Short version: We collect only what we need to run your digital business card. We do not sell your data, show you ads, or share your information with third parties for marketing. You can download or delete all your data at any time.
OBCP (Online Business Card Platform) operates the OBCP service available at this domain. As the data controller, we are responsible for how your personal data is collected, used, and protected under the EU General Data Protection Regulation (GDPR) and applicable national laws.
For privacy questions or to exercise your rights, contact us at: privacy@obcp.io
| Data | Why we collect it | Legal basis (GDPR) |
|---|---|---|
| Name, email address | Create and identify your account | Art. 6(1)(b) — performance of contract |
| Profile photo, job title, company, bio, social links | Display your public business card | Art. 6(1)(b) — performance of contract |
| Phone number, website | Optional contact info on your card | Art. 6(1)(b) — performance of contract |
| Card view counts, link click counts | Show you how your card is performing | Art. 6(1)(f) — legitimate interest |
| Hashed (pseudonymised) IP address | Prevent duplicate view/click counting; rate limiting to protect the service | Art. 6(1)(f) — legitimate interest |
| Session cookie (obc_session) | Keep you logged in | Art. 6(1)(b) — strictly necessary for the service |
| Google account ID and profile picture | Authenticate you via Google Sign-In | Art. 6(1)(b) — performance of contract |
| Saved cards list | Remember the cards you have saved | Art. 6(1)(b) — performance of contract |
What we do NOT collect: advertising identifiers, precise geolocation, device fingerprints, browsing history outside our platform, or any data for advertising purposes.
When your card is viewed or a link is clicked, we record a one-way hash of the visitor's IP address (SHA-256 with a server-side secret). The raw IP address is never written to our database. The hash allows us to count unique views without storing personal data, and it cannot be reversed to identify the original IP.
We use one cookie: obc_session. It is a strictly necessary session cookie used solely to keep you logged in. It is HttpOnly (not accessible to JavaScript), is set to Secure on HTTPS, and expires after 7 days of inactivity.
We do not use advertising cookies, analytics cookies (e.g. Google Analytics), or any third-party tracking cookies.
We use Google OAuth 2.0 for sign-in. When you authenticate with Google, Google processes your email, name, and profile picture under their own Privacy Policy. We have accepted Google's Data Processing Terms as required by GDPR.
Our servers are hosted on cloud infrastructure. Our hosting provider acts as a data processor under a Data Processing Agreement with us and may not use your data for any other purpose.
| Data type | Retention period |
|---|---|
| Account and profile data | Until you delete your account |
| Card view / click records | Until you delete your account |
| Notifications | Until you delete your account |
| Session cookies | 7 days from last activity (browser-managed) |
| Server logs | Up to 30 days (hosting provider standard) |
If you are in the EU/EEA, you have the following rights. You can exercise most of them directly from your account dashboard.
To exercise any right not available in the dashboard, email privacy@obcp.io. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection supervisory authority (e.g. the ICO in the UK, CNIL in France, BfDI in Germany).
We implement appropriate technical safeguards including: HTTPS-only transmission, HttpOnly and Secure session cookies, bcrypt password hashing, IP pseudonymisation, rate limiting to prevent automated abuse, and brute-force login protection. No system is 100% secure; if we detect a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.
OBCP is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at privacy@obcp.io and we will delete the account promptly.
Our servers are located in the EU/EEA. If we transfer data outside the EEA (e.g. via Google's infrastructure), we ensure adequate safeguards are in place (Standard Contractual Clauses or adequacy decisions under GDPR Art. 46).
We will post updated policies on this page and update the date at the top. For material changes we will notify you via the in-app notification system at least 14 days before the change takes effect.
Data controller: OBCP
Privacy enquiries: privacy@obcp.io
For account deletion or data export: use the controls in your profile dropdown, or email us.