1. Who is the data controller
Pubtact (a service operated from India) is the data controller for personal data we collect about you. Contact our privacy team at hello@pubtact.com. (We don't have a separate DPO yet — that inbox is the right place.)
2. What we collect
We only collect what we need to provide the Service:
- Account data — email, name, password hash (bcrypt). Optional profile picture.
- OAuth identifiers — when you sign in with Google / GitHub / LinkedIn / X, we store the provider id, name, email, and avatar URL returned by them.
- Card content — anything you put on your card: bio, contact details, social links, uploaded images.
- Usage analytics — IP (truncated), browser, page visited, anonymous viewer-id cookie. We use this to count views & saves on your card.
- Cookies — a session cookie (auth) and a viewer-id cookie (analytics).
- Payments — when you subscribe, our processor (Stripe / Razorpay) collects card details. We get back the subscription id, status, and last-four of the card.
3. What we do NOT collect
- Your contacts, phone book, or call logs.
- Precise GPS location (city-level only, opt-in for local search).
- Biometric data.
- Anything from third parties without your consent.
4. Why we process it (lawful basis)
- Contract — to provide the Service you signed up for.
- Legitimate interest — anti-abuse, security, basic analytics.
- Consent — marketing emails, optional cookies, local-search discoverability.
- Legal obligation — tax records, fraud investigations, court orders.
5. Who we share it with
Only the minimum required, only to run pubtact:
- Cloud infra — Emergent (hosting + object storage).
- Payments — Stripe / Razorpay (when you subscribe).
- OAuth providers — only when you sign in with them.
- Authorities — only if compelled by valid legal process and where local law allows us to notify you.
We never sell your personal data. Period.
6. Where your data lives
Data is stored on cloud infrastructure that may be located outside India (typically the EU or US, depending on region). We rely on Standard Contractual Clauses for any cross-border transfer and require equivalent security from every sub-processor.
7. How long we keep it
- Account & card data — until you delete your account, then up to 30 days for backup purges.
- Payment records — 7 years (Indian tax law).
- Analytics events — 24 months, then aggregated.
- Support emails — 24 months.
8. Your rights (GDPR / CCPA / DPDP)
You have the right to:
- Access — get a copy of the data we hold about you.
- Rectify — fix anything that's wrong.
- Erase — be forgotten ("delete my account").
- Restrict / object to processing, including marketing.
- Portability — export your data as JSON.
- Withdraw consent — for marketing or local-search anytime.
- Lodge a complaint with your supervisory authority (EU DPA, ICO, the Data Protection Board of India, California AG).
To exercise any of these, email hello@pubtact.com. We respond within 30 days.
9. Children
pubtact is not directed at children under 13 (16 in the EEA). If we learn we've collected a child's data we delete it immediately.
10. Security
We hash passwords (bcrypt), use HTTPS everywhere, set cookies with the HttpOnly, Secure, and SameSite attributes, and apply least-privilege access to our database. We're not perfect — if you spot a security issue, mail hello@pubtact.com with the subject line “security”.
11. Cookies
See our Cookie policy for the full list.
12. Changes
If we change this policy in a material way, we'll email you and post a banner before it takes effect.
13. Contact
Privacy questions or data requests: hello@pubtact.com.