Privacy Policy

The controller responsible for processing personal data through Contacly is:

If the controller is established outside the EU/EEA but offers the service to people in the EU/EEA, its EU representative under GDPR Art. 27 is: [[name and EU address, or state “not required because…”]].

Data Protection Officer (if appointed / required under GDPR Art. 37): [[contact, or “no DPO is required for our processing”]].

Contacly is a platform for controlled exchange of contact data through profiles, links, QR codes, identity/phone verification, and traceable approvals. This policy explains what personal data we process, why, on what legal basis, with whom we share it, and the rights you have.

We process personal data about two groups:

• Account users — the people who register and operate Contacly profiles.
• Contacts — third parties whose contact details are entered, requested, exchanged, or stored through the service by a user.

The categories we process are:

• Identity & contact data: name, email address, phone number, company, role, profile information.
• Account & content data: profile content, notes, decisions/approvals, vCard exports, language and settings.
• Verification data: phone-verification and OTP records, verification status and timestamps.
• Technical data: access tokens, device and browser information, IP address, and security/system logs.
• Audit data: request, approval, decision, and download events, with timestamps (the audit trail).
• Billing data (Premium): plan, transaction status and the limited payment metadata returned by our payment provider. We do not store full card numbers.

We do not intentionally collect special-category data (e.g. health, religion, political opinions) under GDPR Art. 9, and you should not enter such data into free-text fields.

Most data is provided directly by you when you register, build a profile, verify your phone, or make and approve requests. Some data is generated automatically when you use the service (e.g. logs, tokens, timestamps).

Where a user enters or shares the contact details of another person, we receive that person’s data from the user, not from the person directly. In that case the user is responsible for having a lawful basis to share it, and we make the information in this policy available to the affected person on request and, where required, proactively, in line with GDPR Art. 14.

We process personal data for the following purposes, each under the stated legal basis (GDPR Art. 6):

Where we rely on legitimate interests, you have the right to object (see Section 9). Where we rely on consent, you may withdraw it at any time without affecting processing already carried out.

Recipients. We share personal data only with service providers acting as our processors under GDPR Art. 28, bound by data-processing agreements, in these categories: hosting/cloud infrastructure, database, email delivery, SMS/OTP delivery, payment processing, monitoring/error-logging, and customer support tooling. We do not sell personal data, and we do not share it for advertising (see Section 12).

International transfers. Some of these providers process data outside Switzerland/the EU/EEA. Where that happens, we rely on an adequacy decision or on appropriate safeguards — EU Standard Contractual Clauses (and the Swiss addendum where Swiss data is involved) — a copy of which is available on request.

We keep personal data only as long as necessary for the purpose it was collected for:

• Account/profile data: for the life of the account.
• Free accounts: not deleted automatically; after 60 days without a new phone verification, the account is deactivated and stops accepting requests. After a further [[period, e.g. 12 months]] of inactivity, deactivated free accounts and their profile data are deleted.
• Premium profiles: retained while the subscription is paid; on downgrade they revert to the free-tier rules after 30 days.
• Billing/tax records: retained for the statutory period ([[e.g. 10 years]] under applicable accounting/tax law).
• Audit trail: retained after account deletion for [[defined period, e.g. 24 months / the applicable limitation period]], then deleted or irreversibly anonymised. We keep it because it evidences that contact exchanges were properly authorised (our legitimate interest and, where applicable, a legal obligation).

We apply appropriate technical and organisational measures under GDPR Art. 32, including access controls, authentication, tokenisation, encryption of data in transit and at rest, logging, and least-privilege access. No system is perfectly secure, but we maintain procedures to detect, investigate and respond to personal-data breaches, and we will notify the competent supervisory authority and affected individuals where the law requires (GDPR Arts. 33–34).

Depending on where you live, you have the following rights, which you can exercise free of charge by contacting [[privacy@contacly.com]]. We respond within one month (GDPR Art. 12(3)).

• Access to your data, and a copy of it.
• Rectification of inaccurate data and completion of incomplete data.
• Erasure (“right to be forgotten”), subject to our retention duties in Section 7.
• Restriction of processing.
• Objection to processing based on legitimate interests.
• Data portability (for data processed by consent or contract).
• Withdrawal of consent at any time, without affecting processing already carried out.

You also have the right to lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU/EEA, the authority in your country of residence.

California residents (CCPA/CPRA): you have the rights to know, delete, and correct, and the right to opt out of “sale” or “sharing.” We do not sell or share personal information as those terms are defined under the CCPA, and we will not discriminate against you for exercising your rights.

Contacly uses only strictly necessary cookies and local storage — for sessions, login state, language, security and PWA functionality. These are required to run the service and do not need consent. We do not use analytics, advertising, or tracking cookies. If we ever introduce non-essential cookies, we will request your consent first through a cookie banner.

We may update this policy when the service, our providers, or legal requirements change. We will update the “Last updated” date above, and for material changes we will notify account users in advance by email or in-app notice. The current published version governs.

Contacly uses no advertising trackers, advertising cookies, or behavioural profiling for advertising. We do not sell or share personal data, including for advertising. Technical logs are used only for operating, securing, troubleshooting and auditing the service.