Privacy Policy

1. Scope

This policy applies to card creation, AI prompt and upload workflows, account creation/login, dashboard and settings tools, payments and credits, recipient delivery flows, and related communications.

2. Categories of Personal Information We Collect

• Account information: name, email, auth identifiers, and account status metadata.
• Contact and recipient information: sender/recipient names, recipient email addresses, and delivery scheduling data.
• Payment information: package selection, checkout session data, transaction records, and billing metadata. Full payment card numbers are processed by Stripe, not stored by us.
• User content: prompts, card text/messages, uploads, generated images/audio, drafts, edits, and share metadata.
• AI generation metadata: generation timestamps, provider routing, moderation/safety outcomes, and related diagnostics.
• Device and usage data: IP address, browser/device signals, app interaction events, and error/security telemetry.
• Cookie and similar identifier data used for authentication, session continuity, analytics, and abuse prevention.
• Support communications: request content and follow-up information when you contact support.
• OAuth profile data if you sign in through a social login provider (for example Google).
• Sensitive content you choose to submit inside prompts, uploads, or card messages.

3. Sources of Personal Information

• Directly from you.
• From recipients when delivery/open events occur.
• From service providers such as payment, email, and authentication vendors.
• From analytics, security, and diagnostic systems.
• From OAuth providers when social login is used.

4. How We Use Personal Information

• Provide account access, card creation, editing, scheduling, and delivery.
• Generate requested AI outputs (image/text/music) and associated card assets.
• Process purchases and maintain credit balances.
• Send transactional messages (verification, delivery, billing, and account notices).
• Send optional promotional emails and campaign-related offer messages when you have affirmatively opted in to receive them.
• Attribute promotional signups, experiments, and eligible welcome-offer redemptions to the campaign or flow that led to them.
• Detect and prevent abuse, fraud, spam, and security incidents.
• Debug, maintain, and improve reliability, moderation, and feature quality.
• Comply with legal obligations and enforce our Terms and safety policies.

5. AI Features, Prompts, Uploads, and Generated Content

We use third-party AI/media providers to process prompts and requested generation tasks. This can include prompt text, style inputs, uploaded references, and generation settings.

• We store generated outputs and related card data so you can edit, schedule, share, and resend cards.
• Card links may be viewable by anyone with the link once shared or delivered.
• Authorized personnel may review content for support, safety, abuse prevention, and reliability operations.
• AI outputs may be moderated and blocked/removed if they violate law, policy, or platform safety requirements.

Training disclosure: we do not use your private card content to train our own foundation models. Third-party providers may retain limited data for abuse detection, security, or service integrity according to their terms and our configuration.

Please avoid submitting highly sensitive information in prompts or uploads unless necessary for your intended card.

6. Marketing Emails, Promotions, and Consent

Card for Fun may offer optional promotions, such as welcome offers tied to a marketing-email signup. These promotional flows are separate from account creation and are not required to use the service.

• We send promotional emails only after a clear affirmative action, such as checking an unchecked consent box and submitting the form.
• We record the consent event and related metadata needed to administer the campaign, measure performance, prevent abuse, and connect the offer to a later account signup or purchase.
• That information may include the email address provided, timestamp, source surface, experiment variant, marketing campaign parameters, analytics identifiers, and whether the offer was saved, redeemed, or unsubscribed.
• If you unsubscribe, we keep a suppression record so we do not resume promotional emails to that email address by mistake.
• Where we sync promotional contacts into Resend for Topics, Segments, or future Broadcasts, we use the same suppression and unsubscribe state so opted-out addresses are not intentionally included in later marketing sends.
• Unsubscribing from marketing emails does not stop transactional or relationship emails such as receipts, account notices, password resets, or card delivery messages.

We aim to process unsubscribe requests promptly and, where applicable, within the timeframes required by law.

7. How We Share Personal Information

We disclose personal information to service providers that process data on our behalf, including:

• Infrastructure/database/authentication providers (including Supabase).
• Payment processors (including Stripe).
• Transactional email providers (including Resend).
• Analytics and error monitoring providers (including PostHog and Sentry).
• AI/media generation providers used for requested outputs.
• Security, legal, accounting, and professional advisors when required.

We may also disclose personal information for legal process, law-enforcement requests, fraud/abuse defense, or corporate transactions.

We do not currently sell personal information for money. We also do not currently use third-party ad networks for cross-context behavioral advertising. If that changes, we will update this policy and required opt-out controls before launch of that processing.

8. Cookies, Analytics, and Similar Technologies

We use cookies/local identifiers and similar technologies for authentication, security, session continuity, and analytics.

• Essential/session technologies for core product security.
• Analytics technologies for product diagnostics.
• Local storage or similar browser storage to frequency-cap optional promotional popups, remember dismissals, and avoid repeatedly showing the same promotional prompt.
• Error diagnostics with privacy controls, including suppression of direct PII fields in error telemetry where configured.

Blocking essential cookies may prevent login and other critical functionality.

9. U.S. State Privacy Rights

Depending on your state of residence, you may have rights to access/confirm, correct, delete, and obtain a portable copy of personal information, and to opt out of certain processing.

Where applicable, this can include rights to:

• Opt out of sale of personal information.
• Opt out of sharing for cross-context behavioral advertising.
• Opt out of targeted advertising.
• Opt out of qualifying profiling for significant decisions.
• Limit use/disclosure of sensitive personal information where required.
• Appeal a denied request where state law grants appeals.
• Use authorized agents as permitted by law.
• Receive non-discriminatory treatment for exercising rights.

Request submission: email privacy@cardforfun.com from your account email and include the request type, or use our Privacy Requests page.

Identity verification: we may request reasonable information to verify identity before fulfilling requests.

Appeal process: if we deny your request, you may appeal by replying to our denial email with subject line "Privacy Appeal" within 30 days.

10. California Privacy Notice

This section applies to California residents and is intended to support CCPA/CPRA notice obligations.

• Categories collected in the past 12 months: identifiers, account/contact data, payment metadata, internet/network activity, user content, and inferences/metadata needed to run the service.
• Sources: directly from users, recipients, service providers, integrations, and analytics/security systems.
• Business/commercial purposes: described in Section 4 of this policy.
• Categories disclosed for business purposes: categories listed in Section 6 to service providers and processors.
• Sale/share: we do not currently sell personal information for money and do not currently share personal information for cross-context behavioral advertising.
• Sensitive personal information: we process sensitive information only as reasonably necessary to provide requested services, secure the platform, and comply with law.

If our practices change in a way that triggers California "Do Not Sell or Share" or related link requirements, we will add those controls before the processing goes live.

California residents can also use our Privacy Requests page to submit access, deletion, correction, or appeal requests.

11. Sensitive Data, Biometric/Likeness Data, and AI Content Risks

Prompts, card messages, and uploads may contain sensitive personal information. Users control what they submit.

• We may process faces, likenesses, and other identifying visual details in uploaded images for generation requests.
• We do not use uploaded images for identity verification and do not intentionally create biometric templates (for example faceprints or voiceprints) for identification purposes.
• Do not upload images or content you do not have rights or permissions to use.
• Access to sensitive content is restricted to authorized personnel with operational need.

12. Children and Minors

Card for Fun is a general-audience service and is not directed to children under 13. We do not knowingly collect personal information directly from children under 13.

If you believe a child under 13 provided personal information, contact privacy@cardforfun.com so we can investigate and take appropriate action.

Users who upload photos or information about minors are responsible for having appropriate rights and permissions.

13. Automated Decision-Making and Profiling

Our AI features are used to generate creative card content. We do not use personal information for eligibility decisions in areas like credit, employment, housing, insurance, health care, or education.

We may use automated systems for moderation, abuse prevention, and anti-fraud operations.

14. Data Retention

We retain personal information based on service needs, legal obligations, fraud/security needs, and account lifecycle. Current retention approach:

15. Security

We maintain administrative, technical, and organizational safeguards designed for the sensitivity of the data we process.

• Encryption in transit and platform-level access controls.
• Auth checks and ownership checks on private API/data paths.
• Least-privilege principles for production access.
• Monitoring and alerting for reliability and abuse signals.

No system is perfectly secure. You should also protect your account credentials and device security.

16. International Users

Card for Fun is currently oriented to U.S. operations. If you use the service from outside the U.S., your information may be processed in the U.S. or other jurisdictions where our providers operate.

17. Legal and Regulatory Context

We monitor evolving U.S. privacy and consumer-protection requirements, including state comprehensive privacy laws and sector-specific obligations where applicable. This policy may be updated to reflect law changes, product changes, or vendor changes.

18. Changes to This Policy

We may update this policy from time to time. Material updates are posted here with updated dates. Continued use after an update means the updated policy applies.

19. Contact Us

Privacy requests and questions: privacy@cardforfun.com

Related terms: review our Terms of Service.