Privacy Policy
Effective date: 5 April 2026
Data Controller
The data controller under GDPR is: Visipass UG (haftungsbeschränkt), Am Kreuzsteinacker 15D, 79117 Freiburg im Breisgau, Germany, represented by Managing Director Tim Landsberger. Email: admin@visipass.de
1. Overview
VisiPass ("we", "us", "our") operates the VisiPass digital business card service at visipass.de. This policy explains what data we collect, why we collect it, and how we protect it. We keep it simple because the product is simple.
2. Data We Collect
Account data
When you sign up, we collect your email address and a hashed password. You may optionally sign in with a third-party OAuth provider (e.g. Google), in which case we receive your email and display name from that provider.
Business card data
The contact information you enter on your card — name, job title, company, email, phone, website, LinkedIn URL, and bio — is stored in our database. This data is what gets embedded into your Google Wallet pass and displayed on your public share page.
Wallet passes
Generated Google Wallet passes are stored in our cloud storage, linked to your account. Google passes are signed with a service account key. Google does not receive your personal data beyond what's embedded in the pass itself. Apple Wallet passes are generated on-demand and delivered directly to your device — Apple does not receive your personal data beyond what's embedded in the pass itself.
Billing data
Payment is processed by Stripe. We store your Stripe customer ID and subscription status in our database, but never store raw card numbers or sensitive payment details — those are handled entirely by Stripe.
Usage data
We may collect basic server logs (IP address, browser type, pages visited) for debugging and security purposes.
Analytics services (consent-based)
With your consent, we use the following third-party analytics services: (1) Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) — to analyze website usage and user behavior. Legal basis: Art. 6(1)(a) GDPR (consent). (2) Vercel Analytics and Vercel Speed Insights (Vercel Inc., 340 Pine Street Suite 900, San Francisco, CA 94104, USA) — to measure web performance metrics (Core Web Vitals) and page views. Legal basis: Art. 6(1)(a) GDPR (consent). No analytics tracking occurs before you give your consent via the cookie banner. You may withdraw your consent at any time.
Event lead capture
VisiPass provides an event lead capture feature. When another VisiPass user scans your QR code at an event, your card data (name, email address, phone number, job title, company) is stored in that user's contact list and linked to an event session. This processing is inherent to the nature of digital business cards — presenting your QR code at an event is the digital equivalent of handing over a physical business card. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in professional networking). You may request deletion of your stored contact data at any time by contacting admin@visipass.de.
Event campaigns — follow-up emails
VisiPass users may, as part of the event campaigns feature, send personalised follow-up emails to event contacts who have explicitly opted in to receiving such an email at scan time (opt-in checkbox). Data processed about the contact: name and email address. Legal basis: Art. 6(1)(a) GDPR (consent). Data processor for email delivery: Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA — data transfer to the USA on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR). Every follow-up email contains an unsubscribe link through which consent may be withdrawn at any time with effect for the future. Retention: until consent is withdrawn or the contact is deleted by the capturing user.
Enterprise SCIM provisioning (Business and Teams plans)
Organisations may synchronise their VisiPass user management with their internal identity provider (IdP) via SCIM 2.0 (System for Cross-domain Identity Management). In this case, employee data — specifically first and last name, work email address, job title, phone number, and an external identifier (externalId) from the IdP — is automatically provisioned into VisiPass. Categories of data: name, email address, job title, phone number, externalId. Source of the data: the organisation's identity provider (e.g. Okta, Microsoft Entra ID, Google Workspace). In this context, the organisation acts as the data controller under Art. 4(7) GDPR for the processing of its employees' data; VisiPass processes this data solely as a data processor under Art. 28 GDPR on the organisation's instructions. The legal basis for VisiPass as processor derives from the Data Processing Agreement (DPA) concluded with the respective organisation. The obligation to inform the affected employees under Art. 14 GDPR lies with the organisation as controller. Retention: employee data is deleted when the user is deprovisioned by the IdP or the organisation's subscription ends. Audit log entries — which may contain the action type, timestamp, and associated user identifiers (name, email address) — are retained for 90 days after deprovisioning for security and compliance purposes and are then automatically purged.
Contact import (CSV and vCard migration)
VisiPass users may import existing contact lists into their VisiPass contact list via CSV files or vCard files (.vcf) using the migration toolkit. This involves processing data belonging to the imported contact persons, who have no direct relationship with VisiPass (third-party data subjects under Art. 14 GDPR). Categories of data processed: name, email address, phone number, job title, company, and — where included — LinkedIn URL. Source of the data: CSV or vCard files exported by the importing user from another service. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the importing user in professional contact management and network maintenance). The importing user bears responsibility for ensuring they have a sufficient legal basis to process the imported contact data (e.g. prior consent from the contact person or a legitimate interest arising from a professional exchange). Imported contact data is stored solely in the importing user's account and is not shared with other users. Retention: until deleted by the user or upon account deletion.
Contact export (CSV and vCard)
VisiPass users may download their stored contacts at any time as a CSV file or as a vCard file (.vcf) to their own device. Categories of data exported: name, email address, phone number, job title, company, LinkedIn URL, and optional notes. Purpose: data portability for the account holder (personal data management and continued use outside VisiPass). Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the account holder in the portability of their professional network data). Exported data is transferred solely to the user's own device; VisiPass does not transmit this data to any third party. The user is independently responsible for any further processing of the exported data. Affected contact persons may request deletion of their data stored in VisiPass at any time by contacting admin@visipass.de.
Contact Engagement Analytics (Pro users only)
VisiPass offers Pro users a contact engagement analytics feature. Stored scan events (scan_events) — specifically the scanner's email address (scanner_email) and the scan timestamp (scanned_at) — are matched against the card holder's contact list. For each contact whose email address corresponds to a scan event, the following metrics are calculated and displayed to the card holder: (1) total view count, (2) last viewed timestamp, (3) number of views in the last seven days, and (4) a "Hot Lead" indicator if a contact has viewed the profile three or more times in the last seven days. Purpose: to help the card holder prioritise their network contacts by engagement level. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the card holder in analysing contact engagement with their digital business card). As the data subject (the contact whose profile visits are analysed), you have the right to object to this processing under Art. 21 GDPR by contacting admin@visipass.de. Retention: until the contact or the card holder account is deleted.
Follow-Up Email Tracking (Opens and Clicks)
When a card owner has enabled the automatic follow-up email feature and a follow-up email is sent, Resend (acting as a data processor for VisiPass) embeds a tracking pixel that records the time of the first email open (stored as opened_at), and tracked links that record the time of the first click (stored as clicked_at). These tracking data are stored in the VisiPass database and shown to the card owner exclusively as aggregated metrics (open rate, click rate) in their dashboard. Tracking data are not shared with third parties or used for advertising purposes. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the card owner in measuring the effectiveness of their follow-up communication). As a data subject, you have the right to object to this processing under Art. 21 GDPR; please contact admin@visipass.de. Open tracking can be technically prevented by disabling automatic image loading in your email client. Retention period: until the follow-up email record is deleted or the card owner's account is closed.
Newsletter Signup
When you subscribe to our newsletter via the newsletter form or our exit-intent popup, we collect your email address and an anonymized hash of your IP address as proof of consent. Data is retained until you withdraw your consent. Legal basis: Art. 6(1)(a) GDPR (consent).
3. Legal Basis for Processing (Art. 13(1)(c) GDPR)
- Account creation and service delivery → Art. 6(1)(b) GDPR (contract performance)
- Wallet pass generation → Art. 6(1)(b) GDPR (contract performance)
- Payment processing via Stripe → Art. 6(1)(b) GDPR (contract performance)
- Transactional emails (password reset, receipts) → Art. 6(1)(b) GDPR (contract performance)
- Server logs / security monitoring → Art. 6(1)(f) GDPR (legitimate interest)
- Analytics (GA4, Vercel Analytics) → Art. 6(1)(a) GDPR (consent)
- Newsletter / marketing emails → Art. 6(1)(a) GDPR (consent)
- Event lead capture (card data of scanned contacts; for Teams users: additionally lead rating (hot/warm/cold) and answers to qualifier questions configured by the card owner — this constitutes profiling within the meaning of Art. 4(4) GDPR) → Art. 6(1)(f) GDPR (legitimate interest: professional networking and lead qualification)
- Trial emails (onboarding nudges and expiry notifications during the free trial period) → Art. 6(1)(b) GDPR (contract performance / pre-contractual measures)
- Follow-up reminders (automated notification emails to the user when a contact is due for follow-up; contact data included in email: the contact's name, job title, and company) → Art. 6(1)(b) GDPR (performance of contract)
- Outlook contact synchronization (if the Microsoft 365 integration has been enabled) → Art. 6(1)(b) GDPR (contract performance)
- Event campaigns — follow-up emails to event contacts (name, email address; only where consent has been given, with unsubscribe link in every email) → Art. 6(1)(a) GDPR (consent)
- Relationship Intelligence — automated categorisation of stored contacts (hot/warm/cold) based on the date of contact creation to help prioritise networking follow-ups (available from Pro tier) → Art. 6(1)(b) GDPR (contract performance)
- Enterprise SCIM provisioning (employee data provisioned by the organisation's IdP) → Art. 6(1)(b) GDPR (contract performance) — VisiPass processes this data as a processor; the controller is the respective organisation
- Contact import via CSV/vCard (data of imported third-party contacts; source: CSV or vCard files provided by the user) → Art. 6(1)(f) GDPR (legitimate interest: professional contact management and network maintenance)
- Contact export as CSV or vCard (stored contact data of the user; downloaded to their own device) → Art. 6(1)(f) GDPR (legitimate interest: data portability and independent contact management)
- Share page visits (interaction type, device info/user agent, referrer URL, country, city, pseudonymised IP address as SHA-256 hash; contact link clicks with link type, referrer, and country) → Art. 6(1)(f) GDPR (legitimate interest: usage analytics for the card owner; right to object under Art. 21 GDPR)
- Contact engagement analytics — Pro users only (scanner email from scan_events, scan timestamps; derived: total view count, last viewed, views in last 7 days, hot lead status) → Art. 6(1)(f) GDPR (legitimate interest of the card holder in engagement analytics; right to object under Art. 21 GDPR)
- Scan notification emails — notifications to the card owner when their digital business card is viewed (card owner email address; data transmitted per notification: timestamp of the view, scan source — QR code, NFC, wallet, or link — and, where available, city and country of origin from IP geolocation by Vercel) → Art. 6(1)(b) GDPR (performance of contract); opt-out available at any time via notification settings in the dashboard or the unsubscribe link in each email
- Follow-up email tracking — first-open and first-click timestamps per follow-up email (captured via Resend webhooks; shown exclusively as aggregated open rate and click rate in the card owner dashboard) → Art. 6(1)(f) GDPR (legitimate interest of the card owner in measuring follow-up communication effectiveness; right to object under Art. 21 GDPR)
- Newsletter signup — email address and anonymized IP hash (collected via newsletter form or exit-intent popup as proof of consent) → Art. 6(1)(a) GDPR (consent; can be withdrawn at any time via the unsubscribe link in each email)
- Weekly card performance digest — card owner's email address, aggregated card scan statistics for the past 7 days (total views, week-over-week delta, action type breakdown, top country for Pro users, per-card view counts) for weekly delivery of the performance report to active users → Art. 6(1)(f) GDPR (legitimate interest of the card owner in monitoring card performance; right to object under Art. 21 GDPR; opt-out at any time via notification settings in the dashboard or the unsubscribe link in each email)
- In-app notifications for contact downloads — when a visitor downloads the digital business card as a vCard file (saves contact), the card owner is notified via an in-app notification system in the dashboard. Data stored: timestamp of the download and, where determined by Vercel, the visitor's country of origin and device type (e.g. "iPhone" or "Android"). Pro users can view country and device type in the dashboard. The visitor is not individually identified; no personal details such as the visitor's name or email address are stored. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the card owner in knowing when their contact is saved; right to object under Art. 21 GDPR). Retention: until deletion of the card owner's account.
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.
4. Public Share Pages
Your card is accessible at visipass.de/p/[shareId] via a short, randomly-generated ID. This URL is public by design — sharing it is the core function of the product. If you delete your account, your public share page is removed. Optionally, you may choose a username to make your profile also accessible at visipass.de/u/[username]. This personalised profile page displays your username and display name publicly and may be indexed by search engines. Setting a username is an optional feature that you actively enable; you can remove your username at any time in your account settings. Legal basis: Art. 6(1)(b) GDPR (contract performance).
Visits to public share pages are recorded for the card owner's analytics purposes. The following data is collected: interaction type (e.g. page view, add to Google Wallet, download contact file, share via WhatsApp/SMS), device information (user agent, max. 512 characters), referrer URL (source page, max. 1,024 characters), country of origin (from Vercel geo-location header), city of origin, and a pseudonymised IP address (SHA-256 hash; the original IP address is not stored). Clicks on contact links (email, phone, website, LinkedIn) are also recorded with link type, referrer, and country. This data is accessible only to the card owner via the VisiPass dashboard and is not shared with third parties. Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the card owner in analysing how their card is used). As a data subject (visitor to the public share page) you have the right to object to this processing under Art. 21 GDPR; please contact admin@visipass.de. Retention: until the card owner's account is deleted.
5. Cookies
We use a session cookie to keep you logged in, and a cookie to remember your cookie preference. We do not use tracking or advertising cookies. On your first visit, a consent banner is shown where you can actively accept or decline. Analytics cookies are only set after you have given explicit consent (TTDSG §25, Art. 7 GDPR).
6. Data Retention and Storage Periods (Art. 13(2)(a) GDPR)
Your data is retained as long as your account is active. When you delete your account, your data is removed within 30 days. Retention periods in detail: Account and business card data — until account deletion; Billing records — 10 years (HGB §257, AO §147); Server logs — max. 30 days; Newsletter consent — until unsubscribed; Analytics data — per provider policy (Google: 14 months); Event lead capture contacts (stored in other users' accounts) — until deleted by the capturing user or upon their account deletion; Business card photos (Card Scanner) — deleted immediately after AI processing, not permanently stored; Share page scan and click data (card_scans, card_clicks, scan_events) — until the card owner's account is deleted.
7. Third-Party Processors and Data Transfers (Art. 13(1)(e) GDPR)
The following processors have access to your data:
(1) Supabase (Supabase Inc.) — database hosting in region eu-central-2 (Zurich, Switzerland); data transfer to Switzerland based on the EU Commission adequacy decision pursuant to Art. 45 GDPR; DPA available at supabase.com/legal/dpa.
(2) Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland / Stripe Inc., San Francisco, USA) — payment processing; data transfer to the USA based on EU Standard Contractual Clauses (SCC); DPA available at stripe.com/legal/dpa.
(3) Vercel Inc. (340 Pine Street, San Francisco, CA 94104, USA) — hosting and analytics; data transfer to the USA based on SCC; DPA available at vercel.com/legal/dpa.
(4) Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) — (a) Google Analytics 4; (b) Google AI (Gemini) for AI-assisted generation of follow-up email content (when the automated follow-up email feature is enabled); data transferred for (b): business card owner's profile data (name, job title, company, email address, phone, website, LinkedIn where provided), the recipient's name and email address, and any optional user-defined custom context; (c) Google AI (Gemini) for AI-assisted contact extraction from business card photos (Card Scanner, Pro users only): when scanning a physical business card, the captured photo is transmitted to Google AI to extract contact details (name, email address, phone number, job title, company, website — as printed on the card); the photo is deleted immediately after processing, not permanently stored; legal basis: Art. 6(1)(f) GDPR (legitimate interest of the user in digitising received business cards); data transfer to the USA based on SCC; DPA available at business.safety.google/gdprcontrollerterms.
(5) Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA) — sending of transactional and marketing emails to VisiPass users (welcome email, onboarding, newsletter confirmation, product updates) and automated follow-up emails to the user's networking contacts (when the follow-up feature is enabled) and follow-up reminder emails to the user themselves (when follow-up reminders are configured; contact data included in these emails: the contact's name, job title, and company); data transferred: recipient email address and — for reminder emails — the contact's name, job title, and company; data transfer to the USA based on SCC; DPA available at resend.com/legal/dpa.
(6) Apple Inc. / Google LLC — wallet passes; only the contact data embedded in the pass is transmitted.
(7) Proxycurl Inc. (Wilmington, DE, USA) — AI contact enrichment (Pro feature only): when a contact form is submitted on a Pro user's card page, the submitted email address may be sent to Proxycurl to retrieve LinkedIn profile data (job title, employer); data transferred: email address; legal basis: Art. 6(1)(f) GDPR (legitimate interest of the card owner in lead qualification); data transfer to the USA based on EU Standard Contractual Clauses (SCC); DPA available at proxycurl.com/dpa.
(8) User-configured webhook integrations (e.g. Zapier, HubSpot, Salesforce) — when a user configures a webhook or REST hook integration in their settings, VisiPass forwards contact scan event data (name, email address, scan timestamp, and — where set — the contact lead rating (hot/warm/cold)) to the URL specified by the user. The user acts as an independent data controller under Art. 4(7) GDPR in this context and bears responsibility for the data-protection-compliant use of these integrations. VisiPass acts solely as a technical transmitter in this regard.
(9) Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA) — Outlook contact synchronization (if the user has enabled Microsoft 365 integration): Contact data (name, job title, company, email address, optionally phone number) transmitted via Microsoft Graph API to the user's Outlook address book; stored: Microsoft OAuth access token, refresh token, and Microsoft contact ID per contact; data transfer to USA on basis of EU Standard Contractual Clauses (SCCs); DPA available at microsoft.com/en-us/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
8. Your Rights (Art. 15–22 GDPR)
You have the following rights: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction of processing (Art. 18), Data portability (Art. 20), Objection (Art. 21), and Withdrawal of consent (Art. 7(3)). To exercise your rights, contact us at admin@visipass.de. We will respond within 30 days.
You also have the right to lodge a complaint with the competent supervisory authority: Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Königstraße 10a, 70173 Stuttgart, www.baden-wuerttemberg.datenschutz.de.
9. Security
All data is stored in a cloud database with encryption and strict access controls. Connections are encrypted with TLS. Credentials are stored securely, never in source code.
10. Contact
Questions? Email us at admin@visipass.de.