Privacy Policy

Last updated:

1. Who we are

Kardma is a digital business-card and email-signature platform operated by PlusNarrative (Pty) Ltd ("Kardma", "we", "us"), a private company registered in South Africa.

For the purposes of the Protection of Personal Information Act, 2013 (POPIA), Kardma acts as a Responsible Party when we process personal information about visitors to our marketing site and people who interact with our public-facing forms, and as an Operator when we process personal information about employees of our customer organisations on their behalf.

Where Kardma is an Operator, the data-handling commitments below are supplemented by the Data Processing Agreement (DPA) executed with the customer organisation.

2. Information we process

We process the following categories of personal information:

About employees of customer organisations

  • Full name and surname
  • Corporate email address
  • Mobile telephone number
  • Job title
  • LinkedIn profile URL (optional)
  • Profile photograph (optional)
  • Office location address (optional)
  • Organisation and subsidiary affiliation
  • Account status and role within their organisation
  • Audit trail of administrative actions affecting their account

About people who use a public vCard's lead-capture form

  • Full name and email address (required)
  • Telephone number, company name, and free-text message (optional)
  • The IP address and browser user agent used at the moment consent was given, retained as evidence of explicit consent
  • A reference to the specific vCard that was viewed
  • Timestamp of capture

About visitors to our marketing site

  • Standard server-log information (IP address, browser type, pages requested, timestamp), retained for security and operational diagnostics

We do not knowingly process special-category personal information (as defined in POPIA s.26) such as identity numbers, banking details, health information, or biometric identifiers.

3. Why we process it

The personal information described above is processed for the following purposes:

  • To provide the Service — creating and serving each user's digital vCard and email signature, generating QR codes and shareable links, and enabling administrative management.
  • Lead capture — at the explicit request of a vCard owner's contact, transmitting that contact's details to the vCard owner for follow-up.
  • Security, audit, and accountability — recording administrative changes, investigating misuse, and meeting our POPIA obligations.
  • Service communications — sending operational notifications relating to a user's account (sign-in links, approval notifications, security alerts).
  • Improving the Service — analysing aggregated, non-identifying usage information to improve features and reliability.

We do not use any personal information for direct marketing without explicit opt-in consent obtained separately at the moment we wish to use it.

4. Lawful basis

We rely on the following lawful bases under POPIA s.11(1) for the processing described above:

  • Consent — the data subject voluntarily provides the information for an articulated purpose (most notably, public vCard lead-capture submissions, which require an explicit consent action before submission).
  • Performance of a contract — to deliver the Service to our customer organisations and their employees in terms of executed service agreements.
  • Legitimate interest — for audit logging, security, and limited operational diagnostics, where these are necessary and proportionate to operating the Service.

Where consent is the basis of processing, the data subject may withdraw that consent at any time using the contact details in section 12.

5. How we collect it

Personal information is collected directly from the data subject (when an employee completes their own profile, or when a visitor submits a lead-capture form) or from the customer organisation that the employee belongs to (during onboarding, when the organisation provides an initial list of employees to invite).

Where the customer organisation provides information about its employees, the customer is responsible for ensuring it has established a lawful basis to share that information with us as an Operator.

6. Who we share it with

We use a small number of trusted infrastructure providers to operate the Service. These providers act as our sub-processors and are contractually bound to confidentiality and security obligations equivalent to those described in this policy.

Provider | Function | Location
Vercel Inc. | Application hosting + edge network | Global edge; primary region in EU / US
Supabase Inc. | Database and file storage | EU / US (per organisation configuration)
Clerk Inc. | Identity and authentication | EU / US
OpenStreetMap Foundation (Nominatim) | Office-location address autocomplete (search-only; no personal information transmitted) | Public infrastructure
Infisical | Operational secrets management (no end-user data processed) | EU / US

We do not sell, rent, or otherwise commercialise personal information to third parties. Where the recipient of a public vCard lead-capture submission is the vCard owner identified at the moment of submission, the sharing is at the explicit direction of the data subject.

7. Cross-border transfer

Some of our sub-processors store personal information outside the Republic of South Africa, typically in the European Union or the United States. We rely on contractual provisions and the sub-processors' own POPIA / GDPR commitments to ensure that the level of protection afforded to your personal information remains equivalent to that required under POPIA s.72.

The specific data-residency configuration for a customer organisation is established during onboarding and documented in that customer's DPA.

8. How long we keep it

  • Active user accounts — for the duration of the customer organisation's subscription.
  • Lead-capture submissions — by default for 36 months from the date of submission, after which the record is automatically deleted unless the customer extends retention.
  • Audit log records — for the duration of the subscription plus 12 months thereafter, for forensic and dispute-resolution purposes.
  • Backups — for up to 30 days as part of the standard backup rotation.
  • On termination — the customer organisation has 30 days to export its data, after which production data is deleted within a further 60 days. Backups expire on their natural rotation.

9. Your rights

As a data subject under POPIA you have the right to:

  • Access the personal information we hold about you
  • Correct personal information that is inaccurate, misleading, or outdated
  • Request deletion of personal information no longer necessary for the purposes for which it was collected
  • Object to the processing of your personal information on reasonable grounds
  • Withdraw consent where processing is based on your consent
  • Lodge a complaint with the Information Regulator (see section 13)

To exercise any of these rights, contact us using the details in section 12. We will acknowledge your request within 7 working days and respond substantively within 30 days, as POPIA requires.

Submit a request online

You can submit a request to access, correct, delete, or object to processing of your personal information using our online form. No account needed.

Where you are an employee of one of our customer organisations, your rights may also be exercised through your organisation's administrator, who has direct access to view, edit, and remove employee records.

10. Security

We protect personal information using appropriate technical and organisational measures, including:

  • TLS encryption for all data in transit
  • Encryption at rest within our managed-database and storage providers
  • Role-based access control with least-privilege defaults
  • Multi-factor authentication for all personnel with production access
  • An immutable audit log of administrative actions
  • Application-level isolation of each customer organisation's data
  • Secrets management via a dedicated vaulting provider; no credentials in source control

No security measure is absolute. If we become aware of a compromise of personal information, we will notify affected data subjects and the Information Regulator within 72 hours, as POPIA s.22 requires.

11. Cookies and tracking

Kardma uses cookies and similar technologies only as strictly necessary to operate the Service — primarily, session cookies issued by our authentication provider (Clerk) to keep you signed in. We do not currently use third-party analytics or advertising cookies. If that changes, this policy will be updated and (where required) consent will be requested.

12. How to contact us

For any privacy-related query, data-subject request, or suspected incident, contact:

Email: privacy@kardma.app

Information Officer: [Name to be confirmed], appointed in accordance with POPIA s.55–56 and registered with the Information Regulator.

Postal address: PlusNarrative (Pty) Ltd, [registered office address to be confirmed], South Africa.

13. Lodging a complaint

If you believe we have failed to handle your personal information lawfully, you have the right to lodge a complaint with the Information Regulator of South Africa:

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Website: inforegulator.org.za

Email: complaints.IR@justice.gov.za

We would appreciate the opportunity to address your concern directly first.

14. Changes to this policy

We may update this policy from time to time as the Service evolves, as our sub-processors change, or as required by law. The "Last updated" date at the top reflects the most recent substantive change. For material changes, we will give customers reasonable advance notice.