Privacy Policy
Effective Date: 22/07/2025
1. Data Controller and Contact Information
The controller responsible for data processing on this website is:
Amora.cards
Tommy Østgaard
Basilikastraße 31
48429 Rheine
Germany
Email: post@amora.cards
2. Overview of Data Processing
This privacy policy explains what personal data we collect when you use our website and services, how we use it, and what rights you have regarding your data. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
3. Legal Basis for Data Processing
We process your personal data based on the following legal grounds under Article 6 GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill our postcard service.
- Legitimate interests (Art. 6(1)(f) GDPR): Website analytics, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a) GDPR): Newsletter subscriptions and optional features.
- Legal obligations (Art. 6(1)(c) GDPR): Tax records, payment processing compliance.
4. Data We Collect and How We Use It
4.1 Account and Service Data
What we collect: Email address, name, billing address, postcard content (photos, messages), recipient addresses.
How we use it: To create and deliver your postcards, process payments, provide customer support.
Legal basis: Contract performance.
Retention: Account data for 3 years after last activity, postcard data for up to 1 year after delivery.
4.2 Payment Information
What we collect: Payment details are processed by Stripe (our payment processor). We only store transaction IDs and payment status.
How we use it: To process payments and handle refunds.
Legal basis: Contract performance and legal obligations.
Retention: 10 years for tax compliance.
4.3 Website Analytics
What we collect: We use Plausible Analytics, a privacy-friendly analytics service that collects anonymous usage statistics without cookies or personal data.
How we use it: To understand website usage and improve our service.
Legal basis: Legitimate interests.
Data location: EU servers.
4.4 Technical Data
What we collect: IP address, browser type, device information, access times.
How we use it: Security, fraud prevention, technical support.
Legal basis: Legitimate interests.
Retention: Up to 30 days in server logs.
5. Third-Party Services
5.1 Stripe (Payment Processing)
We use Stripe for payment processing. Stripe processes payment data according to their privacy policy: https://stripe.com/privacy
5.2 Supabase (Database and Authentication)
We use Supabase for data storage and user authentication. Data is stored on EU servers and processed according to GDPR requirements.
5.3 Plausible Analytics
We use Plausible for privacy-friendly website analytics. No personal data or cookies are used. Learn more: https://plausible.io/privacy
5.4 Resend (Email Service)
We use Resend for transactional emails (order confirmations, shipping notifications). Emails are processed according to their privacy policy.
5.5 Google Fonts
We use Google Fonts that are hosted locally on our servers. This means no personal data (such as your IP address) is transmitted to Google when fonts are loaded. No connection is made to Google's servers.
5.6 Printing Partners
Your postcard data (images, text, addresses) is shared with our printing partners only for the purpose of printing and shipping your postcards. These partners are contractually bound to data protection requirements.
6. International Data Transfers
We primarily store and process data within the European Union. When data is transferred to third countries, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework for US-based services
- Standard Contractual Clauses (SCCs) where applicable
- Adequacy decisions by the European Commission
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR): Request information about data we process
- Right to Rectification (Art. 16 GDPR): Correct inaccurate personal data
- Right to Erasure (Art. 17 GDPR): Request deletion of your data ("right to be forgotten")
- Right to Restrict Processing (Art. 18 GDPR): Limit how we use your data
- Right to Data Portability (Art. 20 GDPR): Receive your data in a portable format
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for consent-based processing
To exercise these rights, contact us at support@amora.cards. We will respond within one month.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication
- Staff training on data protection
9. Cookies and Tracking
Our website uses only essential cookies necessary for the operation of the site. These cookies do not require user consent under § 25(2) TTDSG.
Specifically, we use:
- A session cookie to manage user authentication and login. This cookie is set by our authentication system (Supabase) and stores a JSON Web Token (JWT); it carries the Secure and HttpOnly flags, so it is only sent over HTTPS and cannot be read by client-side scripts. It expires automatically after a defined period or when the user logs out.
- A cookie to store your selected currency (e.g., EUR, USD), which ensures consistent pricing display across pages. This cookie is stored only on your device and is not used for tracking.
No cookies are used for marketing, analytics, or user profiling.
We also use localStorage in your browser to temporarily save in-progress postcard designs. This allows you to continue editing your postcard even if you navigate away from the page. This data is stored only on your device and is never transmitted to our servers. It is deleted when you clear your browser storage or manually reset the postcard editor.
10. Children's Privacy
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.
11. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
- Account data: 3 years after last activity
- Transaction data: 10 years for tax compliance
- Postcard content: 1 year after delivery
- Server logs: 30 days
- Marketing communications: Until you unsubscribe
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our website. The date of the last update is shown at the top of this policy.
13. Contact and Complaints
For questions about this privacy policy or to exercise your rights, contact us at:
Email: post@amora.cards
You also have the right to lodge a complaint with a supervisory authority. In Germany, you can contact your local data protection authority or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
14. Specific Information for German Users
This privacy policy complies with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG).
Supervisory Authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf
Website: https://www.ldi.nrw.de
We do not create usage profiles without consent and do not use tracking or marketing cookies. Where technically required (e.g., for session management or currency settings), we rely on Art. 6(1)(b) and (f) GDPR in conjunction with § 25(2) TTDSG.