CardToDeal Data Processing Addendum

1. Scope and roles

This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer") and Quiamo Digital Market Services LLP ("Quiamo", "we", "our"), a limited liability partnership registered in India at Padmavati Hills, Pune, Maharashtra 411009, operating the CardToDeal business card scanner at cardtodeal.com.

For personal data contained in the business cards you scan, you are the data controller and Quiamo is the data processor. You decide why and how that personal data is processed; we process it only on your documented instructions, which are the act of submitting a card for extraction and any configuration choices you make. This DPA applies in addition to our Privacy Policy and Terms of Service, and supplements rather than replaces them.

2. Subject-matter and duration of processing

The subject-matter of the processing is the extraction of structured contact data from business-card images you submit to CardToDeal. Processing is performed for the duration of your use of the service. For any single scan, processing lasts only as long as the request takes to complete: the image is processed in memory and discarded at the end of the request unless you explicitly choose to export the result to a CRM. Where you connect VynDeal CRM and export contacts, retention is governed by your separate agreement with that service.

3. Nature and purpose of processing

The nature of the processing is optical character recognition (OCR) and structured field extraction: a card image is converted into text fields such as name, job title, company, email and phone number, which are then returned to your browser. The purpose is limited to delivering this extraction service to you. We do not process the data for any independent purpose of our own, do not sell it, and do not use scanned contacts to build advertising profiles or to train external AI models beyond operating the CardToDeal service.

4. Categories of data subjects and personal data

4.1 Categories of data subjects

The data subjects are the individuals whose business cards you scan — the business-card holders, typically professional contacts you meet at trade shows, exhibitions, or business meetings.

4.2 Categories of personal data

• Identity data — full name and job title as printed on the card.
• Organisation data — company name and, where present, department or division.
• Contact data — business email address, phone and mobile numbers, postal address and website.
• Other printed fields — any additional text the card carries, such as a tagline or social handle.

CardToDeal does not request or knowingly process special-category (sensitive) personal data. You should not submit cards that carry such data.

5. Processor obligations

As your processor, Quiamo will: process personal data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law; ensure that persons authorised to process the data are bound by confidentiality; implement appropriate technical and organisational security measures; respect the conditions for engaging sub-processors set out below; assist you, taking into account the nature of the processing, in meeting your obligations to respond to data-subject requests and to maintain security, breach notification and data-protection impact assessments; and, at your choice, delete or return the personal data at the end of the provision of services. These obligations mirror the requirements of GDPR Article 28.

6. Confidentiality

We treat all personal data processed on your behalf as confidential. Access is limited to personnel and sub-processors who need it to deliver or support the service, all of whom are subject to a duty of confidentiality, whether contractual or statutory, that survives the end of their engagement.

7. Security measures

We maintain technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS); processing of card images in volatile memory with no persistent storage of the image after the request completes; access controls and the principle of least privilege for systems and data; logical separation between the free scanner and any CRM export path; regular patching of hosting infrastructure; and operational logging limited to the request metadata described in our Privacy Policy and retained for 30 days.

8. Sub-processing

You provide general authorisation for Quiamo to engage sub-processors to deliver the service, such as AI OCR providers, cloud hosting and email delivery. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA and remain responsible to you for their performance. The current list of categories and named services is published and kept up to date on our Sub-processors page. We will give reasonable notice of any intended addition or replacement so you can object on reasonable data-protection grounds.

9. International transfers

CardToDeal's primary infrastructure is located in India. Some sub-processors may process data outside your country, including in the EU and the United States. Where personal data subject to GDPR is transferred outside the EEA, the transfer is covered by an appropriate safeguard such as the European Commission's Standard Contractual Clauses, incorporated into our agreements with the relevant sub-processor. Transfers subject to India's DPDP Act are made only to jurisdictions permitted under that Act.

10. Assisting with data-subject requests

Because the data we process for you is generally not stored after a scan, most data-subject requests are best handled by you as controller. Where a data subject contacts us directly, we will, without undue delay, inform you and assist you in responding, taking into account the nature of the processing and the information available to us. For guidance on the rights involved and how they are exercised, see our data-rights guide.

11. Breach notification

If we become aware of a personal-data breach affecting data we process on your behalf, we will notify you without undue delay after becoming aware of it, and provide the information you reasonably need to meet your own notification obligations to supervisory authorities and, where required, to affected data subjects.

12. Audit

We will make available to you the information reasonably necessary to demonstrate compliance with the obligations in this DPA and, on reasonable prior written notice and no more than once per year (or following a confirmed breach), allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to confidentiality and to not unreasonably disrupting our operations.

13. Deletion or return on termination

On termination of the services, and at your choice, we will delete or return all personal data processed on your behalf and delete existing copies, unless applicable law requires us to retain it. For the free scanner this is largely automatic: card images and extracted fields are not persisted beyond the request, so there is no stored dataset to return. Operational logs age out within 30 days. Data you exported to a connected CRM is governed by that service's own deletion controls.

14. Applicable law

This DPA is intended to satisfy the requirements applicable to controller-to-processor arrangements under the EU General Data Protection Regulation (GDPR), in particular Article 28, and India's Digital Personal Data Protection Act 2023 (DPDP Act). Where this DPA conflicts with the Terms of Service on a data-protection matter, this DPA prevails. For all other matters the Terms govern.