Privacy Policy
Your data, on your terms.
This policy explains what personal data Debutap (operated by Deburise Solutions) collects, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We've drafted this for global use — it covers the EU's GDPR, the UK GDPR, India's Digital Personal Data Protection Act 2023 ("DPDP"), California's CCPA/CPRA, Brazil's LGPD, Canada's PIPEDA, and Australia's Privacy Act 1988.
1. Scope and our role
This Privacy Policy applies to the Debutap website at debutap.com and any sub-domain (including custom domains pointing to Debutap), our admin and customer dashboards, the public vCards we host on your behalf, our APIs, and any orders for physical NFC cards (collectively, the "Service").
Depending on the data and the relationship, Debutap acts in different capacities:
- When you sign up as a Debutap customer and use the Service, we are a data controller (GDPR) / data fiduciary (DPDP) / business (CCPA) for the personal data we collect about you.
- When your customers, visitors, or contacts interact with your vCard, store, or booking flows hosted on Debutap, we process their personal data on your behalf as a data processor (GDPR) / data processor (DPDP) / service provider (CCPA). Our handling of that data is governed by this Policy, our Data Processing Addendum, and the Terms of Service you accept on sign-up.
- When we run our public marketing site, blog, and pre-signup materials, we process personal data as a controller / fiduciary / business for marketing and lead-gen.
2. Definitions
- Personal data: Information that identifies or could reasonably be used to identify a living individual. Examples: name, email, phone number, IP address, device identifiers, photos.
- Sensitive personal data: Categories that get extra legal protection — for example, government IDs, health data, biometric data, financial-account credentials, religious or political views, sexual orientation. Debutap does not deliberately collect sensitive categories. If you choose to put them in your card content, you do so as the controller.
- Customer: A natural person or organisation that holds a Debutap account.
- Visitor: Any person who visits a Debutap-hosted vCard, store, booking page, or our public marketing site.
- Content: Everything a Customer uploads to or generates on Debutap — card text, photos, products, prices, services, bookings, customer data, analytics.
- Sub-processor: A third-party service we use to run Debutap (cloud hosting, email delivery, payments, analytics, etc.). The full list is at /legal/sub-processors.
3. What information we collect
3.1 Information you give us
- Account data: your name, email address, phone number (optional), password (stored hashed), workspace name, profile image, time zone, language.
- Billing data: business name, billing address, GSTIN (for Indian customers), VAT or other tax identifiers (for international customers), country, preferred currency. We do not store full card numbers — those go directly to our payment processors and we only see a tokenised reference, last four digits, brand, and expiry.
- Card and store content: everything you publish — card fields, photos, products, prices, service descriptions, business hours, policies, custom CSS or JS. This may include personal data about you or third parties; you are responsible for the lawful basis to publish it.
- Customer-of-customer data: contact details that your customers submit via your card's contact form, store checkout, appointment booking, or newsletter sign-up. We process this on your behalf as a processor.
- Support and feedback: any information you share when contacting us, including transcripts of help-desk conversations.
3.2 Information we collect automatically
- Device and connection data: IP address, user agent (browser and OS), screen size, referring URL, language preference.
- Usage data: pages viewed, features used, buttons clicked, timestamps, error events. We use this to debug issues, secure the Service, and improve features.
- Visitor analytics on your vCards and stores: each visit (timestamp, country / city derived from IP, device class, source — NFC tap, QR scan, WhatsApp, direct, search), which sections were tapped. IP addresses are hashed within 30 days; only aggregated counts are kept beyond that.
- Cookies and similar: session cookies, preference cookies, and a minimal set of analytics identifiers. See our Cookie Policy for the full inventory and how to control them.
3.3 Information from third parties
- OAuth providers (e.g. Google sign-in) — when you choose to sign in via Google, we receive your name, email, profile photo, and Google account ID from Google's OAuth flow.
- Payment processors (Razorpay, Stripe, etc.) — confirmation of successful payments, refunds, chargebacks, last four digits, card brand and country.
- Domain registrars and Cloudflare — when you connect a custom domain, we verify ownership via DNS records.
- Public sources — when you order an NFC card for delivery to an address, we may verify the postal code with a public postal-code dataset.
4. Why we use your information
- To create and run your account, host your cards, and process your transactions.
- To deliver physical NFC cards you order.
- To send you essential service emails — password resets, payment receipts, order updates, security alerts. You cannot opt out of essential service emails while your account is active.
- To send you marketing or feature emails — only if you've opted in (EEA/UK/Brazil) or if it's within the soft-opt-in scope for existing customers (other jurisdictions). You can opt out anytime.
- To detect, prevent, and respond to fraud, abuse, security incidents, and acceptable-use violations.
- To improve the Service — debug bugs, measure feature adoption, prioritise the roadmap.
- To comply with our legal obligations — tax records, financial audits, court orders, lawful government requests.
- To enforce our Terms of Service and Acceptable Use Policy.
We do not use the content of your cards, products, or customer messages to train any general-purpose AI model. AI features that act on your content (e.g. those proposed in V2) will only run on your explicit, per-feature opt-in.
5. Lawful bases for processing (EEA / UK)
Under the GDPR and UK GDPR, we rely on the following lawful bases (Article 6 GDPR):
- Performance of a contract (Art. 6(1)(b)) — to deliver the Service you signed up for, run your cards, process payments, ship NFC cards.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service, prevent fraud and abuse, and conduct minimal direct marketing to existing customers about similar features. Our balancing assessments are available on request.
- Consent (Art. 6(1)(a)) — for non-essential cookies, marketing emails to non-customers, and any optional feature explicitly toggled on by you. You can withdraw consent any time.
- Legal obligation (Art. 6(1)(c)) — for tax records, accounting, statutory financial audits, lawful disclosures.
7. Sub-processors
A current list of our sub-processors is at /legal/sub-processors. We notify customers of material changes by email at least 30 days in advance, and Business plan customers can object to a new sub-processor by writing to [email protected]. If a reasonable objection can't be resolved, you may terminate your subscription and receive a prorated refund.
8. International data transfers
Debutap is operated from India. Our primary servers are in Bengaluru (India), with edge caching globally via Cloudflare. When you sign up from outside India your data is transferred to India for processing.
For transfers from the EEA/UK/Switzerland:
- We rely on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) as the transfer mechanism for transfers to India and to any sub-processor located outside an adequacy area.
- We have completed a Transfer Impact Assessment (TIA) for the India destination and apply supplementary measures: encryption at rest with keys we control, encryption in transit (TLS 1.2+), tightly scoped access, and a written policy to challenge any unlawful government access request. The TIA is available on request to enterprise customers.
- For UK transfers, the SCCs are supplemented with the UK International Data Transfer Addendum.
For transfers from India to overseas sub-processors (e.g. Stripe, Cloudflare), we rely on the DPDP Act's permitted-jurisdiction framework and notify the Data Principal in this policy.
9. How long we keep your data
We retain personal data only as long as we need it for the purposes set out above.
| Category | Retention |
|---|---|
| Active account data (cards, store, settings) | For as long as your account is active |
| Account data after deletion | Deleted within 30 days, except as noted below |
| Billing, tax, invoices | 8 years (Indian tax law) / 10 years (some EU/UK jurisdictions) |
| Visitor analytics (per card) | 90 days at row-level granularity; aggregated counts kept indefinitely |
| Support tickets and email transcripts | 3 years |
| Security logs (auth, API access) | 12 months |
| Marketing email list | Until you unsubscribe or for 2 years of inactivity |
| Backups | Rolling 30 days, encrypted, then irrevocably destroyed |
10. Your rights — EEA, UK, Switzerland
If the GDPR or UK GDPR applies to you, you have the following rights:
- Access — confirm whether we hold data about you and get a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete data we hold, subject to legal obligations to keep some records.
- Restriction — limit how we process data while a dispute is being resolved.
- Portability — receive your data in a structured, commonly-used, machine-readable format and transfer it to another service.
- Objection — object to processing based on legitimate interests, including direct marketing (we will stop the marketing immediately).
- Withdraw consent — at any time, where consent is the lawful basis. Withdrawal doesn't affect lawful processing before the withdrawal.
- Lodge a complaint — with your local supervisory authority. For UK residents this is the ICO (ico.org.uk). For EEA residents see edpb.europa.eu/about-edpb/about-edpb/members_en.
11. Your rights — India (DPDP Act 2023)
If you are a Data Principal in India, you have the following rights under the Digital Personal Data Protection Act, 2023:
- The right to confirmation and access — a summary of the personal data we've processed and the activities we've performed.
- The right to correction and erasure — to correct inaccurate data and erase data that's no longer needed for the original purpose.
- The right to grievance redressal — you can write to our Grievance Officer at [email protected]; we will respond within the statutory time-frame.
- The right to nominate another person to exercise your rights in the event of your death or incapacity.
- The right to withdraw consent, where consent is the basis for processing.
12. Your rights — California (CCPA / CPRA)
If you are a California resident, in the last 12 months we have collected the following categories of personal information (CPRA categories in parentheses):
- Identifiers (A) — name, email, IP address, account ID.
- Customer records (B) — billing address, phone, tax ID.
- Commercial information (D) — subscriptions, orders, transaction history.
- Internet/network activity (F) — pages viewed, features used, referral data.
- Geolocation data (G) — approximate (city-level) location derived from IP.
- Inferences (K) — minimal preference inferences (e.g. preferred plan tier).
You have the following rights:
- Right to know what personal information we collect, use, disclose, and the categories of recipients.
- Right to delete personal information we hold about you, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" — though we do not sell or share personal information for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not use sensitive personal information for inferring characteristics, so this right does not currently produce additional restrictions.
- Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality for exercising your rights.
To exercise these rights, email [email protected] with the subject line "CCPA Request". We will verify identity using account credentials and at least one additional factor. Authorised agents must provide signed permission and proof of identity.
Shine the Light: California residents may also request a list of personal information disclosed to third parties for those parties' direct marketing purposes. We do not engage in such disclosures, so the response will be "none".
13. Your rights — Brazil, Canada, Australia, and other jurisdictions
13.1 Brazil (LGPD)
If you reside in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD) substantially similar to GDPR — confirmation, access, correction, anonymisation, portability, deletion, information about third-party sharing, revocation of consent, and the right to oppose processing. Contact [email protected]. Our LGPD representative is reachable at the same address.
13.2 Canada (PIPEDA)
Canadian residents have rights to access and correct personal information, withdraw consent, and lodge complaints with the Office of the Privacy Commissioner (priv.gc.ca).
13.3 Australia (Privacy Act 1988)
Australian residents have rights under the Australian Privacy Principles (APPs), including access, correction, and complaint to the Office of the Australian Information Commissioner (oaic.gov.au).
13.4 Other jurisdictions
If a local law gives you rights not listed above, contact us and we will honour them to the extent we're required to.
14. How to exercise your rights
You have several ways to exercise the rights described above:
- Self-serve in the dashboard: most rights — access, export, correction, deletion, marketing preferences — can be exercised directly from Settings → Privacy in your Debutap dashboard. We'll add those flows progressively as the SaaS product ships; until then, use the email options below.
- Email: write to [email protected] from the email address on your account. Include the request type and any details we need to locate the data.
- Authorised agents: may submit a request on your behalf with written authorisation. We may contact you to verify.
We respond within 30 days (45 days for California complex requests; 30 days for India per DPDP; 1 month for GDPR, extendable by 2 months for complex requests). We do not charge a fee for verified requests, except for manifestly unfounded or excessive requests as permitted by law.
15. Security
We protect personal data with administrative, technical and physical safeguards appropriate to the risk:
- TLS 1.2+ for all data in transit.
- Encryption at rest for database and backups.
- Hashed passwords (Argon2 / bcrypt).
- 2FA for admin accounts; available for all paid accounts.
- Role-based access controls; least-privilege internal access.
- Daily encrypted backups, rolling 30-day retention.
- Annual penetration testing and quarterly internal security review.
- Incident response plan with 72-hour breach notification (GDPR Art. 33), and parallel notification timelines for DPDP and US state laws as applicable.
For more detail see our Security Policy.
16. Children's data
Debutap is not directed to children under 18 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact [email protected] and we will delete it and the corresponding account.
Customers must not collect children's personal data on their cards or stores without verifiable parental consent, where required by law (e.g. COPPA in the US, GDPR Art. 8 for under-16s in the EEA, India's DPDP for those under 18).
17. AI and automated decisions
The current Service does not make automated decisions that produce legal or similarly significant effects on individuals. Where AI features ship in future phases (e.g. card generation, translation), they will:
- Be off by default and require your explicit opt-in.
- Not use your customers' personal data to train any general-purpose model.
- Display the AI provider so you can make informed decisions about transferring data.
- Allow you to delete generated content and request review of any algorithmic decision.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Email account holders at least 30 days before the change takes effect.
- Display a banner on the dashboard.
- Update the "Last updated" date and version at the top of this page.
- For changes that require fresh consent under GDPR or DPDP, re-request consent before any new processing.
Old versions are archived and available on request.
19. Contact us
Data Controller / Data Fiduciary / Business:
Deburise Solutions (operating "Debutap")
Bengaluru, Karnataka, India
GSTIN: 29AAYFD3238M1ZM
Privacy questions and rights requests:
- General privacy: [email protected]
- Data Protection Officer (DPO): [email protected]
- India DPDP Grievance Officer: [email protected]
- Security incidents and vulnerability disclosure: [email protected]
If we have not resolved your concern, you have the right to lodge a complaint with your local data protection authority. For India, the Data Protection Board of India (when notified). For the EEA, your national supervisory authority. For the UK, the Information Commissioner's Office (ico.org.uk).
Questions about this document? Get in touch at [email protected].