Privacy Policy

2.1 Information You Provide

• Account Information: Email address, password (stored using secure one-way hashing - we cannot see your password), and optional recovery email address
• Payment Information: Processed securely through Stripe; we do not store credit card numbers, CVV codes, or complete card details on our servers
• Content: Text, images, links, and other content you create on your URL pages
• Communications: Messages, support requests, and other communications you send to us

2.2 Information Collected Automatically

When anyone visits any page on the nfcalchemy.com domain (including your public URL pages), we automatically collect the following information:

• Location Data (City-Level)

  We use third-party IP geolocation services (ipapi.co) to determine the approximate geographic location (city, region, country) associated with the visitor's IP address. This location data is collected automatically for all visitors without requiring consent, as it is necessary for providing analytics to page owners and for security/fraud prevention purposes.

• Hashed IP Address

  We create a one-way cryptographic hash (SHA-256) of the visitor's IP address. We do NOT store raw IP addresses. The hash allows us to identify unique visitors without retaining personally identifiable IP information. This hash cannot be reversed to obtain the original IP address.

• Timestamp

  The date and time of each page visit

• Page URL

  Which page was visited

• QR Code Visit Flag

  Whether the visit originated from scanning a QR code

• Browser Geolocation (Consent Required)

  If a page owner has enabled geolocation features AND the visitor grants permission through their browser, we may collect precise latitude, longitude, and accuracy data. This is the only location data that requires explicit visitor consent.

2.3 Analytics Data Provided to Page Owners

If you create URL pages on NFC Alchemy, you will have access to analytics about visitors to your pages, including:

• Total page views and unique visitor counts
• Geographic distribution of visitors (city/country level)
• Visit timestamps
• QR code scan statistics
• Device and browser information (when available)

2.4 Cookies and Session Data

We use the following cookies and session technologies:

• Session Cookies: Essential cookies that maintain your login state and authentication. These expire after 8 hours of inactivity or when you log out.
• Authentication Tokens: Secure tokens used to verify your identity across requests

We do NOT use:

• Third-party advertising cookies
• Cross-site tracking cookies
• Cookies for behavioral advertising

Cookie Control: Most browsers allow you to refuse or delete cookies. However, disabling session cookies will prevent you from logging into your account and using authenticated features of the Service.

3.1 All URL Pages Are Publicly Accessible

All URL pages you create on nfcalchemy.com (URLs in the format nfcalchemy.com/page/[your-url]) are publicly accessible to anyone on the internet. There is no password protection or private access option for these pages.

3.2 Publicly Editable Pages

If you enable the "publicly editable" feature on a page, anyone who visits that page can modify its content. This includes:

• Editing text and formatting
• Adding or removing images
• Changing links and other content
• Modifying any visible data on the page

You are solely responsible for any content that appears on your publicly editable pages, including content added by third parties.

3.3 Location Data on Public Pages

If you choose to display location data, visitor analytics, or other information on your public pages, this information will be visible to all visitors. Exercise caution when deciding what data to make publicly visible.

3.4 Protecting Your URLs

If you notice malicious content, spam, or abuse on your URL pages, you can:

• Cycle/regenerate your URL through the dashboard controls to obtain a new URL and invalidate the old one
• Disable public editing if the page was publicly editable
• Delete the page entirely from your account
• Report abuse to us at [email protected]

5.1 Service Providers

We share information with third-party vendors who perform services on our behalf:

• Stripe: Payment processing - receives your email address and payment information to process subscriptions
• ipapi.co: IP geolocation service - receives visitor IP addresses to determine geographic location
• DigitalOcean: Cloud hosting and infrastructure - hosts our servers and databases
• Email Services: Transactional email delivery for account verification, password resets, and notifications

5.2 Analytics to Page Owners

Visitors to your URL pages will have their visit data (location, timestamp, page views) shared with you through your analytics dashboard. Visitors should be aware that page owners can see aggregate analytics about traffic to their pages.

5.3 Legal Requirements

We may disclose information if required by law or in good faith belief that such action is necessary to:

• Comply with subpoenas, court orders, or legal process
• Respond to lawful requests from law enforcement agencies
• Protect our rights, privacy, safety, or property
• Investigate potential violations of our Terms of Service
• Protect against legal liability

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.

5.5 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6.1 Account Data

• Active Accounts: Your account information is retained while your account is active
• After Deletion Request

  Upon requesting account deletion, your data is retained for a maximum of 30 days before permanent deletion. This period allows for processing any pending subscription cancellations, completing any outstanding billing matters, and allowing you to recover your account if the deletion was accidental. After 30 days, all personal data is permanently and irreversibly deleted.

6.2 URL Page Content

Content on your URL pages is retained while your subscription is active. Upon subscription cancellation or account deletion, your URL page content is deleted according to the retention schedule above.

6.3 Analytics Data

• Visitor Analytics: Retained for up to 24 months to provide historical analytics to page owners
• Location and Hash Data: Retained for up to 24 months for analytics and security purposes

6.4 Our Right to Delete Data

As stated in our Terms and Conditions, we reserve the right to delete any account, data, or content at any time for any reason, including but not limited to violations of our Terms of Service, malicious or abusive activity, spam or automated abuse, inactivity, or at our sole discretion.

8.1 Account Information

You can review and update your account information (email, recovery email, password) through your account settings in the dashboard.

8.2 Data Export

You may request a copy of your personal data by contacting us at [email protected].

8.3 Account Deletion

You can request account deletion through your account settings. Upon deletion:

• Your account enters a 30-day retention period
• After 30 days, all personal data is permanently deleted
• URL pages and content are removed
• Analytics data associated with your pages is deleted

8.4 Cookies

You can control cookies through your browser settings. Most browsers allow you to view what cookies are stored, delete cookies individually or all at once, block cookies from specific or all websites, and set preferences for certain types of cookies.

Note: Blocking our session cookies will prevent you from logging into your account.

8.5 Opting Out of Analytics Collection

If you are a visitor to someone else's NFC Alchemy page and do not wish to have your visit logged:

• Use a VPN or proxy service to mask your IP address
• Use browser privacy features (private/incognito mode does not prevent this collection)
• Note that basic analytics collection (hashed IP, location) occurs automatically and cannot be disabled on a per-visitor basis

Your Rights

• Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

Categories of Personal Information Collected

How to Exercise Your Rights

To exercise your California privacy rights, contact us at [email protected] with your request type, email address associated with your account, and verification information as requested. We will respond within 45 days as required by law.

Your Rights

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of your data ('right to be forgotten')
• Restriction: Request restriction of processing in certain circumstances
• Portability: Request your data in a portable, machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent where processing is based on consent
• Lodge Complaint: File a complaint with your local data protection authority

Legal Basis for Processing

Data Controller

Board Craft LLC acts as the data controller for personal information collected through NFC Alchemy. To exercise your GDPR rights, contact us at [email protected]. We will respond within 30 days as required by law.