Cardenius is built on a simple principle: your contact data belongs to you. We store it locally on your device by default, never sell it, and never share it with advertisers.
1. Who we are
Cardenius is an AI-powered business card scanner and contact management application for Android and iOS, developed and operated by Milan Nai ("we", "us", "our"). Our registered base of operations is Ahmedabad, Gujarat, India; the App is available to users worldwide.
This Privacy Policy explains how we collect, use, and protect information when you use the Cardenius mobile application ("the App"). By using the App, you agree to the practices described here.
2. What we collect
Information you provide directly
| Data | Purpose | Where stored |
|---|---|---|
| Phone number | Account creation and OTP authentication via Firebase | Firebase Auth (Google) |
| Display name, email, company | Your user profile | Firestore (Google) + device SQLite |
| Scanned card data (names, phones, emails, addresses) | Your contact database | Device SQLite only |
| Card images (front and back photos) | Visual reference for scanned cards | Device local storage only |
| Your digital card design | My Card feature — your personal visiting card | Device SQLite only |
Information collected automatically
| Data | Purpose | Service |
|---|---|---|
| Crash reports and error logs | App stability and bug fixing | Firebase Crashlytics |
| App usage analytics (screens visited, feature usage) | Understanding how the app is used to improve it | Firebase Analytics |
| Ad interaction data (free tier only) | Serving relevant ads to free users | Google AdMob |
Optional features (only if you enable them)
- Cloud backup — if you enable backup, your encrypted contact database is uploaded to your chosen provider (Google Drive, Dropbox, or Firebase Storage). We cannot read this data; it is AES-256 encrypted on your device before upload.
- Phone contacts import — if you grant contacts permission, Cardenius reads your phone's address book to import contacts. This data is processed locally and not sent to our servers.
- Google Contacts import — coming in a future update. Will require separate Google account authorisation and will be subject to this policy.
- Location — the Map view uses your device location (if granted) to show contacts on a map. Location data is not stored or transmitted.
Camera and microphone
The App requests camera permission to photograph business cards for scanning. No images are transmitted to our servers. Images shared with the Google Gemini Vision API for AI extraction are governed by Google's Privacy Policy.
3. How we use it
- Provide and operate the App's features
- Authenticate your account via phone OTP
- Sync your subscription/tier status so premium features work across reinstalls
- Detect and fix crashes via Crashlytics
- Understand feature usage to prioritise improvements via Analytics
- Serve non-personalised ads to free-tier users via AdMob
- Send push notifications for reminders and daily digests (only if you grant notification permission)
We do not use your data for profiling, targeted advertising beyond AdMob's standard serving, or any automated decision-making that produces legal effects.
5. Storage & security
All contact data, card images, and personal card designs are stored in your device's private app storage (SQLite database and local file system). This data is not accessible to other apps.
Cloud backups are encrypted with AES-256 before leaving your device. The encryption key is derived from an app-level secret combined with an optional user passphrase. We cannot decrypt your backup files.
Authentication data (phone number, tier status) is stored in Firebase with access restricted by Firestore security rules — only you can read or write your own document.
6. Data retention
- Local data — retained on your device until you uninstall the app or clear app data.
- Firebase Auth record — retained until you request account deletion.
- Firestore user document — retained until you request deletion.
- Crashlytics and Analytics data — retained for 90 days per Google's default retention settings.
- Cloud backups — stored in your own cloud storage account; you control retention.
7. Your rights
You have the following rights regarding your personal data:
- Access — you can export all your scanned contacts as CSV or vCard from Settings → Export (Premium) or individually via the share button (all users).
- Correction — you can edit any contact directly in the App.
- Deletion — you can delete individual contacts or all data via Settings → Delete account. Deleting the app or clearing app data removes all local data immediately.
- Account deletion — to delete your Firebase Auth record and Firestore data, email us at privacy@cardenius.com with the subject "Delete my account". We will process requests within 30 days.
- Portability — export your data in standard formats (CSV, vCard) at any time.
- Opt out of Analytics — you can disable analytics collection from Settings → Privacy (coming in a future update).
If you are in the European Economic Area or United Kingdom, you have additional rights under GDPR/UK GDPR including the right to lodge a complaint with your local supervisory authority.
8. Third-party services
| Service | Provider | Data shared | Policy |
|---|---|---|---|
| Firebase Auth | Google | Phone number | Firebase Privacy |
| Cloud Firestore | Google | User profile, tier status | Firebase Privacy |
| Firebase Crashlytics | Google | Crash traces, device info | Firebase Privacy |
| Firebase Analytics | Google | App usage events | Firebase Privacy |
| Gemini Vision API | Google | Card images (for AI extraction) | Google Privacy |
| Cloud Vision API | Google | Card images (for OCR) | Google Privacy |
| Maps SDK for Android | Google | Device location (if granted) | Google Privacy |
| Google AdMob | Google | Ad interaction data (free tier) | Google Privacy |
| Google Drive | Google | Encrypted backup file (optional) | Google Privacy |
| Dropbox | Dropbox Inc. | Encrypted backup file (optional) | Dropbox Privacy |
| Apple App Store (StoreKit) | Apple Inc. | Transaction data for iOS subscriptions | Apple Privacy |
9. Children's privacy
Cardenius is designed for working professionals and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us at privacy@cardenius.com and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the App. Your continued use of the App after the effective date constitutes acceptance of the updated policy.
11. Contact us
For privacy-related questions, data deletion requests, or any concerns about this policy:
We aim to respond to all privacy inquiries within 7 business days.