Privacy Policy

Last updated: April 17, 2026

1. Introduction

Cardtoplease ("Cardtoplease," "we," "our," or "us"), operated by Happii Apps LLC, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, share, and safeguard your information when you use our website, mobile applications, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (encrypted at rest)
  • Name (if provided)
  • Authentication provider details (when signing in with Apple or Google)
  • Account creation date and login activity

Content You Upload

When you create a card, we collect:

  • Photos you upload for AI card generation (which may contain images of people, pets, or other subjects)
  • Card personalization details (recipient name, occasion, relationship, custom preferences, messages)
  • Refinement requests you submit to edit your card
  • Generated card images and generated message text

Recipient Information

When you choose to share a card, we collect the delivery information you provide, such as the recipient's email address or phone number. We use this information solely to deliver the card you created and do not use it for any other purpose.

Payment and Subscription Information

Payments are processed by Stripe (web) and by Apple App Store or Google Play (mobile), with subscription state managed through RevenueCat. We do not store complete payment card information. We receive:

  • Transaction identifiers
  • Payment status and receipts
  • Subscription entitlement status
  • Credit purchase history

Usage and Device Information

We automatically collect:

  • Card view analytics (when a shared card is opened)
  • Credit usage and generation history
  • Device model, operating system version, and browser details
  • Coarse location inferred from IP address
  • Diagnostic and crash information
  • Mobile device identifiers (such as an app-specific install ID). We do not use Apple's IDFA for cross-app tracking.

Support Communications

If you contact us through our in-app chat or by email, we collect the contents of your message and any information you choose to include.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process your photos through AI to generate card illustrations (see Section 4)
  • Generate AI-written messages based on your card details when you choose that option
  • Store, display, and let you revisit your cards
  • Deliver shared cards to the recipients you designate
  • Process payments, manage subscriptions, and track credit balances
  • Send service-related communications (receipts, subscription reminders, account notifications)
  • Provide customer support
  • Measure product usage and improve the Service
  • Detect, prevent, and respond to fraud and security incidents
  • Comply with legal, regulatory, and tax obligations

Legal Basis for Processing (EU/UK Users)

If you are in the European Economic Area or the United Kingdom, we process your information under the following lawful bases:

  • Performance of a contract — to provide the Service you have requested, including card generation and delivery.
  • Consent — for sending your photo to third-party AI services for card generation, and for any optional marketing communications. You may withdraw consent at any time.
  • Legitimate interests — to operate, secure, and improve the Service, provided these interests are not overridden by your rights.
  • Legal obligation — to meet tax, accounting, and other legal requirements.

4. AI Processing of Photos and Content

Creating a card requires sending certain information to third-party artificial intelligence ("AI") services. We ask for your explicit permission before doing so. This section explains exactly what is sent and how it is handled.

What We Send and To Whom

  • fal.ai (image generation). When you request a card, we send your uploaded photo(s) and a short text prompt describing the occasion and style to fal.ai. fal.ai returns an illustrated card image.
  • Google Gemini (message generation and alternate image path). If you request an AI-written message, we send card details (occasion, recipient name, relationship, optional context) to Google Gemini to generate the message text. Gemini may also be used as an alternative image-generation provider; in that case, your photo(s) and a text prompt are sent to Gemini.

Face Data

Photos you upload may contain faces. Cardtoplease does not perform facial recognition, face identification, face matching, or any form of biometric analysis. We do not extract, compute, or store face embeddings, face geometry, or any other biometric identifier derived from your photos. Photos are transmitted to our AI partners as complete images for the sole purpose of generating a stylized, illustrated card. No biometric profile of you or any subject in your photos is created at any point.

Your Consent

Before a photo is sent to any AI service for card generation, we ask for your explicit in-app consent. You may decline; if you do, no photo is sent and no card is generated. You may withdraw consent at any time by stopping use of the card-generation feature and by contacting us to request deletion of any data already processed.

Retention and Training

Uploaded photos are deleted from our servers shortly after your card is generated. Our AI partners process your photos solely to return a generated image and do not retain your photos for training of their AI models. Generated card images and messages are stored in your account so you can revisit, re-send, or download them, and are removed when you delete your account.

Third-Party Protections

We have confirmed that each third-party AI service we use provides contractual and technical protections for your data that are the same as, or equivalent to, the protections described in this Privacy Policy, including restrictions on secondary use, training, and retention. Links to each provider's privacy policy are provided in Section 5.

5. Third-Party Services

We use the following third-party service providers. Each processes information only to perform services on our behalf and under contractual protections that are the same as or equivalent to those in this Privacy Policy.

Supabase — Database, Authentication, and Storage

We use Supabase to host your account, cards, and uploaded assets. Supabase is GDPR-compliant and applies industry-standard security controls.

fal.ai — AI Image Generation

fal.ai processes your uploaded photos to generate illustrated cards. Photos are not used to train AI models and are not retained by fal.ai after processing.

Google Gemini — AI Text and Alternate Image Generation

Google's Gemini models process card details (and, on the alternate path, photos) to generate personalized messages or images. Data is processed in accordance with Google's AI privacy practices and is not used to train consumer-facing generative models.

Stripe — Payment Processing (Web)

Stripe processes subscription and credit-pack payments made on our website. We do not store complete payment card details. Stripe's privacy practices apply to information you provide during checkout.

Apple App Store and Google Play — In-App Purchases (Mobile)

In-app subscriptions and purchases on our mobile apps are processed by Apple and Google. We receive transaction and entitlement status but do not receive payment card details.

RevenueCat — Subscription Management

RevenueCat stores and synchronizes your subscription entitlement and purchase history across platforms so we can grant the correct access to paid features.

Resend — Email Delivery

We use Resend to send transactional and card-sharing emails. Recipient email addresses are passed to Resend only for the purpose of delivering your card or sending service messages.

Twilio — SMS Delivery

When you schedule a card to be sent by text message, Twilio transmits that SMS on our behalf to the recipient phone number you provide.

Vercel — Hosting

Our web application is hosted on Vercel, which processes standard request logs and performance data.

Cloudflare R2 / Amazon S3 — Image Storage

Generated card images and other media assets may be stored in object storage provided by Cloudflare R2 or Amazon Web Services.

PostHog — Product Analytics

We use PostHog to measure product usage, understand how features are used, and improve the Service. Event and session data may include device and usage details but not the contents of your cards or photos.

Sentry — Error Tracking

Sentry captures diagnostic and crash information to help us identify and fix defects. Error reports may include limited device, browser, and request metadata.

Crisp — Customer Support Chat

Crisp powers in-app and on-site support conversations. If you contact support, the content of your messages and associated metadata are processed by Crisp.

Meta Pixel — Website Advertising Measurement

On our website, we may use the Meta Pixel to measure the effectiveness of our advertising. This is used only on the web and not inside our mobile apps. You can control ad-related tracking through your browser and Meta account settings.

6. Data Sharing and Disclosure

We do not sell or rent your personal information. We share information only as described below:

  • Service providers listed in Section 5, under contracts that require them to provide the same or equivalent data protection as this Privacy Policy and to use your information only to perform services on our behalf.
  • Recipients you choose when you share a card via email, SMS, or public link.
  • Legal and safety reasons when required by law, subpoena, or valid legal process, or to protect our rights, property, users, or the public.
  • Business transfers, such as a merger, acquisition, or sale of assets, in which case information will be transferred subject to this Privacy Policy.

Where service providers are located in countries outside of your own, we rely on appropriate safeguards (such as Standard Contractual Clauses) for any cross-border transfer. See Section 11.

7. Data Security

We implement technical and organizational measures designed to protect your information:

  • Encryption of data in transit (HTTPS/TLS)
  • Encrypted password storage (one-way hashing)
  • Row-level security on database access
  • Authentication managed through Supabase with support for Apple, Google, and email-based sign-in
  • Least-privilege access controls for internal systems
  • Routine security monitoring and updates

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Data Retention

  • Uploaded photos are deleted from our servers shortly after your card is generated.
  • Generated card images and messages are retained while your account is active so you can revisit and re-send them.
  • Account information is retained while your account is active and for a reasonable period afterward to meet legal, tax, fraud-prevention, and dispute-resolution obligations.
  • Support communications are retained for a reasonable period to provide continuity of support.
  • Aggregated or de-identified data may be retained indefinitely and is no longer associated with you.

When you delete your account (see Section 14), we will delete your personal information within 90 days, except where retention is required by law.

9. Your Privacy Rights

General Rights

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Update or correct your information.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection / Restriction: Object to or restrict certain processing of your data.
  • Withdrawal of consent: Withdraw consent where processing is based on consent.

California Residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to delete personal information; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising as those terms are defined under California law. We will not discriminate against you for exercising any of these rights.

EU / UK Residents (GDPR/UK GDPR)

In addition to the general rights above, you have the right to lodge a complaint with your local data protection authority. We process EU/UK personal data under the lawful bases described in Section 3.

How to Exercise Your Rights

Contact us at support@cardtoplease.com. We will respond within 30 days (or any shorter period required by applicable law). We may need to verify your identity before fulfilling your request.

10. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal information from, children under 13 years of age (or under 16 in the European Economic Area and United Kingdom, or any higher age required by your country's law). If you believe a child has provided us with personal information, please contact us and we will take steps to delete it promptly.

11. International Data Transfers

Cardtoplease is operated in the United States. Your information may be transferred to, stored in, and processed in the United States or other countries where we or our service providers operate. When we transfer personal data out of the European Economic Area, United Kingdom, or other jurisdictions with data-transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

12. Mobile App Disclosures

  • App Tracking Transparency (iOS): We do not track you across apps or websites owned by other companies, and we do not use Apple's advertising identifier (IDFA) for cross-app tracking.
  • Permissions: We request access to your photo library or camera only when you choose to add a photo to a card. Denying permission does not prevent you from using other parts of the app.
  • Push notifications: If we offer push notifications, you may enable or disable them from your device settings.
  • In-app purchases: Purchases are processed by the platform operator (Apple App Store or Google Play) and managed via RevenueCat.

13. Cookies and Similar Technologies

On our website, we use cookies and similar technologies to:

  • Keep you signed in and maintain your session
  • Remember your preferences
  • Measure site usage and performance (PostHog)
  • Measure the effectiveness of our advertising (Meta Pixel, where applicable)
  • Protect the Service against fraud and abuse

You can control cookies through your browser settings. Disabling non-essential cookies will not affect your ability to use the Service, though some functionality may be reduced. We honor browser-level "Do Not Track" and Global Privacy Control signals where technically feasible.

14. Account Deletion

You can request deletion of your account and associated personal information at any time by emailing us at support@cardtoplease.com. Where in-app account deletion is available, you may also initiate the request directly from your account settings. We will process your request within 90 days, except where retention is required by law (for example, for tax or fraud-prevention purposes).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on the Service. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.

16. Governing Law

This Privacy Policy is governed by the laws of the State of Texas, United States, without regard to its conflict-of-laws principles. Any disputes arising out of or relating to this Privacy Policy will be resolved in the state or federal courts located in Texas, subject to any mandatory consumer protections that apply in your jurisdiction of residence.

17. Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Cardtoplease, operated by Happii Apps LLC
Email: support@cardtoplease.com