GDPR Policy
Public-by-link profiles
Some Metacard profiles are intentionally accessible to anyone who has the URL so they can be shared via NFC or QR. The URL is unguessable, but if it is shared or leaked, third parties may view the profile. You can (a) keep fields minimal, (b) rotate/regenerate your public link, or (c) switch to private mode where available. We set search engine directives to block indexing, but we cannot fully control third-party crawlers.
Hosting & storage
one.metacard.gr is hosted on Vercel (frontend). The API runs on a hardened DigitalOcean VPS. Personal data is stored in MongoDB Atlas (EU region). Media you upload (e.g., avatars) is stored in AWS S3 (EU region). Access to production data is restricted to our Admin/DPO (Alex Koukis) and the customer’s workspace owner (Controller).
Legal bases
- Contract (to provide your account and card/profile features)
- Legitimate interests (security, abuse prevention, troubleshooting)
- Legal obligation (invoicing & tax records)
- Consent only where required (e.g., non-essential cookies/analytics)
Your choices
You may edit fields, rotate your public link, or request deletion/export at info@metacard.gr.
For employee profiles under a company workspace, contact your employer (Controller); we’ll act on their instructions.
“Metacard profiles are shareable by design. Anyone with your unique link can view your public profile. Keep data minimal, and rotate your link if needed. We block search indexing but can’t fully prevent third-party collection. You can switch to private mode (where available) or request deletion at info@metacard.gr.”
Security controls
- Passwords: We never store passwords in plain text. Passwords are hashed with bcrypt (13 salt rounds) before storage (industry standard).
- Encryption in transit & at rest: TLS for all network traffic; storage encryption provided by MongoDB Atlas and AWS S3.
- Infrastructure: Frontend on Vercel; API on DigitalOcean VPS with firewall, least-privilege users, and regular security patches.
- Access control: Production data access is limited to Admin/DPO (Alex Koukis) and the workspace owner (Controller).
- Hardening & patching: We keep runtime and critical dependencies on current stable versions and apply security patches promptly.
- Webhook & API security: HMAC verification, idempotency keys, rate limiting, input validation, and audit logging.
Incident detection & notification
We monitor for unauthorized access. If we reasonably believe personal data was accessed by an unauthorized party, we will (a) investigate, (b) mitigate, and (c) notify affected customers without undue delay and, where required by law, notify the competent authority within 72 hours.
Data access & export on demand
At any time, you can request access/export or deletion of the data we hold about you by emailing info@metacard.gr. For profiles managed by a company, we coordinate with the workspace owner (Controller) and act on their instructions.
