
Privacy Policy

Effective Date: 22/07/2025

1. Data Controller and Contact Information

The controller responsible for data processing on this website is:

Amora.cards
Tommy Østgaard
Haspertskamp 7A
48432 Rheine
Germany
Email: post@amora.cards

2. Overview of Data Processing

This privacy policy explains what personal data we collect when you use our website and services, how we use it, and what rights you have regarding your data. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

3. Legal Basis for Data Processing

We process your personal data based on the following legal grounds under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to fulfill our postcard service.
  • Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, security, and service improvement that do not rely on optional cookies.
  • Consent (Art. 6(1)(a) GDPR): Optional analytics and marketing cookies (Google tags), newsletter subscriptions, and similar optional features.
  • Legal obligations (Art. 6(1)(c) GDPR): Tax records, payment processing compliance.

4. Data We Collect and How We Use It

4.1 Account and Service Data

What we collect: Email address, name, billing address, postcard content (photos, messages), recipient addresses.

How we use it: To create and deliver your postcards, process payments, provide customer support.

Legal basis: Contract performance.

Retention: Account data for 3 years after last activity, postcard data for up to 1 year after delivery.

4.2 Payment Information

What we collect: Payment details are processed by Stripe (our payment processor). We only store transaction IDs and payment status.

How we use it: To process payments and handle refunds.

Legal basis: Contract performance and legal obligations.

Retention: 10 years for tax compliance.

4.3 Website Analytics and Marketing Tags

What we collect: With your consent, we use Google Analytics (GA4) to collect usage data such as pages viewed and interactions. If you enable marketing cookies, Google may also process data for advertising, personalization, and remarketing features as described in Google’s policies.

How we use it: To understand website usage, measure campaigns, and improve our service.

Legal basis: Consent (Art. 6(1)(a) GDPR) where cookies or similar technologies are used for analytics or marketing. You can change or withdraw consent anytime via the cookie settings linked in the site footer.

Consent: We use Google Consent Mode so that optional tags stay disabled until you agree. Your choices are stored in your browser (local storage) and applied on each visit.

Further information: Google Privacy Policy, How Google uses information from sites that use its services

4.4 Technical Data

What we collect: IP address, browser type, device information, access times.

How we use it: Security, fraud prevention, technical support.

Legal basis: Legitimate interests.

Retention: Up to 30 days in server logs.

5. Third-Party Services

5.1 Stripe (Payment Processing)

We use Stripe for payment processing. Stripe processes payment data according to their privacy policy: https://stripe.com/privacy

5.2 Supabase (Database and Authentication)

We use Supabase for data storage and user authentication. Data is stored on EU servers and processed according to GDPR requirements.

5.3 Google Analytics and Google Marketing Platform

We use Google Analytics 4 and, where you consent, related Google tags for marketing. Processing is subject to Google’s terms and privacy policy: https://policies.google.com/privacy

5.4 Resend (Email Service)

We use Resend for transactional emails (order confirmations, shipping notifications). Emails are processed according to their privacy policy.

5.5 Google Fonts

We use Google Fonts that are hosted locally on our servers. This means no personal data (such as your IP address) is transmitted to Google when fonts are loaded. No connection is made to Google's servers.

5.6 Printing Partners

Your postcard data (images, text, addresses) is shared with our printing partners only for the purpose of printing and shipping your postcards. These partners are contractually bound to data protection requirements.

6. International Data Transfers

We primarily store and process data within the European Union. When data is transferred to third countries, we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework for US-based services
  • Standard Contractual Clauses (SCCs) where applicable
  • Adequacy decisions by the European Commission

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): Request information about data we process
  • Right to Rectification (Art. 16 GDPR): Correct inaccurate personal data
  • Right to Erasure (Art. 17 GDPR): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18 GDPR): Limit how we use your data
  • Right to Data Portability (Art. 20 GDPR): Receive your data in a portable format
  • Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for consent-based processing

To exercise these rights, contact us at support@amora.cards. We will respond within one month.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication
  • Staff training on data protection

9. Cookies and Tracking

Our website uses only essential cookies necessary for the operation of the site. These cookies do not require user consent under § 25(2) TTDSG.

Specifically, we use:

  • A session cookie to manage user authentication and login. This cookie is securely set by our authentication system (Supabase) and stores a JSON Web Token (JWT) in a secure, HTTP-only cookie. It expires automatically after a defined period or when the user logs out.
  • A cookie to store your selected currency (e.g., EUR, USD), which ensures consistent pricing display across pages. This cookie is stored only on your device and is not used for tracking.

No cookies are used for marketing, analytics, or user profiling.

We also use localStorage in your browser to temporarily save in-progress postcard designs. This allows you to continue editing your postcard even if you navigate away from the page. This data is stored only on your device and is never transmitted to our servers. It is deleted when you clear your browser storage or manually reset the postcard editor.

10. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately.

11. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Account data: 3 years after last activity
  • Transaction data: 10 years for tax compliance
  • Postcard content: 1 year after delivery
  • Server logs: 30 days
  • Marketing communications: Until you unsubscribe

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email or through a notice on our website. The date of the last update is shown at the top of this policy.

13. Contact and Complaints

For questions about this privacy policy or to exercise your rights, contact us at:

Email: post@amora.cards

You also have the right to lodge a complaint with a supervisory authority. In Germany, you can contact your local data protection authority or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

14. Specific Information for German Users

This privacy policy complies with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications-Telemedia Data Protection Act (TTDSG).

Supervisory Authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2-4, 40213 Düsseldorf
Website: https://www.ldi.nrw.de

We do not create usage profiles without consent and do not use tracking or marketing cookies. Where technically required (e.g., for session management or currency settings), we rely on Art. 6(1)(b) and (f) GDPR in conjunction with § 25(2) TTDSG.

© 2024 Amora.cards. All rights reserved.