GDPR & Data Protection Compliance
Last updated: January 27, 2025
At Prexmo, we are committed to protecting your personal data and ensuring compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws worldwide. This document outlines our compliance measures and your rights regarding your personal data.
This GDPR Compliance Policy should be read in conjunction with our Privacy Policy and Terms and Conditions.
1. Legal Basis for Processing
We process your personal data based on the following legal bases under GDPR:
- Consent: When you provide explicit consent for specific processing activities (e.g., marketing communications, analytics cookies)
- Contract Performance: To fulfill our contractual obligations when you use our digital business card service, create an account, or subscribe to premium features
- Legal Obligation: To comply with legal requirements, such as tax obligations, fraud prevention, and data retention requirements
- Legitimate Interests: For business operations, security, fraud prevention, and service improvement, where our interests do not override your rights
2. Types of Personal Data We Collect
2.1 Account and Registration Data
When you register or sign up for our service, we collect:
- Email address
- Name (first and last)
- Phone number
- Password (encrypted and hashed)
- Profile picture
- Authentication tokens (for social login: Google, Facebook, etc.)
2.2 Digital Business Card Data
When you create a digital business card, we collect and store:
- Contact information (name, phone, email, address)
- Professional information (company, job title, bio)
- Social media links and profiles
- Website URLs and portfolio links
- Profile images and company logos
- Custom fields and additional information you choose to add
- Card design preferences and customization settings
- QR code data and sharing analytics
2.3 Payment and Subscription Data
For payment processing and subscriptions, we collect:
- Billing address
- Payment method information (processed securely by third-party payment processors)
- Subscription plan details
- Transaction history
- Invoice information
Note: We do not store full credit card numbers. Payment processing is handled by secure, PCI-DSS compliant third-party payment processors.
2.4 Usage and Analytics Data
We collect technical and usage information:
- IP address
- Browser type and version
- Device information
- Operating system
- Pages visited and time spent
- Referral sources
- Card view analytics (for premium users)
- Click and interaction data
3. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
3.1 Right of Access
You have the right to request access to your personal data and receive a copy of the data we hold about you. You can access most of your data through your account dashboard.
3.2 Right to Rectification
You can correct, update, or modify your personal data at any time through your account settings or by contacting us directly.
3.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data. We will delete your data unless we have a legal obligation to retain it (e.g., for tax purposes, fraud prevention, or legal disputes).
3.4 Right to Restrict Processing
You can request that we limit how we use your personal data in certain circumstances.
3.5 Right to Data Portability
You can request a copy of your data in a structured, machine-readable format. You can export your digital business card data through your account dashboard.
3.6 Right to Object
You can object to processing of your personal data for direct marketing purposes or based on legitimate interests.
3.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw your consent at any time. This includes cookie preferences and marketing communications.
3.8 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority if you believe we have violated your data protection rights.
4. How to Exercise Your Rights
You can exercise your rights by:
- Accessing your account dashboard to view, update, or delete your data
- Using the cookie consent preferences to manage cookie settings
- Contacting us directly at support@prexmo.com
- Visiting our Contact Us page
We will respond to your request within 30 days (or as required by applicable law).
5. Data Processing and Storage
5.1 Data Location
Your personal data is processed and stored on secure servers. While our primary servers may be located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other appropriate safeguards as required by GDPR
5.2 Data Retention
We retain your personal data for:
- Account Data: For the duration of your account and up to 7 years after account closure for legal and tax purposes
- Digital Business Card Data: Until you delete your card or account
- Payment Data: As required by law (typically 7 years for tax and accounting purposes)
- Analytics Data: Aggregated and anonymized data may be retained indefinitely
- Marketing Data: Until you unsubscribe or withdraw consent
6. Data Sharing and Third Parties
6.1 Service Providers
We share data with trusted service providers who help us operate our platform:
- Cloud Hosting Providers: For secure data storage and hosting
- Payment Processors: For secure payment processing (PCI-DSS compliant)
- Email Service Providers: For transactional and marketing emails
- Analytics Providers: For website analytics (only with your consent)
- Customer Support Tools: For providing customer support
6.2 Data Processors and Subprocessors
All third-party processors are bound by data processing agreements that comply with GDPR requirements. They are only permitted to process your data for specified purposes and must implement appropriate security measures.
6.3 List of Subprocessors
The following is a list of our subprocessors that may process your personal data:
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| Appwrite (Backend-as-a-Service) | User authentication, database storage, file storage, serverless functions | EU/US (configurable) | Account data, digital business card data, user files, authentication tokens |
| Payment Processors (Stripe, PayPal, or similar) | Payment processing, subscription management | Global (PCI-DSS compliant) | Billing information, payment method details (encrypted), transaction history |
| Google Analytics (Analytics Platform) | Website analytics, user behavior tracking | US (with EU Standard Contractual Clauses) | Usage data, IP addresses, device information (only with consent) |
| Email Service Providers (SendGrid, Mailgun, or similar) | Transactional emails, marketing communications | US/EU | Email addresses, email content, delivery status |
| Cloud Storage Providers (AWS S3, Google Cloud Storage, or similar) | File storage, image hosting, backups | Global (configurable regions) | Profile images, company logos, uploaded files, backup data |
| Customer Support Tools (Intercom, or similar) | Customer support, live chat, help desk | US/EU | Support tickets, chat transcripts, user contact information |
| Social Media Platforms (Google, Facebook, LinkedIn) | Social login, OAuth authentication | Global | Authentication tokens, basic profile information (with your consent) |
Subprocessor Updates: We may update this list from time to time. When we add a new subprocessor, we will update this page and notify you if required by law. You can object to the use of a new subprocessor by contacting us at support@prexmo.com.
6.4 Digital Business Card Sharing
When you share your digital business card, the information you include in your card is visible to anyone who accesses it through your shared link or QR code. You control what information to include and can update or remove it at any time.
8. Security Measures
We implement comprehensive security measures to protect your data:
- Encryption in transit (SSL/TLS)
- Encryption at rest for sensitive data
- Secure authentication and password hashing
- Regular security audits and updates
- Access controls and authentication
- Data backup and disaster recovery
- PCI-DSS compliance for payment processing
- Regular penetration testing
- Employee security training
- Incident response procedures
9. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules where applicable
- Other mechanisms approved by GDPR
All data transfers are conducted in accordance with GDPR requirements and include appropriate technical and organizational measures to protect your data.
10. Children's Privacy
Our service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at support@prexmo.com.
11. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Notify affected users without undue delay
- Provide information about the nature of the breach
- Explain the measures taken to address the breach
- Provide recommendations for affected users
12. Changes to This Policy
We may update this GDPR Compliance Policy from time to time. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date. For material changes, we may also notify you via email or a prominent notice on our Service.
13. Contact Information
For questions, concerns, or to exercise your rights regarding your personal data, please contact us:
- Data Protection Officer/General Support: support@prexmo.com
- Contact Page: Contact-us
Company Address: Prexmo, Gujarat, India
14. Additional Rights for Specific Regions
14.1 California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell your personal information.
14.2 Other Jurisdictions
We comply with applicable data protection laws in all jurisdictions where we operate, including but not limited to:
- GDPR (EU/EEA)
- CCPA (California)
- PIPEDA (Canada)
- LGPD (Brazil)
- PDPA (Singapore)
- Other regional data protection regulations