Back to Home

Privacy Policy

Last updated: June 13, 2026

1. Introduction

Umbel ("Umbel", "we", "us") provides a digital business card platform. This policy explains what personal information we collect, how we use and share it, and the rights you have over it. It applies to our website, applications, and services (the "Service").

We are the responsible party for personal information processed through the Service, and we process it in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa. Where users or visitors are located in other jurisdictions, we also have regard to applicable laws such as the EU and UK General Data Protection Regulation (GDPR).

2. Information We Collect

We collect the following categories of information:

  • Account information — your name, email address, and password (stored in hashed form). If you sign in with Google, we receive your name, email address, and profile picture from Google.
  • Profile and card content — the information you choose to put on your digital business card, such as your name, photo, job title, company, phone numbers, email addresses, links, and social profiles. This content is intended to be public (see section 4).
  • Contacts you save — contact details of other people that you add to your account, including details extracted from photos of paper business cards using our AI scanning feature (see section 5).
  • Information visitors share — if someone viewing your card chooses to share their details with you through the contact exchange form, we store what they submit (such as their name, email, and phone number) so you can access it.
  • Billing information — payments are handled by our payment partner, Polar, acting as merchant of record. We receive your subscription status, plan, and billing history, but we never receive or store your full card details.
  • Card analytics — when someone views your card or scans your QR code or NFC product, we record that the event occurred and its source (link, QR, or NFC) so we can show you aggregate statistics. We do not store the visitor's name or contact details as part of this, and visitors are not required to identify themselves to view a card.
  • Usage and device information — with your consent, we collect analytics about how our own site is used, such as pages visited, approximate location, and device and browser type (see section 11 on cookies).
  • Communications — messages you send us, for example support requests.

3. How We Use Your Information

We use personal information to:

  • Provide, operate, and maintain the Service, including hosting your public card and generating QR codes and wallet passes.
  • Process subscriptions and payments through our payment partner.
  • Show you analytics about how your card is performing.
  • Send transactional emails, such as account, security, and billing notifications.
  • Respond to support requests.
  • Monitor, secure, and improve the Service, and prevent fraud and abuse.
  • Comply with legal obligations.

Our lawful bases for processing are: performance of our contract with you (providing the Service); your consent (optional analytics cookies, marketing communications); our legitimate interests (securing and improving the Service, preventing abuse); and compliance with legal obligations. We do not sell your personal information, and we do not use your personal information for automated decision-making that has legal or similarly significant effects on you.

4. Public Profiles Are Public

The purpose of a digital business card is to be shared. Information you add to your card is accessible to anyone with your profile link, QR code, or NFC product, and may be indexed by search engines and viewed, saved, or downloaded (for example as a vCard) by visitors. Only add information to your card that you are comfortable making public. You can edit or remove card information at any time, although copies already saved by others or cached by search engines are outside our control.

5. AI Business Card Scanning

If you use our card scanning feature, the photo you upload is sent to a third-party AI model provider solely to extract the contact details from the image. The extracted details are saved to your contacts. We use commercial API services whose terms prohibit using submitted data to train their models. You are responsible for ensuring you may lawfully capture and store the details on cards you scan (see section 6).

6. Information About Other People

When you save someone's contact details to your account — whether typed in, scanned from a business card, or received through your card's contact exchange form — we store and process that information on your behalf and on your instructions. You are responsible for having a lawful basis to collect and keep it, and for honouring requests from those people to correct or delete it. If we receive a request directly from such a person, we may assist them and will refer the request to you where appropriate.

7. How We Share Information

We do not sell personal information. We share it only with the following categories of service providers (operators under POPIA), who process it on our behalf under contractual confidentiality and security obligations:

  • Cloud infrastructure providers — hosting, database, file storage, and authentication services that run the Service.
  • Payment processing — payments and subscription billing are handled by Polar, acting as merchant of record. Polar processes your payment details under its own privacy policy.
  • Email delivery providers — sending transactional emails such as account and billing notifications.
  • AI model providers — processing business card photos you upload for scanning (section 5).
  • Analytics providers — with your consent, measuring how our site is used (section 11).
  • Optional integrations you choose — if you sign in with Google, Google processes that sign-in; if you add your card to Apple Wallet, the pass containing your card details is delivered to your device through Apple's wallet infrastructure.

You can request an up-to-date list of the specific operators we use by emailing andrew@umbel.me.

If you are part of a team plan, your team administrator can view and manage the cards and related data in the team workspace.

We may also disclose information if required by law or a valid legal process, to protect the rights, safety, or property of Umbel, our users, or the public, or as part of a merger, acquisition, or sale of assets — in which case this policy will continue to apply to your information and we will notify you of any change in responsible party.

8. International Transfers

Our service providers may store and process your information on servers outside South Africa, including in the United States and the European Union. Where we transfer personal information across borders, we do so in accordance with section 72 of POPIA — relying on recipients being subject to laws or binding agreements that provide an adequate level of protection, on the transfer being necessary to perform our contract with you, or on your consent.

9. Retention and Deletion

We keep your personal information for as long as your account is active or as needed to provide the Service. When you delete specific content (such as a card or a saved contact), it is removed from the live Service promptly. When you delete your account — which you can do at any time from your account settings — your profile, cards, contacts, and analytics are deleted.

We may retain limited information after deletion where required by law (for example billing records for tax purposes), to resolve disputes, or to enforce our agreements. Residual copies in encrypted backups are deleted on a rolling basis as backups expire.

10. Your Rights

Under POPIA — and, where applicable, the GDPR — you have the right to:

  • Be told whether we hold personal information about you, and access it.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of your information or your entire account.
  • Object to processing, including for direct marketing — we will stop unless we have overriding lawful grounds.
  • Withdraw consent at any time, where processing is based on consent, without affecting prior processing.
  • Receive a copy of information you provided to us in a portable, machine-readable format, where the GDPR applies.
  • Not be subject to solely automated decisions with legal or similarly significant effects.

You can exercise most of these rights directly in your account settings, or by emailing our Information Officer at andrew@umbel.me. We will respond within a reasonable time and at most within any period required by law, and we may need to verify your identity first. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator (South Africa) or your local supervisory authority.

11. Cookies

We use cookies and similar technologies in two categories:

  • Strictly necessary — session, authentication, and consent-preference cookies required for the Service to function. These are always active and do not require consent.
  • Analytics — cookies and identifiers used to measure how visitors use our site and how it performs. These are only set if you accept them via the consent banner shown on your first visit.

Your consent choice is stored for 12 months. You can change or withdraw your consent at any time by clearing the site's cookies in your browser (the banner will reappear) or by contacting us at andrew@umbel.me.

12. Security

We take reasonable and appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, and unlawful processing — including encryption in transit (HTTPS), hashed passwords, and strict access controls at the application and database level. No method of transmission or storage is completely secure, but if we become aware of a breach affecting your personal information, we will notify you and the Information Regulator as required by POPIA.

13. Children

The Service is not directed at children, and you must be at least 18 years old to create an account. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you — for example by email or a notice in the Service — before the changes take effect. The "Last updated" date at the top of this page shows when it was last revised.

15. Contact Us

If you have questions about this policy or wish to exercise your rights, contact our Information Officer at andrew@umbel.me.

Cookie preferences

We use cookies to improve Umbel. See our Privacy Policy.