Privacy Policy

1. Introduction

Tag My Link ("we", "us", or "our") is committed to protecting your personal data and your right to privacy. This Privacy Policy explains how we collect, use, and share information when you use our marketing website, our web application (the platform), and our digital business card services.

2. Scope

This policy applies to all information collected through:

• Our marketing website: tagmylink.com
• Our web application and platform: tagmy.link
• Interactions with Tag My Link NFC tags or QR codes.

3. Information Collected

a. Account Data

When you register for an account, we collect your full name, email address, company name, job role, and phone number. If you register via social login (Google or LinkedIn), we collect identifiers from those providers.

b. Profile Content

We collect content you choose to include on your digital business cards, such as images (profile picture, logos), links, social media handles, and business descriptions.

c. Transaction Data

If you purchase a premium plan, we collect billing information. Payment processing is handled by our third-party payment provider. We do not store your full payment card details.

d. Usage and Analytics Data

We automatically collect information about how you interact with our services, including page views, feature usage, and device information, primarily through Google Analytics.

e. NFC/QR Scan and Card Interaction Data

When someone views or interacts with a Tag My Link digital card (via NFC tap, QR scan, or direct link), we collect the timestamp of the interaction, the viewer's IP address (used to count unique visits), and which buttons or links were clicked on the card. We do not request device permissions (camera, location) from the person viewing the card. This data powers the card owner's analytics dashboard.

If the person viewing the card is a logged-in Tag My Link user, their user ID is also associated with the interaction.

If a corporate account is used, the organization's administrators may also have access to interaction data associated with their team members' cards, as part of their team management capabilities.

f. Contact Details Shared via Digital Cards

When someone shares their contact details through a Tag My Link digital card (e.g., by submitting a contact exchange form), those details are stored and associated with the card owner's account. By sharing their details, the person consents to their information being stored and shared with the card owner and, if applicable, their organization. We do not add these contacts to marketing lists or send them unsolicited communications. The card owner is responsible for using collected contacts in accordance with applicable law.

Where AI-assisted contact scanning is used (e.g., scanning a physical business card via the in-app camera), the captured image is processed by a GDPR-compliant AI service solely for the purpose of extracting contact information. The AI service does not retain the image after processing. The extracted contact data and image may be saved to your contact record within the app.

g. Contact Form Submissions (Website)

Information submitted via our website contact forms is processed via Netlify Forms and synchronized with Brevo for communication management.

4. Legal Basis for Processing

Under the GDPR (Article 6), we process your data based on:

• Contractual Necessity: To provide the services you signed up for (account management, profile hosting, payment processing).
• Legitimate Interest: To improve our platform, ensure security, analyze service performance, and provide card owners with interaction analytics.
• Consent: For marketing communications and the use of non-essential cookies. You can withdraw consent at any time.

For non-registered users who interact with a digital card: we process their IP address and interaction data on the basis of our legitimate interest in providing card owners with meaningful analytics, while minimizing the data collected to what is strictly necessary for that purpose.

5. How We Use Data

We use your information to:

• Provide and maintain our services.
• Process transactions and manage subscriptions.
• Provide card owners with analytics on their card performance.
• Process contact information shared via card exchange forms.
• Analyze usage patterns to improve user experience.
• Send technical notices, updates, and support messages.
• Communicate with you about products, services, and events (with your consent).

6. Cookies

We use essential cookies for session management and functional cookies for preferences. We use Google Analytics for performance tracking, which is only activated after you provide explicit consent via our cookie consent banner (powered by Cookiebot). You can manage or withdraw your cookie preferences at any time via the Cookiebot settings panel.

7. Data Sharing & Subprocessors

We share data with the following categories of third-party service providers to deliver our services. All processors are contractually bound to handle data in compliance with GDPR:

• Website hosting: EU-based cloud infrastructure provider
• Application hosting: EU-based cloud infrastructure provider
• Email & marketing communications: Brevo (Sendinblue)
• Analytics: Google Analytics
• Payment processing: Stripe
• Social authentication: Google, LinkedIn
• Bot protection: Google reCAPTCHA
• AI contact extraction: GDPR-compliant AI service (image processed for contact extraction only; not retained after processing)

8. International Transfers

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission. All our subprocessors are either based in the EEA, covered by an EU adequacy decision, or bound by SCCs.

9. Data Retention

We retain account data for as long as your account is active. You may request deletion at any time by contacting us at info@tagmylink.com. Analytics and interaction data is retained for up to 2 years. Upon a valid deletion request, we perform permanent removal of your personal data from our systems.

10. User Rights (GDPR)

You have the following rights regarding your personal data:

• Access: Request a copy of your data.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your data (Right to be Forgotten).
• Portability: Request transfer of your data to another service.
• Object / Restrict: Object to or restrict certain processing activities.
• Withdraw Consent: Revoke consent previously given for processing.

To exercise any of these rights, contact us at dpo@tagmylink.com. We will respond within 30 days.

11. Children

Our services are not intended for individuals under the age of 16. We do not knowingly collect data from children.

12. Security

We implement industry-standard security measures to protect your data, including encrypted data transmission, access controls, hashed credential storage, and token-based authentication. We regularly review our security practices to maintain appropriate protection.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information and Data Protection Commissioner (IDPC) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay.

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

15. Data Processing Agreements

Enterprise customers who require a Data Processing Agreement (DPA) as part of their compliance obligations can request one by contacting info@tagmylink.com.

16. Changes to This Policy

We may update this policy from time to time. Significant changes will be notified via email or a prominent banner on our website.

17. Contact Us

For any privacy-related questions or to exercise your rights, contact us at:

Email: info@tagmylink.com or dpo@tagmylink.com

18. Supervisory Authority

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) in Malta (idpc.org.mt).

19. Governing Law

This Privacy Policy is governed by the laws of Malta.