legal

privacy policy

last updated: 13 july 2026 · applies to the roloboop web app, mobile webapp, api and website

the short version

roloboop turns business cards into CRM contacts. We collect what we need to do that job, we don't sell your data, card images are deleted after processing, and you stay in control. The detail is below — written to be read, not skimmed past.

1. who we are

roloboop is a product of boopcat ltd, a company registered in England & Wales (company no. 16923037), registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom. For data collected through roloboop's website, app and dashboard about you as our customer, boopcat ltd is the data controller.

Questions, requests or complaints: manny@boopcat.co. We are registered with the UK Information Commissioner's Office (registration ref. ZC077244).

2. what we collect

  • Account data — your name, email address, password (hashed), company name, and billing details (handled by Stripe, our payment processor; we never see full card numbers).
  • Scanned card data — images of business cards you scan and the contact details extracted from them (name, role, company, email, phone, address, social handles). The card image is stored privately with the saved contact.
  • CRM connection data — authorisation tokens for the CRM you connect (HubSpot today). We never store your CRM password.
  • Usage data — how you use the app and dashboard (features used, scan counts, error logs), your device type and operating system.
  • Newsletter data — your email address and your consent record, if you subscribe.
  • Cookies — see our cookie policy.

3. why we use it, and our lawful bases

  • To provide the service (scanning, parsing, syncing to your CRM, your account and support) — necessary to perform our contract with you.
  • To bill you and keep required records — contract and legal obligation.
  • To improve roloboop (aggregated usage analytics, debugging) — our legitimate interest in running a good product; analytics cookies only with your consent.
  • To send you our newsletter and launch news — your consent, which you can withdraw at any time via the unsubscribe link in every email.
  • To keep the service safe (fraud and abuse prevention) — our legitimate interest.

4. scanned cards: your contacts' data

When you scan someone's business card, you are collecting their personal data. For that data, you are the controller and boopcat ltd acts as your processor — we process it only on your instructions to extract, store and sync it to your CRM. You are responsible for having a lawful basis to hold your contacts' details (for business-card exchanges this is typically legitimate interest) and for honouring their requests to be updated or deleted.

To help: images from abandoned scans are deleted automatically within about 24 hours; a saved contact's card image stays privately attached to that contact until you delete it. Deleting a contact in roloboop removes the record and its card image from our systems within 30 days (it does not delete the copy already synced to your CRM). Our processor commitments are set out in our terms of service; a signed data processing addendum is available on request.

5. who we share it with

We never sell or rent personal data, and we don't share it for cross-context behavioural advertising. We share data only with:

  • Your CRM provider — the one you connect (HubSpot today), on your instruction.
  • Service providers under contract with us — Vercel (hosting), Neon (database), Cloudflare (card-image storage), Anthropic (AI card reading), Stripe (payments), our email provider, and (with consent) analytics. Each is bound by a data processing agreement.
  • Authorities — if the law genuinely requires it.
  • A buyer or successor — if boopcat ltd is sold or merged, under the same protections; we'd tell you first.

6. international transfers

Several of our providers — including Vercel, Neon, Cloudflare, Anthropic and Stripe — process data in the United States. Where data leaves the UK/EEA, we rely on UK adequacy regulations, the UK International Data Transfer Agreement/Addendum, or EU Standard Contractual Clauses, plus technical safeguards such as encryption in transit and at rest.

7. how long we keep it

  • Card images — abandoned scans are deleted automatically within ~24 hours; a saved contact's image is kept until you delete the contact.
  • Contact records — for as long as your account is active, or until you delete them.
  • Account data — while your account exists, then deleted within 90 days of closure (billing records kept 6 years for tax law).
  • Newsletter data — until you unsubscribe.

8. security

Every record is bound to its owner — a request for anyone else's data simply returns "not found". Data is encrypted in transit (TLS 1.2+) and at rest (AES-256); CRM tokens are encrypted before storage; card images are private and served only through short-lived signed links. No system is perfect — if a breach ever affects you, we'll notify you and the relevant regulator as the law requires (within 72 hours to the ICO where applicable).

9. your rights (uk & eu)

Under the UK GDPR and EU GDPR you can ask us to: access the data we hold about you; correct it; delete it; restrict or object to processing (including direct marketing — we'll always stop); port it to another service in a machine-readable format; and withdraw consent at any time without affecting prior processing.

Email manny@boopcat.co — we respond within one month, free of charge. You can also complain to the Information Commissioner's Office (UK) or your local EU supervisory authority, though we'd appreciate the chance to sort it out first.

10. your california privacy rights (ccpa/cpra)

If you are a California resident, you have the right to: know what personal information we collect, use and disclose (it's what's in section 2, used as in section 3); access and correct it; delete it; opt out of sale or sharing; limit use of sensitive personal information; and not be discriminated against for exercising any of these rights.

We do not sell or share personal information as defined by the CCPA/CPRA, and we haven't in the preceding 12 months. We collect the categories: identifiers, commercial information, internet activity, and professional information (from scanned cards). We do not collect sensitive personal information beyond account credentials.

To exercise your rights, email manny@boopcat.co with "california request" in the subject. You may use an authorised agent; we'll verify the request via your account email. We respond within 45 days.

11. other us states

Residents of Virginia, Colorado, Connecticut, Utah, Texas and other states with comprehensive privacy laws have similar rights of access, correction, deletion, portability, and opt-out of targeted advertising and sales (we do neither). Use the same contact as above; if we decline a request you may appeal by replying to our decision.

12. children

roloboop is a business tool and isn't intended for anyone under 16. We don't knowingly collect children's data; if you believe we have, tell us and we'll delete it.

13. cookies

We use essential cookies, plus optional analytics cookies only with your consent. Full detail, including how to change your choice, is in our cookie policy.

14. changes to this policy

If we make material changes we'll email account holders and post a notice on this page at least 14 days before they take effect. The "last updated" date at the top always tells you the current version.

15. contact

boopcat ltd, 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom · manny@boopcat.co