Privacy Policy
Effective 2026-05-08.
This Privacy Policy describes how Warmlo ("Warmlo," "we," "us") collects, uses, shares, and protects information in connection with the Warmlo service. By using the Service, you consent to the data practices described here.
1. Information We Collect
1.1 Information You Provide
- Account information: name and email address (collected via Clerk authentication, typically through your Google account).
- Recipient information: names, email addresses, dates, relationships, and any custom messages or notes you provide about the people you send cards to.
- Preferences: default mood, greeting mode, notification settings.
- Payment information: processed by Stripe; we do not store full card numbers.
- Communications: any messages you send to us.
1.2 Information Collected Automatically
- Usage data: pages viewed, actions taken, timestamps, error logs.
- Device data: browser type, operating system, IP address, approximate location (country/region from IP).
- Cookies and session data: used for authentication, security, and to remember preferences.
1.3 Information from Third Parties
When you sign in with Google through Clerk, we receive your name and email from Google. We do not receive your Google password. If you connect Google Calendar (future feature), we will receive event data with your explicit consent.
2. How We Use Information
- To provide, operate, and maintain the Service;
- To generate AI greeting card text using OpenAI;
- To deliver greeting cards to recipients you designate, via Resend;
- To send you account-related and service-related emails (heads-up reminders, important notices);
- To process payments via Stripe;
- To improve the Service, debug issues, and develop new features;
- To detect, prevent, and address fraud, abuse, and security incidents;
- To comply with legal obligations and enforce our Terms.
3. AI Processing
To generate greeting card text, we send a prompt containing the recipient's first name, your relationship, the event type, the chosen mood, your first name, and (for milestone events) the year, to OpenAI's API. OpenAI processes this data under its data processing terms; data sent via API is not used to train OpenAI's models. We do not send recipient email addresses or other directly identifying information to OpenAI.
4. Sharing of Information
We share information only as needed to operate the Service:
- Clerk: authentication and session management.
- Supabase: database hosting (your account, recipients, cards).
- OpenAI: AI text generation (limited prompt data only).
- Resend: email delivery to you and your recipients.
- Vercel: web hosting and serverless infrastructure.
- Stripe: payment processing (when you make a purchase).
- Legal compliance: we may disclose information when required by law, subpoena, or to protect rights, safety, or property.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity.
We do not sell your personal information to third parties for advertising or marketing purposes. We do not use recipient email addresses for any purpose other than delivering the cards you authorize.
5. International Data Transfers
Our service providers are primarily based in the United States. By using the Service, you consent to the transfer and processing of your information in the United States and other countries that may have different data protection laws than your country of residence. For users in the EU/EEA and UK, transfers are made under appropriate safeguards including Standard Contractual Clauses where applicable.
6. Data Retention
We retain your account data for as long as your account is active. After account deletion, we may retain certain information for a reasonable period for legitimate business purposes including fraud prevention, dispute resolution, legal compliance, and backup integrity. Card delivery logs are retained for up to 24 months. You may request deletion at any time (see Section 8).
7. Security
We implement reasonable administrative, technical, and physical safeguards to protect your information, including HTTPS encryption in transit, encrypted storage at rest (via our infrastructure providers), and access controls. However, no method of transmission or storage is 100% secure. You use the Service at your own risk. You are responsible for keeping your account credentials secure.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate information.
- Deletion: request deletion of your information (subject to legal retention requirements).
- Portability: request your information in a portable format.
- Restriction or objection: restrict or object to certain processing.
- Opt out of marketing: unsubscribe from marketing emails (heads-up emails are service emails and are required).
- Withdraw consent: where processing is based on consent, withdraw it at any time.
- Lodge a complaint: with your local data protection authority.
To exercise these rights, email privacy@warmlo.com. We will respond within 30 days.
9. Recipient Rights
If you receive a greeting card from Warmlo and wish to be excluded from future cards, contact privacy@warmlo.com and we will block your email address from receiving any further cards through the Service. Note that the sender (the person who added you) is responsible for managing recipient lists; we will honor recipient suppression requests directly.
10. Cookies
We use essential cookies for authentication and session management. We may use limited analytics cookies to understand usage patterns. We do not use cookies for cross-site advertising or behavioral tracking. You can control cookies via your browser settings; disabling essential cookies will prevent the Service from working.
11. Children
The Service is not intended for individuals under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect information from children. If we learn we have collected information from a child, we will delete it promptly.
12. California Privacy Rights (CCPA/CPRA)
California residents have additional rights including the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of sale or sharing of personal information, and the right to non-discrimination. We do not sell your personal information. To exercise California rights, email privacy@warmlo.com.
13. EU/UK Privacy Rights (GDPR)
If you are in the EU/EEA or UK, our legal bases for processing are: (a) performance of a contract (to provide the Service); (b) legitimate interests (to operate, improve, and secure the Service); (c) consent (where required); and (d) legal obligation. Our Data Controller is Warmlo. To contact our representative or to lodge a complaint, email privacy@warmlo.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice. The "Effective" date at the top reflects the latest version.
15. Contact
Questions about this Privacy Policy? Email privacy@warmlo.com.