🔒 Privacy Policy

Papir Card System

1. Information We Collect

1.1 Information You Provide

Data Type	Purpose	Required
Email Address	Account creation, notifications, deletion verification	For registered users
Uploaded Media	To display on your AR cards	Yes, for card creation
Card Metadata	File names, sizes, types	Automatic with uploads
Payment Information	Processing subscriptions (processed by Stripe/PayPal)	For paid plans only
Terms Acceptance	Legal record of consent (permanently stored)	For card activation

1.2 Automatically Collected Information

• IP Address: For security, analytics, and legal records
• Device Information: Browser type, operating system, screen resolution
• Usage Data: Card scans, feature usage, error logs
• Location Data: Approximate location from IP (country/city level only)
• User Agent String: For analytics and debugging

1.3 QR Code Scan Data

When someone scans your QR code, we collect:

• Timestamp of scan
• Scanner's IP address (anonymized after 30 days)
• Browser/device type
• Referring URL (if applicable)
• No personal identification of scanner - scans are anonymous

2. Data Retention Policy TIERED APPROACH

We follow a tiered retention strategy that balances operational needs, user privacy, and legal requirements. Backup data is encrypted and inaccessible for normal operations.

Data Category	Retention Period	Rationale	Security Measures
Active Card Content Media, messages, metadata	Until card deleted by user	Core service delivery	Encrypted at rest, access logged
IP Addresses (Activation) Terms acceptance records	Permanent (legal hold) LEGAL	Proof of terms acceptance, fraud prevention, legal compliance (GDPR Article 7)	Encrypted, access restricted to legal/security team only
Scan Logs Visitor IPs, timestamps, device info	30 days → then permanently anonymized (IP removed)	Analytics + privacy balance (industry standard)	Automatic anonymization process, cannot be reversed
User Activity Logs Feature usage, errors	90 days	Operational debugging and improvement	Stored in separate secured database
Account Data Profile, email, preferences	Until account deletion request	User control and service delivery	Encrypted, requires authentication to access
Payment Transaction Logs	7 years LEGAL	Sarbanes-Oxley Act, tax law compliance	Processed by Stripe/PayPal, we only store reference IDs
Backup Data	30 days maximum, encrypted, not used for any operational purpose	Disaster recovery only, inaccessible for normal operations	Encrypted, stored in separate secure location, access requires two-person approval
Inactive Accounts	24 months without access → deletion notice sent → 30 days to respond → permanent deletion	Data minimization (GDPR Article 5(1)(e))	Automated review process with human verification
EU User Data (GDPR)	As needed only, deleted when purpose fulfilled, maximum 30 days after account deletion	GDPR Article 5(1)(e) - storage limitation	Separate handling process for EU residents
India User Data	3 years after last use (DPDP Act requirement)	DPDP Act compliance	Automated deletion process at 3-year mark

3. How We Use Your Information

• To provide and maintain the Service
• To process payments and prevent fraud
• To send service-related notifications (not marketing unless you opt in)
• To improve and optimize our platform
• To comply with legal obligations
• To provide card analytics to creators (aggregated, anonymized data only)
• To maintain legal records of terms acceptance (permanent retention)
• To investigate and respond to abuse reports
• To verify and process data deletion requests

4. Data Storage & Security

4.1 Storage Locations

• Media files: Supabase storage (SOC 2 Type 2 certified) - may be in multiple regions
• Database: Supabase PostgreSQL (encrypted at rest)
• Server: Railway.app hosting (access logs retained 30 days)
• Backups: Encrypted, stored in separate geographic region

4.2 Security Measures

• Encrypted data transmission (TLS 1.3, HTTPS)
• Encrypted data at rest (AES-256)
• Secure password hashing (bcrypt)
• Regular security updates and penetration testing
• Access controls with audit logging
• Automated anonymization of scan logs after 30 days
• Two-person approval required for backup access
• 24/7 security monitoring

5. Third-Party Services

We share necessary data with the following service providers. Each has been vetted for security and compliance:

Service	Purpose	Data Shared	Their Certification	Their Privacy Policy
Supabase	Database & Storage	Media files, metadata, IPs	SOC 2 Type 2	supabase.com/privacy
Railway.app	Hosting	Server logs, IP addresses	SOC 2 Type 2	railway.app/legal/privacy
Stripe	Payment Processing	Payment details (not stored by us)	PCI DSS Level 1	stripe.com/privacy
PayPal	Payment Processing	Payment details (not stored by us)	PCI DSS Compliant	paypal.com/privacy
QR Code API	QR Generation	Card URLs only	-	Not retained by service

6. Your Rights & Choices

6.1 Access & Correction

You can access and update your account information through your profile settings. For additional requests, email privacy@papir.ca.

6.2 Data Export (Data Portability)

You have the right to receive a copy of your data in a machine-readable format (JSON/CSV). To request an export:

1. Email privacy@papir.ca with subject line "Data Export Request"
2. Include your Card ID or registered email address
3. We will verify your identity via email response
4. You will receive your data within 30 days (GDPR requirement)
5. Exports are provided free of charge once per year

6.3 Data Deletion (Right to Erasure)

To request deletion of your personal data:

1. Email privacy@papir.ca with subject line "Data Deletion Request"
2. Include your Card ID or registered email address
3. We will verify your identity via email response
4. We will process your request within 30 days and send confirmation
5. Deletion confirmation will include what was removed and what (if anything) was retained for legal reasons

Important deletion limitations:

• Card content will be deleted immediately and permanently
• Scan logs will be anonymized (cannot be linked back to you)
• Activation IP records are permanently retained for legal compliance (proof of terms acceptance under GDPR Article 7)
• Payment records retained by Stripe/PayPal per their policies (7 years)
• Public QR codes may remain accessible until CDN cache expires (up to 24 hours)

6.4 Opt-Out Options

• Marketing emails: Unsubscribe link in all emails (we send very few)
• Analytics: Use browser "Do Not Track" settings
• Cookies: Manage through browser settings (see Section 7)
• California residents: We do NOT sell your data - no opt-out needed

6.5 Right to Restrict Processing

You may request that we restrict processing of your data in certain circumstances (e.g., while disputing accuracy). Contact privacy@papir.ca.

7. Cookies & Tracking

We use minimal cookies, all strictly necessary for functionality:

• Session Cookies: For login functionality (expire when browser closes)
• CSRF Tokens: Security cookie (expires after form submission)
• Analytics Cookies: Anonymous usage statistics (30-day retention, no personal data)
• No advertising cookies, tracking pixels, or third-party marketing cookies

You can control cookies through your browser settings. Blocking essential cookies may affect functionality.

8. Children's Privacy (COPPA & GDPR Compliance)

Our Service is not intended for children under 13 (or 16 in Europe). We do not knowingly collect data from children under these ages. If we discover we have collected data from a child under the applicable age:

• We will immediately delete all associated data (within 48 hours)
• We will disable any associated cards
• We will notify the parent/guardian if contact information is available
• Parents can request verification and deletion at privacy@papir.ca

If you are a parent and believe your child has provided data to us, please contact us immediately.

9. International Data Transfers

Data may be processed in Canada, the US, or other countries where our service providers operate. We ensure adequate protection through:

• Standard Contractual Clauses (EU Commission approved)
• Data Processing Agreements with all sub-processors
• SOC 2 Type 2 certified infrastructure providers
• GDPR-compliant data handling practices regardless of location

10. Regional Rights

10.1 European Users (GDPR)

• Right to access: Know what data we hold
• Right to rectification: Correct inaccurate data
• Right to erasure: "Right to be forgotten" (see Section 6.3)
• Right to restrict processing: Limit how we use data
• Right to data portability: Receive data in machine-readable format
• Right to object: Object to processing based on legitimate interests
• Rights related to automated decision-making: We do not use automated decision-making
• Right to withdraw consent: At any time, by email
• Lodge a complaint: With your local supervisory authority (e.g., ICO in UK, CNIL in France)

10.2 California Users (CCPA/CPRA)

• Right to know: What personal information we collect, use, and share
• Right to delete: Personal information (see Section 6.3)
• Right to opt-out of sale: WE DO NOT SELL PERSONAL INFORMATION - no opt-out needed
• Right to correct: Inaccurate personal information
• Right to limit use of sensitive information: We only use sensitive information as necessary
• Right to non-discrimination: For exercising your rights
• Authorized agent: You may designate an agent to make requests on your behalf

For CCPA requests, email privacy@papir.ca with "CCPA Request" in subject line. We will verify your California residency.

10.3 Indian Users (DPDP Act)

• Right to know: What data is collected and purpose
• Right to correction: Update inaccurate data
• Right to erasure: Delete data when no longer needed
• Right to grievance redressal: Contact our Grievance Officer
• Data deletion: 3 years after last use as required by law
• Consent withdrawal: May withdraw consent at any time

10.4 Canadian Users (PIPEDA)

• Right to access: Your personal information
• Right to challenge accuracy: Correct errors
• Right to withdraw consent: Subject to legal or contractual restrictions
• Right to file a complaint: With the Office of the Privacy Commissioner of Canada

11. Reporting Inappropriate Content ABUSE REPORTING

If you encounter a card that violates our Terms of Service or contains illegal content:

Our abuse team is trained to handle sensitive content and will escalate to law enforcement if required by law.

12. Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

• We will notify affected users within 72 hours (as required by GDPR)
• Notification will include what data was affected and what steps we've taken
• We will report to relevant supervisory authorities as required by law
• We will provide guidance on steps you can take to protect yourself

13. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who oversees our compliance with data protection laws:

• Email: dpo@papir.ca
• Response Time: Within 30 days (15 days for urgent matters)
• Role: Independent oversight, handles escalations, ensures compliance
• Languages: English, French, Spanish support available

14. Contact Information

For privacy concerns, data requests, or general questions:

15. Changes to This Policy

We will notify users of significant changes:

• Email notification at least 30 days before changes take effect
• Platform notification upon login
• Updated "Last Updated" date at top of policy
• Continued use after changes constitutes acceptance
• Material changes (e.g., new data collection) require renewed consent

16. Legal Compliance Summary

We comply with the following regulations:

• Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU/UK: General Data Protection Regulation (GDPR) (EU) 2016/679
• California: California Consumer Privacy Act (CCPA) as amended by CPRA
• India: Digital Personal Data Protection Act 2023 (DPDP Act)
• Payment Card Industry: PCI DSS (via Stripe/PayPal)
• Financial Records: Sarbanes-Oxley Act (7-year retention)
• Children: Children's Online Privacy Protection Act (COPPA)