Privacy Policy

Introduction

Cardify ("we", "our", "us"), a service of BHD Group (Bin Haider Darwish LLC, C.R. No. 1334733), takes your privacy seriously. This policy explains what data we collect, why, how we store and protect it, and what rights you have. It is aligned with Oman’s Personal Data Protection Law (PDPL) and respects GDPR-style requests from international users.

Information we collect

We collect only what is needed to deliver the service:

• Identity and contact: name, email, phone, company, job title.
• Card content: the text, photos, logos and design choices you put on your cards.
• Payment data: billing address and the last four digits of your card. We never see or store full card numbers; Paymob handles those.
• Device and usage: IP address, browser, OS, pages viewed, actions taken, all used to secure the service and improve it.
• Cookies: a minimal session cookie (required) and optional analytics cookies that you can decline.

How we use your data

• Create and deliver your digital and printed cards.
• Authenticate you and protect your account.
• Process payments and issue invoices in OMR.
• Respond to support, sales and partnership inquiries.
• Improve the product (aggregate analytics, no individual profiling).
• Comply with Omani law, tax reporting and court orders.

Who we share data with

• Print partners (BHD Printing & Designing and marketplace shops) receive only the card design and shipping address, nothing more.
• Payment processor (Paymob) to settle OMR transactions under Oman Central Bank rules.
• ERP (internal to BHD Group) for invoicing and accounting.
• Hosting (Hostinger KVM, Muscat region) for storage and uptime.
• Legal authorities when required by Omani law or a court order.

Data retention

We keep account data for as long as your account is active, plus 24 months after closure for tax and dispute retention. Print order records are kept for 7 years to comply with Omani commercial-book requirements. You can request earlier deletion and we will honour it except where law requires us to keep specific records.

Data security

• TLS 1.2+ on every request, HSTS enforced.
• Passwords hashed with bcrypt, never stored in plain text.
• Session cookies marked Secure, HttpOnly, SameSite=Lax.
• Audit-log table is append-only at the database level.
• Regular nightly backups, stored encrypted off-box.

Your rights

You can always:

• Access a copy of your personal data (self-service export from the admin portal).
• Correct inaccurate data by editing your profile or contacting us.
• Request deletion of your account and associated data.
• Object to specific processing, such as analytics cookies.
• Withdraw consent for marketing emails at any time via the unsubscribe link.
• Lodge a complaint with Oman’s Ministry of Transport, Communications and Information Technology if you believe we have mishandled your data.

International transfers

Our servers are in Oman. Some processors (Paymob for payments, Google for fonts, Hostinger for infrastructure) may process data in their own regions under contractual safeguards. We do not sell your data to anyone.

Changes to this policy

We may update this policy to reflect new features or legal changes. If a change is material, we will notify you by email or in-product banner before it takes effect, and keep the prior version available on request.

Contact

Questions about this policy, or to exercise any of your rights, email [email protected] or use the Cardify contact page.