Privacy
Last updated: 2026-05-20.
We keep what we need to run the service and nothing else. This page lists the user-identifying data we store, the cookies we set, what control you have over your data, and how to reach us with questions or complaints.
1. Roles under Indian law
Under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we are the Data Fiduciary for the personal data you give us; you are the Data Principal. By signing in — either by clicking a magic link we email you, by entering a password you've set on your account, or by choosing "Continue with Google" — you give us consent to process your personal data for the purposes described below.
2. What we collect
| Surface | Data |
|---|---|
| Account | Your email address (used for magic-link sign-in). Optionally a first name. Your IP is checked at the moment you request a magic link to rate-limit abuse but is not stored long-term. |
| Cards you create | Card type, the personalization fields you fill in, an optional photo you upload, the share link, the recipient email if you send the link via the in-app Share form. |
| Card opens | A timestamp + a hashed session id so we can deduplicate the same recipient reloading the page. We do not store who opened it: no IP, no user agent, no referrer. |
| Diagnostics | Structured logs of admin and system actions. No personalization data, no photo data; user-id references only. |
| Account credentials | Magic-link tokens (single-use, 15-minute lifetime). If you set a password, we store it as a salted PBKDF2 hash. The plaintext password is never stored or logged. |
| Google account claims | If you choose "Continue with Google", Google sends us your stable account identifier (sub), email address, an indicator of whether Google verified that email, and your first name (given_name) if it's set on your Google profile. We never receive your Google password or any other Google account data. |
3. Cookies
We use exactly two cookies. Both are strictly necessary for the service to work — there is no third-party tracking and no other kind of cookie to opt out of.
- .AspNetCore.Identity.Application: Signs you in after you click a magic link. HTTP-only, Secure, SameSite=Strict. Expires 30 days after your last visit.
- card_session: Prevents the same recipient from inflating a card's open count by reloading. Scoped to /c/, SameSite=Lax, Secure. 24-hour rolling lifetime.
4. Third parties & cross-border transfers
The service integrates with a minimum number of third-party processors:
- Resend (operated by Resend Inc., USA) — production email delivery (magic-link emails, share emails) when Email:Provider is set to Resend. The data we send: recipient email, subject, message body. Email delivery is governed by Resend's data-processing agreement; this involves a transfer of your email address and message contents to servers in the United States.
- Mailgun (operated by Sinch / Mailgun Technologies Inc., USA — or by Sinch Email Germany GmbH if the EU region is selected) — alternative transactional email provider, active only when Email:Provider is set to Mailgun. The data we send is identical to the Resend block above (recipient email, subject, message body). Governed by Mailgun's data-processing agreement.
- MailKit / SMTP — the FR-001a fallback when the primary provider (Resend or Mailgun) hard-fails on a send. Also used as the only provider in development against a local MailHog instance. The destination SMTP server is operator-configured at deploy time.
- Google LLC (USA) — identity provider when you choose "Continue with Google". You authenticate with Google directly; we receive only the claims listed under §2 (Google account claims). We share no data with Google. Use of Google as an identity provider is governed by Google's Privacy Policy.
We do not use a third-party analytics service. We do not use ad networks. We do not route requests through a CDN or edge proxy that gets to inspect request bodies. Cross-border transfers under the DPDP Act are limited to what is necessary for service delivery.
5. Children
The service is not directed at children. Per the DPDP Act, processing personal data of a Data Principal under 18 requires verifiable consent from a parent or lawful guardian. If you are under 18, please do not use the service without your parent or guardian's express consent. If we discover an account was created by a child without the required consent, we will delete it.
6. Retention
| Data | Kept for |
|---|---|
| Magic-link tokens | 24 hours |
| Web vitals samples | 30 days |
| Diagnostic / error logs | 14 days |
| Free-tier cards | 10 days from creation, then auto-revoked |
| Revoked cards (any tier) | Default 90 days, admin-configurable; then permanently deleted |
| Active cards on paid tiers | While your account exists, OR until your chosen expiration |
| Photos | Deleted synchronously when the parent card is revoked or you delete your account; orphan rows are swept after 30 days |
| Account itself | Until you delete it from your account settings |
| Password hash | While your account exists; deleted synchronously when you delete the account or remove your password |
| Google connection (sub + email) | While your account is connected; deleted synchronously when you disconnect Google from Settings or delete your account |
7. Your rights as a Data Principal
The DPDP Act gives you several rights over your personal data; we respect each one:
- Access. Your dashboard shows everything we have on file: your active and revoked cards, open counts, your account state. For a JSON-format export, contact the Grievance Officer below.
- Correction. Change your email or display name from your account settings.
- Erasure. Delete your entire account from your account settings. This synchronously removes your cards, your photos, and your account row.
- Nomination. Per DPDP §13, you may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity. To register a nomination, email the Grievance Officer below.
- Withdraw consent. You may withdraw your consent at any time by deleting your account. Note: this will end your access to the service and remove your data, since processing your data is what makes the service function for you. You may also remove your password or disconnect your Google account at any time from your account settings; magic-link sign-in remains available.
- Grievance. If you believe we are mishandling your data, raise a grievance with the Grievance Officer below before approaching the Data Protection Board of India.
8. Grievance Officer
Per the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act:
- Grievance Officer: Hardik Viradiya
- Email: [grievance officer email — to be added before public launch]
- Operating from: Rajkot, Gujarat, India
- Response time: within 30 days of receipt of a written grievance
9. Data breaches
If we become aware of a personal-data breach affecting you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act timelines, with the information available to us at the time and follow-up details as the investigation progresses.
10. Changes to this policy
We update the last-updated stamp at the top whenever this page changes. Material changes are emailed to your sign-in email so you know to re-read.