Privacy Policy

Information We Collect

Personal Information You Provide

• Name, email address, phone number, and mailing or billing address
• Payment details (processed securely through PCI-compliant third-party processors such as Stripe)
• Recipient details (names and mailing addresses) that you provide for card delivery

Handwriting and Font Data

• Handwriting samples you upload or create using our scanning and handpad tools
• Digital font files generated from your handwriting samples
• Calibration data, glyph variants, and ligature information used to refine your font

Content You Create

• Personal messages, notes, or greetings you write or generate using our AI-assisted writing tools
• Images, logos, or other visual content uploaded during card design
• Card designs, layouts, and formatting preferences

Automatically Collected Information

• Device information, browser type, and operating system
• IP address, referral URLs, and site interaction data
• Cookies and similar technologies used for analytics, personalization, and marketing

We use Google Analytics, Meta Pixel, and similar tools to help us understand how visitors use our platform. See Section 7 (Cookies and Tracking) for full details, including a complete list of cookies, third-party processors, and how to manage your consent.

Recipient Information

When you provide recipient names, addresses, or other contact details for card delivery, we collect and process that information solely to fulfill your order. Recipients are not required to create an account and have not agreed to this Privacy Policy directly. We use recipient information only for the purpose of delivering cards on your behalf and do not use it for marketing, profiling, or any other purpose. See Section 5 (Recipient Data) for retention details.

How We Use Your Information

• Provide, personalize, and improve our website and services
• Process transactions, orders, and card deliveries
• Generate, store, and refine your personalized digital handwriting font
• Display your handwriting on the website and in card previews
• Produce and send physical cards on your behalf using pen plotter technology
• Communicate with you about your projects, account, orders, or support requests
• Assist with writing or content generation through integrated AI tools
• Maintain security, detect fraud, and ensure quality control
• Comply with legal obligations and enforce our Terms of Service

Handwriting Data and Your Privacy

We understand that your handwriting is unique to you and may be considered sensitive personal information under certain privacy laws. We are committed to treating your handwriting data with the same level of protection as biometric data, regardless of whether it is legally classified as such in your jurisdiction.

Our Commitments Regarding Your Handwriting Data

• Your handwriting samples and generated fonts are used solely to display your handwriting on the ThankYou.Cards platform and to produce and send physical cards on your behalf.
• We never sell, license, trade, or otherwise profit from your handwriting data or generated fonts beyond providing our core service to you.
• We never share your handwriting data or generated fonts with third parties for their own purposes. The only third-party access is our printing and fulfillment infrastructure, which processes your font solely to produce your cards.
• We never use your handwriting data for identification, authentication, surveillance, or profiling of any kind.
• We never use your handwriting data to train machine learning models for purposes unrelated to improving your personal font experience.
• Your handwriting font remains your intellectual property at all times.

Pre-Account Handwriting Collection

Our platform allows you to create a handwriting font before creating an account. When you use this feature, we collect your handwriting sample and generate a font file. By uploading your handwriting sample, you consent to this processing. This consent is obtained through a clear notice and acceptance prompt displayed before you submit your handwriting, separate from and prior to account creation. When you subsequently create an account, your font and handwriting data are linked to that account and become subject to your full account rights, including the right to request deletion at any time.

Retention and Deletion of Handwriting Data

• Active accounts: Your handwriting samples, generated fonts, and calibration data are retained for the duration of your account.
• Account deletion: Upon your request to delete your account, we will permanently destroy all handwriting samples, generated font files, glyph variants, and calibration data within 30 days.
• Pre-account data (no account created): If you create a font but never create an account, we retain that data for 12 months from the date of creation, after which it is permanently deleted.
• You may request deletion of your handwriting data at any time by emailing info@thankyou.cards, regardless of whether you maintain an active account.

AI and Content Generation

Our platform may integrate third-party AI services to help you draft, edit, or refine card messages. When you use these features:

• We send only the minimum data necessary (such as your prompt or draft text) to the AI provider to generate a response.
• We do not send your handwriting data, font files, recipient information, or account details to AI providers.
• Your messages and prompts are not used to train third-party AI models. We use API configurations that opt out of model training where available.
• You are responsible for reviewing and approving all AI-generated content before sending.
• We are not liable for the accuracy, appropriateness, or originality of AI-generated content.

Recipient Data

When you provide names, addresses, or other details about the people you want to send cards to, that information is considered third-party personal data. We handle it with special care:

• Recipient data is used exclusively to fulfill and deliver your card orders.
• We never use recipient data for marketing, advertising, or any purpose beyond card delivery.
• We never sell, share, or disclose recipient data to third parties except shipping carriers and fulfillment partners as necessary to complete delivery.
• Recipient mailing addresses and names are retained for 90 days following confirmed delivery or shipment, after which they are permanently deleted. Order history (without recipient addresses) is retained for your records.
• If you maintain a saved recipient list in your account, that data is retained until you delete it or close your account.

Sharing Your Information

We do not sell your personal data. We may share limited information only in the following circumstances:

• Service Providers: With vendors who help us operate our business, including our hosting platform (Bubble), payment processors (Stripe), email delivery (SendGrid), printing and fulfillment partners, and shipping carriers (USPS). These providers access only the data necessary to perform their specific function.
• Analytics and Advertising Providers: With Google (Google Analytics, Google Tag Manager) and Meta (Meta Pixel) for analytics and advertising, only when you have granted consent through our cookie banner. See Section 7 for details.
• AI Service Providers: With third-party AI providers solely to generate writing suggestions when you use our AI tools. See Section 4 for details.
• Legal Requirements: When required by law, valid court order, subpoena, or government request.
• Business Transfers: In connection with a merger, acquisition, or sale of assets. In such an event, your information remains protected under this same policy, and we will notify you before your data is transferred or becomes subject to a different privacy policy.

All third-party providers are bound by written data processing agreements that include confidentiality, data protection, and data destruction obligations.

Cookies and Tracking Technologies

What Cookies Are

Cookies are small text files placed on your device when you visit a website. We also use similar technologies such as local storage, session storage, and tracking pixels. Throughout this section, "cookies" refers to all of these technologies.

Categories of Cookies We Use

We group cookies into four categories, matching the consent options in our cookie banner:

• Necessary cookies are required for the website to function. They enable core features such as logging in, loading your card design in the editor, completing checkout, and remembering items in your cart between page loads. These cookies cannot be disabled because the site would not work without them. Under applicable law, we do not need your consent for these cookies.
• Preference cookies remember choices you make to improve your experience, such as your saved card templates, recipient lists, and display preferences. These do not personally identify you.
• Statistics cookies help us understand how visitors interact with our site by collecting anonymized information. We use this to improve the card editor, checkout flow, and overall user experience. These cookies fire only after you grant consent.
• Marketing cookies are used to show you relevant advertising on other websites and to measure the effectiveness of our advertising campaigns. These cookies fire only after you grant consent.

Third-Party Services That May Set Cookies

The following services we use may set cookies on your device. Each operates under its own privacy policy.

• Bubble (hosting platform): session and authentication cookies. Bubble Privacy Policy
• Stripe (payment processing): fraud prevention and checkout cookies set during purchase. Stripe Privacy Policy
• Google (Google Analytics 4 and Google Tag Manager): analytics and measurement. Google Privacy Policy
• Meta (Meta Pixel): advertising measurement and audience targeting, fired only with marketing consent. Meta Privacy Policy
• SendGrid (email delivery): tracking pixels in email messages we send you, used to measure delivery and engagement. SendGrid Privacy Policy

The complete, current list of cookies on our site, including names, durations, and providers, is available in our Cookie Declaration. You can view it by clicking the cookie icon in the lower corner of any page on our site.

How We Obtain and Record Your Consent

When you first visit our site, a cookie banner asks for your consent to non-essential cookies. You can accept all, reject all, or customize your choices by category. We use Cookiebot as our consent management platform. Your consent is recorded along with a timestamp and consent ID, retained for 12 months from your last consent action. If you contact us about your consent, please include your consent ID and the date so we can locate your record.

Until you grant consent, only Necessary cookies are active. We use Google Consent Mode v2 to ensure that analytics and advertising tags do not collect personal data before you opt in.

How to Manage or Withdraw Your Consent

You can change or withdraw your consent at any time:

• Use our cookie icon. The persistent cookie icon in the lower corner of every page reopens the consent banner so you can update your choices.
• Clear cookies in your browser. This will remove your stored consent and the banner will reappear on your next visit.
• Browser controls. Most browsers allow you to block or delete cookies through their settings. Disabling Necessary cookies through your browser may prevent parts of the site from working correctly, including the card editor and checkout.

Email Tracking

Emails we send you (order confirmations, shipping updates, marketing messages where you have opted in) may contain tracking pixels that tell us when an email is opened or a link is clicked. We use this to confirm delivery and measure engagement. You can disable this by viewing emails in plain-text mode in your email client, or by unsubscribing from marketing emails using the link at the bottom of any marketing message. Transactional emails (such as order confirmations) cannot be unsubscribed because they are required to fulfill your order.

Global Privacy Control (GPC)

We recognize and honor Global Privacy Control signals transmitted by your browser. When we detect a GPC signal, we treat it as a valid opt-out request for the sale or sharing of your personal information, as required by applicable state laws including the California Consumer Privacy Act and the New Jersey Data Privacy Act.

Your Privacy Rights

We believe everyone deserves strong privacy rights. Regardless of where you are located, you may:

• Access and review the personal information we hold about you
• Request correction of inaccurate personal information
• Request deletion of your account, handwriting data, fonts, and associated personal information
• Request a portable copy of your data
• Opt out of promotional emails (via unsubscribe link in any marketing email)
• Opt out of the sale or sharing of your personal information (we do not sell data, but you may submit this request for confirmation)
• Control cookie preferences through your browser or GPC signal

For California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the right to know, delete, correct, opt out, and limit the use of sensitive personal information. We do not sell or share your personal information as defined under the CCPA. To exercise your rights, contact info@thankyou.cards. We will verify your identity and respond within 45 days.

For New Jersey Residents

If you are a New Jersey resident, you have rights under the New Jersey Data Privacy Act (effective January 15, 2025), including the right to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising and sales of personal data. To exercise your rights, contact info@thankyou.cards.

For EEA and UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, you have additional rights including the right to access, correct, or delete your data, object to processing or request data portability, and withdraw consent at any time. We rely on legitimate interests, consent, and contractual necessity to process your data. Your information may be stored in the United States and protected under industry-standard safeguards. To exercise these rights, email info@thankyou.cards.

For Residents of Other US States with Privacy Laws

If you reside in a state with a comprehensive privacy law (including but not limited to Colorado, Connecticut, Virginia, Indiana, Kentucky, and others), you may have similar rights to access, delete, correct, and port your data, as well as opt-out rights. Contact info@thankyou.cards to exercise any applicable rights. We will respond within the timeframe required by your state's law.

We will never discriminate against you for exercising your privacy rights.

Data Retention

• Account information (name, email, billing address): Retained for the life of your account plus 30 days after deletion request.
• Handwriting samples and generated fonts: Retained for the life of your account. Permanently deleted within 30 days of account deletion. Pre-account fonts with no account created are deleted after 12 months.
• Card content and messages: Retained for the life of your account for reorder purposes. Deleted within 30 days of account deletion.
• Recipient data: Retained for 90 days after delivery/shipment, then permanently deleted. Saved recipient lists are retained until you delete them or close your account.
• Order and transaction history: Retained for 7 years for tax and legal compliance purposes. This includes order dates, amounts, and card quantities, but not recipient addresses or message content after the retention periods above.
• Consent records: Retained for 12 months from your last consent action.
• Automatically collected data (analytics, logs): Retained for up to 26 months, consistent with analytics provider defaults.

Data Security

We maintain technical and organizational safeguards to protect your information from unauthorized access, disclosure, alteration, or destruction. These include:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls limiting employee and contractor access to personal data on a need-to-know basis
• Secure cloud infrastructure (Amazon Web Services) with regular security updates
• PCI-compliant payment processing through Stripe (we never store your full payment card information)
• Regular review of security practices and incident response procedures

Data Breach Notification

In the event of a data breach that compromises the security of your personal information, we will:

• Notify affected users by email (and by mail if required by law) within the timeframe required by applicable state and federal law, and in no event later than 60 days after discovery of the breach
• Provide a clear description of the nature of the breach, the types of information involved, and the steps we are taking to investigate and remediate
• Provide guidance on steps you can take to protect yourself
• Notify applicable regulatory authorities as required by law

Children's Privacy

ThankYou.Cards is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a minor has provided personal data, we will promptly delete it. If you believe a minor has provided us with personal information, please contact info@thankyou.cards.

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable law. The latest version will always be available at /privacy-policy with an updated effective date. For material changes, we will notify you by email at the address associated with your account at least 30 days before the changes take effect.

Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your data, please contact us at:

info@thankyou.cards
Thank You Cards LLC
PO Box 10
Oakhurst, NJ 07755