Privacy Policy

Last updated: 4 July 2026. Data controller: 12 Hobbies Studio, a business based in England and Wales. Contact: privacy@zappt.io.

1. Who we are

12 Hobbies Studio operates Zappt, a digital business card service linked to physical cards. We are the data controller for account and card data. For cards created by an organisation for its staff, the organisation is the controller and we act as processor.

2. What we collect

  • Account data: email, name, hashed password, role, company membership, security factors (2FA/passkey/certificate metadata - never private keys).
  • Card content: the details you put on a card (name, title, company, contact links, photo/logo/cover images).
  • Subscription/billing: plan, status and dates. Card payment details are handled entirely by our payment provider - we never see or store card numbers.
  • Analytics: privacy-preserving card view/scan counts. These hold no IP address, no user-agent and no cookies - only which card, when, how it was reached, and a coarse referrer host. Honours Do-Not-Track / Global Privacy Control.
  • Security logs: an audit log of privileged actions (IP + user agent) kept for security and accountability.

3. Lawful bases (UK/EU GDPR)

  • Contract: providing your account, cards and subscription.
  • Legitimate interests: securing the service, preventing abuse, basic non-identifying analytics.
  • Consent: optional marketing only (withdraw any time in Privacy & data).
  • Legal obligation: tax/accounting records.

4. Sharing

We share data only with processors needed to run the service: Stripe and/or Paddle (payment processing), our transactional email provider, our UK-based hosting provider, and - if configured - a Sentry-compatible error monitor. Each is bound by a data processing agreement. A public card is, by design, public to anyone with its link/QR.

5. International transfers

Some processors operate outside the UK/EEA - for example payment providers and, if you use social login, Google in the United States. Where data is transferred internationally, transfers rely on the UK IDTA / EU SCCs and adequacy decisions.

6. Retention

Account and card data are kept while your account is active. On deletion we erase your personal data (see your right to erasure below); non-identifying analytics rows are removed with the card, and minimal financial records are retained as legally required.

7. Your rights

You can access, export, rectify, erase and restrict your data, and object to processing. The app provides self-service export and account deletion under Privacy & data. You may complain to the ICO (or your local supervisory authority).

8. Security

Passwords are bcrypt-hashed; optional 2FA, passkeys and smartcard (PIV) sign-in are available; transport is HTTPS with strict security headers and a Content-Security-Policy. See our security practices summary (https://developers.google.com/terms/api-services-user-data-policy).

9. Children

The service is not directed at children under 16. We do not knowingly collect their data.

10. Changes

We will post changes here and, for material changes, notify account holders by email.