Privacy Policy
Effective date: 13 May 2026
1. Who we are
The data controller responsible for this website is:
Amora.Cards
Tommy Østgaard
Haspertskamp 7A, 48432 Rheine, Germany
Email: help@amora.cards
2. What this policy covers
This policy explains what personal data we collect when you use Amora.Cards, how we use it, who we share it with, and what rights you have. We comply with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG).
3. Legal bases for processing
We process personal data under the following grounds:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to create and deliver your postcard.
- Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, security, and aggregate analytics that do not override your fundamental rights.
- Legal obligations (Art. 6(1)(c) GDPR): Tax records and payment compliance.
4. Data we collect and how we use it
4.1 Order and service data
What: Your name, email address, billing address, the photo you upload, the message you write, and the recipient's name and postal address.
Why: To print and deliver your postcard and to handle support requests.
Legal basis: Contract performance.
Retention: Account data for 3 years after last activity; postcard content for up to 1 year after delivery.
4.2 Payment data
What: Payment details are processed entirely by Stripe. We store only the transaction ID and payment status — never full card numbers or bank details.
Why: To process payments and handle refunds.
Legal basis: Contract performance and legal obligations.
Retention: 10 years for tax compliance.
4.3 Analytics data
What: We use PostHog (EU cloud) to collect aggregated, pseudonymous usage data — pages visited, clicks, the steps completed in the send flow, and errors. PostHog is configured to use browser localStorage only; it sets no tracking cookies.
Why: To understand how people use the site so we can improve it. No data is sold or shared with advertisers.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). The analytics data is pseudonymous, limited to first-party use, and does not override your rights.
Retention: Aggregate analytics data is retained for up to 12 months. You can opt out at any time — see our Cookies & Storage page.
4.4 Technical data
What: IP address, browser type, device information, and access timestamps.
Why: Security, fraud prevention, and technical support.
Legal basis: Legitimate interests.
Retention: Up to 30 days in server logs.
5. Third-party services
5.1 Stripe (payment processing)
Stripe processes all payment transactions. We never see or store your full card details. See Stripe's privacy policy.
5.2 Supabase (database and authentication)
We use Supabase to store order data and manage user accounts. Data is stored on EU servers. Supabase processes data under GDPR-compliant terms.
5.3 PostHog (analytics)
We use PostHog EU cloud for product analytics. Data is stored in the EU and processed under PostHog's DPA. No data is shared with third-party ad networks. See PostHog's privacy policy.
5.4 Resend (transactional email)
We use Resend to send order confirmations and status updates. Only your email address and order details are passed to Resend for this purpose.
5.5 Prodigi (printing and fulfilment)
Your postcard image, message, and recipient address are shared with Prodigi solely to print and ship your postcard. Prodigi is bound by data processing agreements.
5.6 Fonts
All fonts are self-hosted. No request is made to Google Fonts or any external font CDN when you visit this site.
6. International data transfers
We process data primarily within the EU. Where services involve transfers outside the EU (e.g. Stripe, Prodigi), appropriate safeguards are in place:
- EU–US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
7. Cookies and local storage
We use one essential authentication cookie (set by Supabase when you log in) and browser localStorage for your in-progress postcard draft and anonymous analytics. No marketing or advertising cookies are set. No cookie consent banner is shown because no consent-dependent cookies are used.
Full details are on our Cookies & Storage page.
8. Your rights under GDPR
You have the right to:
- Access (Art. 15): Request a copy of the data we hold about you.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Ask us to delete your data.
- Restriction (Art. 18): Limit how we process your data.
- Portability (Art. 20): Receive your data in a machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, email help@amora.cards. We will respond within one month.
9. Security
We use encryption in transit (HTTPS) and at rest, access controls, and regular security reviews. No system is perfectly secure — if you suspect a breach, contact us immediately.
10. Children
Our service is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe we have, contact us and we will delete it.
11. Data retention
| Data type | Retained for |
|---|---|
| Account and order data | 3 years after last activity |
| Transaction records | 10 years (tax compliance) |
| Postcard content | 1 year after delivery |
| Server logs | 30 days |
| Analytics data | 12 months |
12. Changes to this policy
We may update this policy. For significant changes, we will notify you by email or with a notice on the site. The effective date at the top of this page will always reflect the current version.
13. Contact and complaints
Questions or requests: help@amora.cards
You may also lodge a complaint with a supervisory authority. In Germany, the relevant authority is:
Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf — ldi.nrw.de