Cyber Security Policy

Last updated: 26 September 2025

Who we are

NFC Solutions Ltd t/a NFC Tagify provides digital business cards, NFC products, and a companion app. Our online shop is powered by Shopify for orders. For the app and customer accounts we act as Data Controller. For checkout and payments Shopify acts as our service provider and processes personal data under its Data Processing Addendum. 

Hosting and data location

Our application and databases are hosted in the United Kingdom. We do not intentionally transfer personal data outside the UK. If a transfer is ever required, we will use UK GDPR-compliant safeguards, for example adequacy, the UK IDTA or appropriate safeguards as set out by the ICO.

What we collect and why

  • Account and profile details you choose to provide, for example name, role, company and contact links

  • Order information needed to fulfil purchases in Shopify

  • Essential technical logs, for example device and IP metadata, to keep the service reliable and secure

We do not use personal data for marketing without consent. We send only essential service emails such as account verification, security alerts, maintenance notices and order confirmations.

Security principles

We follow a risk-based approach consistent with ICO and NCSC guidance. Our goal is to protect the confidentiality, integrity and availability of your data by using appropriate organisational and technical measures.

How we protect your data

Access and governance

  • UK-based staff only, least-privilege access, role-based controls and multi-factor authentication for administrative access

  • Access to production data is restricted and logged, with approvals and reviews

  • Regular policy reviews and training for relevant staff, aligned to UK guidance for small businesses and GDPR security outcomes

Network and application security

  • Protective monitoring to detect unusual traffic, automated scraping, and abuse

  • Layered bot and scraping defences with IP reputation, rate limiting and behavioural signals

  • Web application firewall, input validation and output encoding to reduce common web risks

  • Segregated environments, secure secrets management and timely dependency patching

Authentication and authorisation

  • Secure session and token management

  • Role-based access for users, admins and company administrators

  • Optional multi-factor authentication readiness for high-risk actions

Data protection

  • Separation between public profile content and private account information

  • Row Level Security in our databases to help ensure users can access only what they should

  • Encrypted transport for data in motion and secure storage of sensitive secrets

  • Controlled file uploads with type validation and access controls

Monitoring and response

  • Security event logging with alerting for suspicious activity

  • Automated safeguards to slow or block abusive behaviour

  • A documented incident response process including assessment, containment and notification where required by UK GDPR and ICO guidance

Business continuity

  • Regular, encrypted backups and restore testing

  • Service continuity planning for critical components

Public profiles, sharing and your choices

Digital business cards are designed for sharing. Although profiles are not indexed for search and we apply multiple controls to deter automated scraping, anything you publish to a public profile can be captured or reshared by others. Do not add sensitive or confidential information to public profiles.

You can at any time:

  • Disable or change your public profile link

  • Edit or remove information

  • Delete your account and associated profile data, subject to legal retention obligations

Vulnerability disclosure

We welcome responsible disclosure. Please report security issues using the contact below. We also support the industry-standard security.txt location to make reporting easier.

Your rights and contact

You can request access, correction, deletion, restriction or portability of your personal data. For requests relating to Shopify orders we follow Shopify’s guidance for merchants.

Contact: info@nfctagify.com, +44 1600 800080. You can learn more about UK data protection rights at GOV.UK and the ICO.