Privacy
Privacy policy
About this policy
Postcards is a small app for daily exchanges between you and the few people you actually want to stay close to. This page explains what we collect, how we use it, and how to reach us. We try to keep it short and plain.
Postcards is operated by the team at team@joinpostcards.com.
What we collect
We collect only what we need to run the service.
- Account. Phone number, display name, profile photo, birthday, timezone, gender, and the answers you give during onboarding.
- Content you create. Postcards, chat messages, photos you send, and read receipts.
- Push. Device push tokens and your notification preferences, so we can deliver the alerts you have opted into.
- Contacts. If you grant access, your address book is read on your device. We send only normalized phone numbers to our server to find people you already know who use Postcards. We do not store your contacts.
- Diagnostic. Device platform and operating system version, so we can keep the app working on your device.
We do not collect precise location, advertising identifiers, or browsing history.
How we use it
We use your data to:
- Operate the service and keep your account secure.
- Deliver postcards, chats, and photos between you and your people.
- Send you push notifications you have opted into.
- Match you with people in your contacts who already use Postcards.
- Diagnose and fix problems with the app.
- Review reports and act on safety issues.
We do not sell your data. We do not share it with advertisers. We do not use it to train third-party advertising or recommendation systems.
Storage and security
All data in transit is encrypted with TLS. Access to your data on the server is enforced by row-level security policies, so only you and the people you send to can read your messages and photos. Our infrastructure provider, Supabase, is SOC 2 Type II certified.
Retention
Your data is kept for as long as your account is active. When you delete your account from the You screen, your profile, postcards, chats, and photos are permanently removed within 30 days. Backups are rotated on the same window.
Your rights
You can:
- Ask for a copy of the data we hold about you.
- Ask us to correct anything that is wrong.
- Delete your account at any time from the You screen.
- Withdraw consent for push notifications in your device settings.
- Ask us to export your data in a portable format.
If you live in the EEA or the United Kingdom, you have additional rights under the GDPR, including the right to object to certain processing and to lodge a complaint with your local supervisory authority. If you live in California, you have additional rights under the CCPA, including the right to know what personal information we have collected and the right to deletion. We honor these rights for everyone, regardless of where you live.
To make a request, email team@joinpostcards.com.
Children
Postcards is not for children under 13. We do not knowingly collect data from anyone under 13. If we learn that we have, we will delete it. If you are a parent and believe your child has given us their data, contact us and we will remove it promptly.
International transfers
Postcards is operated from the United States and your data is processed there. If you use Postcards from outside the US, you understand that your data is transferred to and stored in the US.
Changes to this policy
When we make material changes to this policy, we update the date at the top of this page and, if the change is significant, we let you know in the app before it takes effect.
Contact
For privacy questions, data requests, or anything else covered here, email us at team@joinpostcards.com. We aim to respond within 30 days.