Privacy Policy
Last updated: January 2025
Effective Date: January 1, 2025
1. Introduction
Cardy ("we," "us," or "our") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered personalized card service, including our website, mobile application, and related services (collectively, the "Service").
By using our Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
2. Information We Collect
2.1 Personal Information You Provide
We collect information you voluntarily provide when using our Service:
- Account Information: Name, email address, password, phone number, and billing address
- Payment Information: Credit card details, billing information, and transaction history (processed securely through third-party payment processors)
- Recipient Information: Names, email addresses, postal addresses, and relationship details of card recipients
- Personal Notes: Special information about recipients, preferences, interests, and personalization details
- Important Dates: Birthdays, anniversaries, holidays, and other significant occasions
- Communication Data: Messages, feedback, and correspondence with our customer support team
2.2 Information Automatically Collected
We automatically collect certain information when you use our Service:
- Usage Data: Cards sent, delivery status, login times, feature usage, and service interactions
- Device Information: IP address, browser type, operating system, device identifiers, and mobile network information
- Location Data: General geographic location based on IP address (not precise location)
- Cookies and Tracking: Website interactions, preferences, and analytics data through cookies and similar technologies
- Log Data: Server logs, error reports, and system performance data
2.3 Information from Third Parties
We may receive information from:
- Payment processors regarding transaction status and fraud prevention
- Email service providers regarding delivery status and engagement metrics
- Analytics providers for service improvement and user behavior insights
- Social media platforms if you choose to connect your accounts
3. How We Use Your Information
3.1 Primary Service Functions
- Generate personalized AI-powered greeting cards based on recipient information
- Schedule and deliver cards to recipients via email
- Process payments and manage your credit balance
- Maintain your account and provide customer support
- Send service notifications, reminders, and important updates
3.2 Service Improvement and Analytics
- Analyze usage patterns to improve our AI algorithms and personalization
- Monitor service performance and identify technical issues
- Conduct research and development for new features
- Generate anonymized analytics and insights
3.3 Legal and Security Purposes
- Comply with legal obligations and regulatory requirements
- Prevent fraud, abuse, and unauthorized access
- Protect our rights, property, and safety, and those of our users
- Enforce our Terms of Service and other agreements
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your personal data based on:
- Contract Performance: Processing necessary to provide our Service and fulfill our contractual obligations
- Legitimate Interests: Service improvement, fraud prevention, and business operations
- Consent: Marketing communications and optional features (where consent is obtained)
- Legal Obligation: Compliance with applicable laws and regulations
5. Information Sharing and Disclosure
5.1 We Do Not Sell Your Data
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
5.2 Service Providers
We share information with trusted third-party service providers who assist us in operating our Service:
- Payment Processors: Stripe, PayPal, and other payment services for transaction processing
- Email Services: SendGrid, Mailgun, or similar services for card delivery
- Cloud Infrastructure: AWS, Google Cloud, or similar providers for data storage and processing
- Analytics Providers: Google Analytics and similar services for usage analysis
- Customer Support: Help desk and communication platforms
5.3 Legal Requirements
We may disclose your information when required by law or to:
- Comply with legal processes, court orders, or government requests
- Protect against fraud, security threats, or illegal activities
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of Cardy, our users, or the public
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
6. Data Security
6.1 Security Measures
We implement comprehensive security measures to protect your information:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication for employees
- Network Security: Firewalls, intrusion detection, and regular security monitoring
- Regular Audits: Security assessments and vulnerability testing
- Data Minimization: Collection and retention of only necessary information
6.2 Data Breach Response
In the unlikely event of a data breach, we will:
- Investigate and contain the breach immediately
- Notify affected users within 72 hours where required by law
- Report to relevant authorities as required
- Take steps to prevent future incidents
7. Data Retention
7.1 Retention Periods
- Account Data: Retained while your account is active and for 2 years after closure
- Transaction Records: Retained for 7 years for tax and legal compliance
- Recipient Information: Retained while your account is active or until you delete it
- Usage Logs: Retained for 12 months for security and service improvement
- Marketing Data: Retained until you opt out or for 3 years of inactivity
7.2 Data Deletion
You may request deletion of your personal data at any time. We will delete your information within 30 days, except where retention is required by law.
8. Your Privacy Rights
8.1 Access and Control
You have the right to:
- Access: Request a copy of your personal information
- Rectification: Correct inaccurate or incomplete information
- Erasure: Request deletion of your personal information
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your information
- Objection: Object to processing based on legitimate interests
8.2 Marketing Communications
You can opt out of marketing emails by:
- Clicking the unsubscribe link in any marketing email
- Updating your preferences in your account settings
- Contacting our support team
8.3 Exercising Your Rights
To exercise your privacy rights, contact us at privacy@cardymail.com. We will respond within 30 days and may require identity verification.
9. Cookies and Tracking Technologies
9.1 Types of Cookies
- Essential Cookies: Required for basic service functionality
- Performance Cookies: Help us understand how you use our Service
- Functional Cookies: Remember your preferences and settings
- Marketing Cookies: Used for targeted advertising (with consent)
9.2 Cookie Management
You can control cookies through your browser settings. Note that disabling certain cookies may affect Service functionality.
10. Third-Party Services and Links
Our Service may contain links to third-party websites or integrate with external services. This Privacy Policy does not apply to third-party services, and we encourage you to review their privacy policies.
11. Children's Privacy
Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware of such collection, we will delete the information immediately.
12. International Data Transfers
12.1 Cross-Border Processing
Your information may be processed in countries other than your country of residence, including the United Kingdom and United States, where our servers and service providers are located.
12.2 Transfer Safeguards
We ensure adequate protection for international transfers through:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for certain countries
- Other appropriate safeguards as required by law
13. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected and how it's used
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising privacy rights
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:
- Post the updated policy on our website
- Update the "Last updated" date
- Notify you of material changes via email or in-app notification
- Obtain consent for changes that expand our use of your information
15. Contact Information
15.1 Privacy Inquiries
For privacy-related questions, requests, or concerns, contact us at:
Email: privacy@cardymail.com
General Contact: hello@cardymail.com
15.2 Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at:
Email: dpo@cardymail.com
15.3 Supervisory Authority
If you're in the EU/EEA and have concerns about our data practices, you may lodge a complaint with your local data protection authority.
This Privacy Policy is designed to help you understand how we collect, use, and protect your personal information. We are committed to maintaining your trust and protecting your privacy.