Privacy notice.
Plain English first, legal language second. We will name every partner who touches your data, and how long each one keeps it.
What we collect
When you mail a postcard, we collect: the 280 characters you wrote, your email address, the timestamp at which you ticked the consent box, your IP address, your user-agent string, and the referring page. Nothing else from your device.
How long we keep it
The 280 characters of your postcard text are deleted from our database within 24 hours by a scheduled cron job. The IP address, user-agent, and TLS fingerprint from our own access logs are deleted by the same 24-hour cron job. Your email address is retained on the waitlist until you ask us to remove it (or until the waitlist closes after Layer B launches).
Subprocessor list (Article 28)
These are the companies whose infrastructure we use. Each of them keeps their own records on their own schedule. We have no power to delete records on their systems within 24 hours; instead, we name them honestly.
- Vercel / Cloudflare — hosting + edge routing. Log retention depends on the plan tier (typically ≥30 days on Pro).
- Formspree — waitlist email intake. Stores submissions until manually deleted; we run a daily Vercel Cron / GitHub Action calling Formspree’s submission-delete API to honor the 24h text-purge claim.
- Plausible (self-hosted) or Cloudflare Web Analytics — cookieless page analytics. No third-party cookies set; no cookie banner required.
- Google Jigsaw Perspective API — crisis-tripwire classifier (SEVERE_TOXICITY + THREAT attributes). Submission text is sent to the API at submit-time only; Google states queries are not used for model training. Standard Contractual Clauses 2021/914 apply for any EU/UK enablement (currently geo-blocked at the edge).
- Resend or Postmark (Layer B, not active yet) — transactional email. Delivery metadata retained ~30 days (Resend) or 45 days (Postmark).
DPIA summary
The 280 characters of postcard text are plausibly Article 9 special-category personal data the moment we solicit emotional disclosure. Our lawful basis is the unbundled Article 9(2)(a) explicit consent collected at submit, supplemented by a legitimate-interest balancing test for the operational handling of the message between submit and delete. The full DPIA, counsel-reviewed, will be published before the UK/EU geo-block is lifted.
Your rights
Access, erasure, portability, and objection requests can be sent to privacy@postcard.day. We respond within 30 days.
Crisis tripwire
If your postcard contains crisis language, we do not pass it to a stranger. The submission is dropped client-side after a regex pre-check; an audit-log entry is written to a 30-day TTL Cloudflare KV namespace accessible only to the founder, used for tripwire iteration and law-enforcement cooperation if a court order is served. You see the resource card at submit, not the next morning.
Last updated 2026-05-23.