personal data directly from you when you register for an account, upload content, submit a support request, or engage in programmes such as our affiliate or referral initiatives. These direct interactions provide us with the core information required to operate your account and deliver the Service. In addition to direct collection, we also obtain data automatically through the use of our platform. This includes the use of logs, cookies, and analytics technologies that capture information about how the Service is accessed and used. Such data may include IP addresses, browser and device identifiers, and diagnostic information. These automated processes enable us to secure the Service, improve performance, and understand usage trends. We may also obtain information indirectly from third-party sources. For example, payment processors provide us with confirmation of your payment status, subscription details, and related billing information. Similarly, affiliate platforms may provide attribution data to ensure that referrals and commissions are accurately recorded and processed.

We do not intentionally collect special category data within the meaning of GDPR, such as information relating to health, political opinions, religious beliefs, or biometric identifiers. Likewise, we do not intentionally collect data relating to criminal offences or convictions. Should such data be inadvertently provided, we will take steps to limit its processing and, where appropriate, delete it. By combining direct, automated, and third-party sources of data, we are able to maintain a complete and accurate record of your use of the Service. However, our collection is always limited to what is necessary for the purposes set out in this Policy and is consistent with the principles of fairness, transparency, and proportionality.

Purposes of Processing and Legal Bases

We use personal data to deliver, maintain, and improve the Service. This includes administering user accounts, enabling digital card features, and supporting integrations with third-party applications. Without processing your personal data, we would be unable to provide you with core platform functionality. Another key purpose is ensuring the security and integrity of the Service. We process personal data to detect and prevent fraud, monitor suspicious activity, apply security controls, and investigate errors or service disruptions. These activities are necessary to maintain a safe and reliable platform for all users.

We also process personal data for communication purposes. This includes responding to support requests, notifying you about product updates or policy changes, and, where permitted by law, sending promotional information or offers. For direct marketing activities, we rely on your consent where required, and you may withdraw this consent at any time. Analytics and product development are further important purposes. We analyse aggregated usage data to understand how features perform, identify areas for improvement, and develop new services. Such processing is typically based on our legitimate interest in operating a competitive and user-friendly platform.

Our legal bases for processing include the performance of a contract (when providing the Service), compliance with legal obligations (for tax and record keeping), our legitimate interests (for security, analytics, and product improvement), and, where applicable, your consent (for marketing or cookies). Where we rely on consent, you retain the right to withdraw it at any time.

Use of Cookies and Tracking Technologies

We use cookies, pixels, tags, and similar technologies to ensure the proper functioning of the Service. These tools enable us to keep you logged in, secure the Service, and measure performance. Without such technologies, many essential functions of the platform would not operate correctly. Essential cookies are strictly necessary for the core functionality of the Service. These cannot be disabled as they are fundamental to the secure delivery of features such as account access and navigation. Disabling them may significantly impair your use of the Service. Analytics cookies are used to gather information about how the Service is used. These cookies allow us to understand usage trends, measure performance, and make improvements to features. The information collected is typically aggregated and used for statistical analysis, though it may include identifiers such as IP addresses for diagnostic purposes.

Marketing and affiliate attribution cookies may also be deployed, subject to your consent where required by law. These cookies help us recognise referrals, attribute commissions to affiliates, and tailor communications. Where legislation requires a consent banner, we will provide you with a clear choice to accept or reject these cookies. You can manage cookie settings through your browser or through on-site preference centres where available. Blocking certain categories of cookies may affect your ability to use the Service, particularly where cookies are necessary for login or security purposes.

Sharing of Personal Data

We share personal data with trusted service providers that assist in delivering the Service. These providers may include hosting companies, content delivery networks, analytics platforms, customer support systems, email and SMS delivery services, log management tools, and payment partners. Each provider is contractually required to process data only as instructed by CardTurf and to implement appropriate safeguards.

Payment processors, such as Stripe, receive personal data necessary to authorise and settle transactions, manage subscriptions, and process refunds or chargebacks. These processors generally act as independent controllers of payment data, meaning they determine their own purposes and means of processing in accordance with their privacy policies.

Where you participate in our affiliate or referral programme, we may share limited information with affiliates or referrers in order to confirm eligibility for payouts. Such sharing is strictly limited to what is necessary and does not include sensitive or unrelated personal data.

If CardTurf is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the acquiring entity. In such circumstances, the terms of this Privacy Policy or a substantially similar policy will continue to govern the handling of your data.

We may also disclose data to regulators, courts, or law enforcement where required by law or where disclosure is necessary to protect rights, safety, and security or to enforce our contractual obligations. We do not sell personal data under any circumstances.

Data Transfers, Security, and Retention

Your personal data may be processed or transferred to jurisdictions outside the European Economic Area (EEA) or the United Kingdom.

In such cases, we implement safeguards such as European Commission adequacy decisions, Standard Contractual Clauses (SCCs), and supplemental security measures to ensure data protection. Transfers from the UK may be subject to the International Data Transfer Agreement (IDTA) or Addendum.

We employ technical and organisational measures to protect personal data. These include encryption in transit, secure storage, access controls, least-privilege permissions, auditing, and confidentiality obligations for staff.

While we take reasonable steps to secure data, no system is entirely immune to breaches, and we cannot guarantee absolute security.

Data is retained only as long as necessary for the purposes outlined in this Policy. Account and billing data may be retained for up to six years to comply with tax and accounting requirements.

Support communications may be retained for two to three years, while analytics logs are retained for twelve to twenty-four months. Aggregated or anonymised statistics may be kept for longer periods.

Affiliate and referral records are retained for as long as you participate in the programme and thereafter as required by financial or tax law.Marketing preferences and consent records are retained for the duration of your subscription and for a reasonable period thereafter to evidence compliance with legal requirements.

Where feasible, we take steps to anonymise or aggregate personal data so that it no longer identifies you directly. Such data may be retained indefinitely for research or statistical purposes, provided it cannot reasonably be used to re-identify individuals.

Your Rights, Children’s Privacy, Third Parties, and Other Legal Notices

As a user of the Service, you may have a number of rights under applicable data protection laws, including the GDPR in the European Union and the UK GDPR. These rights may include the right to access your personal data, the right to correct inaccurate or incomplete information, the right to request the deletion of data in certain circumstances, the right to restrict processing, the right to object to processing (including processing carried out on the basis of legitimate interests or for direct marketing purposes), and the right to request a portable copy of your data in a structured, commonly used, and machine-readable format. Where processing is based on consent, you also have the right to withdraw that consent at any time, without affecting the lawfulness of prior processing.

To exercise these rights, you can contact us at info@cardturf.com . We may need to verify your identity before acting on your request to ensure that we are dealing with the correct individual. In some cases, we may be unable to comply with your request if doing so would conflict with legal obligations, contractual requirements, or the rights and freedoms of others. If you are not satisfied with our response, you may also lodge a complaint with your local supervisory authority. In Ireland, the supervisory authority is the Data Protection Commission. Our Service is intended for adults aged eighteen and over. We do not knowingly collect personal data from children. In Ireland, the digital age of consent is sixteen, and users under that age must not provide personal data through our Service without verified parental consent. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please notify us at info@cardturf.com so that we can take appropriate action. The Service may contain links to, or integrations with, third-party websites and services, including payment processors, messaging applications, printing vendors, or analytics platforms. These third parties have their own terms and privacy notices, which we encourage you to review carefully. CardTurf does not endorse and is not responsible for the privacy practices, content, or policies of third-party providers. Any personal data you provide directly to such third parties will be governed by their respective terms, and we disclaim responsibility for how such third parties handle your data. CardTurf does not engage in solely automated decision-making, including profiling, that produces legal effects concerning you or that similarly significantly affects you within the meaning of Article 22 GDPR. While we may use limited profiling or automated tools for analytics, service optimisation, or communication tailoring, these processes do not override your rights and freedoms and are subject to applicable legal requirements. Any significant automated processing would only occur with your explicit knowledge and, where required, your consent. Some web browsers offer “Do Not Track” (DNT) signals intended to allow individuals to opt out of certain tracking across websites. However, there is no established industry standard for how DNT signals should be interpreted or applied. At CardTurf, we treat DNT signals in a manner consistent with applicable law and with any cookie preference mechanisms that we make available on our site. Where local law requires explicit user consent for cookies or tracking, we will honour those preferences regardless of DNT signals. We reserve the right to update this Privacy Policy from time to time in order to reflect changes in our practices, technologies, legal obligations, or other operational reasons. When we make significant updates, we will revise the “Last updated” date at the top of this Policy and, where required by law, provide you with additional notice such as by email or in-Service announcements. Your continued use of the Service following the effective date of an updated Policy constitutes your acceptance of the changes. If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, you may contact us at info@cardturf.com . If you are based in the EEA or UK and remain unsatisfied with our response, you may escalate the matter by contacting your local supervisory authority. In Ireland, this is the Data Protection Commission. Finally, please note that this Privacy Policy is provided for the purpose of transparency and compliance and does not constitute legal advice. CardTurf may issue additional disclosures for specific features, integrations, or programmes, such as a Data Processing Addendum for processor scenarios or a detailed Cookies Policy. In the event of any conflict between this Privacy Policy and mandatory data protection law, the mandatory provisions of law will prevail. By continuing to use our Service, you confirm that you have read and understood this Privacy Policy in full and accept its terms.