Privacy Policy
Last updated: February 16, 2026 · BETA
This Privacy Policy explains how My Nexus Card, a sole proprietorship operated by George Tabora (6550 Rock Spring Dr., Bethesda, MD 20817, USA), collects, uses, and shares information when you use the Service. Contact: georgeatabora@gmail.com.
1. Information we collect
From you directly:
- Account info — name, email, password hash (or Google OAuth profile).
- Profile info — title, company, phone, website, LinkedIn, bio, tagline, photo.
- Your Content — contacts you add or scan (names, emails, phones, companies, notes, tags, event assignments, interaction history), templates you write, campaigns you build, referrals you collect.
- Business-card images you upload or capture (processed via AI, then discarded — see §3).
- Payment info — handled directly by Stripe; we never see or store your card number.
Collected automatically:
- Log data — IP address, browser/device, timestamps, pages visited, errors.
- Authentication cookies / JWT tokens to keep you logged in.
- Aggregate usage analytics (no third-party trackers like Facebook Pixel).
2. How we use information
- To provide and operate the Service (store contacts, send emails/SMS on your command, run AI scans).
- To process payments and prevent fraud.
- To send transactional notifications (account changes, billing, security alerts).
- To respond to support requests.
- To improve the Service via aggregate, de-identified analytics.
- To comply with law and enforce our Terms.
We do not sell your data or Your Content. We do not train third-party AI models on Your Content.
3. AI processing of card images
When you scan a business card, the image is sent to Google LLC's Gemini API for text extraction. Google processes the image only to return structured contact data and (per Google's enterprise API policy) does not use it to train its models. The image is not stored on our servers; only the extracted text is saved (under your account, as a contact). AI message drafts work the same way: your prompt and a brief context are sent to Gemini and the response returned to you.
4. Third-party processors (sub-processors)
The Service depends on these vendors. Each has its own privacy policy:
- Stripe, Inc. — payments & billing
- Resend, Inc. — email delivery (recipient email + content)
- Twilio Inc. — SMS delivery (recipient phone + content)
- Google LLC — Gemini AI; Google OAuth (if you choose)
- MongoDB, Inc. — database hosting
- Cloud infrastructure provider (Kubernetes-based hosting)
5. Sharing of information
We share information only:
- With the sub-processors listed above, strictly to operate the Service.
- If you publish a public digital business card, the profile fields you elect to show (name, title, company, phone, website, LinkedIn, bio, tagline) are publicly accessible at the URL you share.
- If you enable "Referral mode," visitors of your public card may submit a referral that creates a contact in your account.
- If required by law, valid legal process, or to protect our rights, safety, or property.
- In connection with a future business sale or transfer; you'll be notified of any change in data controller.
6. Data retention
- Account & Your Content — retained while your account is active, plus 30 days after cancellation for recovery, then permanently deleted (except as required by law).
- Payment records — retained for 7 years for tax/accounting compliance.
- Log data — typically 90 days.
- Card images — not stored beyond the immediate AI extraction (seconds).
7. Your rights
Depending on where you live (US: CCPA/Maryland; EU/UK: GDPR; Canada: PIPEDA), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — fix inaccurate data (you can edit most of it directly in-app).
- Deletion — request erasure (subject to legal retention).
- Portability — receive your data in a portable format.
- Opt-out — of any non-essential communications.
- No-sale — we do not sell personal data; California residents have the right to confirm this.
To exercise any right, email georgeatabora@gmail.com. We respond within 30 days. We may verify your identity before processing the request.
8. Contacts you upload (third-party data)
When you scan or import contact information about another person, you act as the data controller for that information. You represent that you have a lawful basis to process it (e.g., they handed you a card, consented to follow-up, or another legitimate interest). If a person whose data you hold contacts us directly, we will refer them to you and may delete their record if required by law.
9. Security
We use HTTPS in transit, encrypted databases at rest, hashed passwords (bcrypt), JWT tokens, and least-privilege access. No system is 100% secure; you use the Service at your own risk. Report vulnerabilities to georgeatabora@gmail.com.
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, contact us and we'll delete the account.
11. International users
The Service is hosted in the United States. By using it, you consent to the transfer of your data to the U.S. We rely on Standard Contractual Clauses or equivalent mechanisms for EU/UK data transfers handled by our sub-processors.
12. Cookies & tracking
We use essential cookies / localStorage for authentication only. We do not use advertising trackers, social-media pixels, or third-party analytics that profile you across the web.
13. Changes to this policy
We may update this Privacy Policy. Material changes will be announced via in-app notice or email at least 14 days before taking effect.
14. Contact
Privacy questions, requests, or complaints: George Tabora — georgeatabora@gmail.com — 6550 Rock Spring Dr., Bethesda, MD 20817, USA.