Privacy Policy

1. Introduction

Welcome to MYZO, a digital business card platform operated by Obelisk Agency SRL, a company registered in Romania, European Union ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and related services (the "Service"). By using MYZO, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

The data controller responsible for your personal data is:

3. Legal Basis for Processing

Under GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide our Service to you (Article 6(1)(b) GDPR)
• Legitimate Interests: Processing for our legitimate business interests, such as improving our Service, preventing fraud, and ensuring security (Article 6(1)(f) GDPR)
• Consent: Where you have given explicit consent for specific processing activities (Article 6(1)(a) GDPR)
• Legal Obligation: Processing necessary to comply with legal requirements (Article 6(1)(c) GDPR)

4. Information We Collect

4.1 Information You Provide

• Account Information: Email address, username, and password when you create an account
• Profile Information: Display name, bio, avatar image, and any other information you choose to add to your public profile
• Contact Information: Phone numbers, email addresses, physical addresses, and social media links you add to your digital business card
• Custom Links: URLs, titles, and descriptions of links you add to your profile
• Widgets: Content you add through widgets including text, images, quotes, RSS feeds, and embedded media
• Payment Information: When you subscribe to a paid plan, payment processing is handled by Lemon Squeezy, Inc. We do not store your complete credit card information on our servers

4.2 Information Collected Automatically

• Analytics Data: Profile views, link clicks, QR code scans, and visitor geographic data (country/city level, anonymized)
• Device Information: Browser type, device type, operating system, and screen resolution
• Log Data: IP addresses (anonymized after processing), access times, pages viewed, and referring URLs
• Cookies: Essential cookies for session management and optional analytics cookies (with your consent)
• In-App Notification Events: A per-user log of activity that affects your account (for example, when another MYZO user saves your profile to their connections, only if they have enabled identity sharing). This log is visible only to you and is not used for advertising.

4.3 Third-Party Authentication

If you sign in using Google OAuth, we receive your email address and basic profile information from Google. We do not access your Google contacts, calendar, or other Google services.

5. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Create and manage your account and digital business card
• Display your public profile to visitors
• Provide analytics about your profile's performance
• Process payments and manage subscriptions
• Send important service-related notifications
• Respond to your inquiries and provide customer support
• Detect, prevent, and address technical issues, fraud, or abuse
• Enforce our Terms of Service and protect our users
• Comply with legal obligations

6. Information Sharing and Disclosure

6.1 Public Information

Your profile information (display name, bio, avatar, links, widgets, and contact information you add) is publicly accessible to anyone who views your MYZO profile. Please be mindful of the personal information you choose to make public.

6.2 Service Providers (Data Processors)

We may share information with third-party service providers who process data on our behalf under data processing agreements compliant with GDPR:

• Lemon Squeezy, Inc.: Payment processing (EU Standard Contractual Clauses apply)
• Cloud Infrastructure: Data hosting and storage within the EU where possible
• Brevo (Sendinblue): Email service provider for sending transactional and marketing emails. Data shared: email address, name. Location: France (EU). Privacy Policy: https://www.brevo.com/legal/privacypolicy/
• Google OAuth: Authentication provider for social login / account authentication. Data shared: email, name, profile picture (with user consent). Location: USA (with EU SCCs). Privacy Policy: https://policies.google.com/privacy
• Cloudflare Turnstile: Bot protection / CAPTCHA for protecting forms from automated abuse. Data shared: IP address, browser fingerprint. Location: USA (with EU SCCs). Privacy Policy: https://www.cloudflare.com/privacypolicy/

6.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental authority within the European Union, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

If MYZO is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership.

6.5 Sharing With Other MYZO Users

When you save another user's profile to your connections, this action is private by default. If you enable the "Let people know when I add them" setting in your privacy controls, the user you save will receive an in-app notification containing your display name and a link to your public profile. This setting is OFF by default for every user and can be turned off at any time. Changes apply only to future saves; saves you made while the setting was disabled remain silent forever.

Other MYZO users can also view your public profile (display name, bio, avatar, links, and any contact information you have chosen to publish). The "Allow connections" setting controls whether other users can save your profile to their connections at all.

7. International Data Transfers

We primarily store and process data within the European Union. When data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Other lawful transfer mechanisms under GDPR

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Service. Specific retention periods:

• Account Data: Retained until you delete your account
• Analytics Data: 7 days (free users), up to 365 days (paid plans)
• Log Data: 90 days for security purposes
• Login Attempt Records: 30 days for security and lockout enforcement; purged immediately when you delete your account
• In-App Notification Events: Retained until you delete your account or mark notifications as read for more than 90 days
• Payment Records: As required by tax and accounting laws (typically 7-10 years)

When you delete your account, we delete or anonymize your personal information within 30 days. The deletion sweep covers your profile, contacts, notifications, audit logs, and login attempt records linked to your email or username, except where retention is required by law (notably payment records for tax compliance).

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of Access (Art. 15): Request a copy of your personal data we process
• Right to Rectification (Art. 16): Request correction of inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Request limitation of processing of your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with a supervisory authority (in Romania: ANSPDCP - Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal)

To exercise these rights, contact us at privacy@myzo.link or use the controls available in your account settings. We will respond to your request within 30 days.

9.1 In-App Privacy Controls

In addition to the rights listed above, you can manage the following privacy preferences directly from your account settings:

• Allow connections: control whether other MYZO users can save your profile to their connections
• Let people know when I add them: control whether the people you save receive a notification with your name (off by default)
• Show in Explorer: control whether your profile appears in the public discovery feed
• Marketing consent: opt in or out of promotional emails at any time
• Analytics: opt in or out of usage-analytics collection
• Restrict processing (GDPR Article 18): pause processing of your data while a dispute about accuracy or lawfulness is being resolved

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data as required by GDPR Article 32, including:

• Encryption of data in transit using TLS 1.2+
• Secure password hashing using industry-standard algorithms
• Regular security assessments and updates
• Access controls and authentication measures
• Authentication tokens kept in browser memory only, never persisted to disk, to limit exposure from cross-site scripting
• Content Security Policy enforced at the network layer to restrict the origins from which scripts and resources can load
• Authenticated API responses marked as private and non-cacheable so personal data cannot land in intermediate caches
• Regular automated backups
• Data breach notification procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.

11. Cookies and Tracking Technologies

We use cookies in accordance with the ePrivacy Directive:

• Strictly Necessary Cookies: Required for the Service to function (session management, authentication)
• Analytics Cookies: Help us understand how you use our Service (only with your consent)

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.

12. Third-Party Links and Embedded Content

MYZO profiles may contain links to third-party websites and embedded content from external services (YouTube, Spotify, etc.). We are not responsible for the privacy practices of these third parties.

When you interact with embedded content, those third-party services may collect information about you according to their own privacy policies. We encourage you to review their policies before interacting with embedded content.

13. Children's Privacy

MYZO is not intended for children under the age of 16 in the European Economic Area, or under 13 in other jurisdictions. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@myzo.link, and we will take steps to delete such information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last updated" date
• Sending you an email notification for significant changes

Your continued use of the Service after changes indicates your acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:

You also have the right to lodge a complaint with the Romanian Data Protection Authority (ANSPDCP) or your local supervisory authority if you believe your data protection rights have been violated.