Just Christmas Cards

Privacy Policy

Learn how Just Christmas Cards collects, uses, and protects your personal data. UK GDPR compliant privacy policy covering data rights, security, and third-party services.

Last updated: 29 September 2025

1. Introduction

Welcome to Just Christmas Cards ("we," "our," or "us"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services (collectively, the "Service").

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.

Data Controller: Just Christmas Cards is the data controller responsible for your personal data. If you have any questions about this policy or our data practices, please contact us at privacy@justchristmascards.com.

2. What Personal Data We Collect

2.1 Information You Provide Directly

  • Account Information: When you create an account, we collect your email address and password (encrypted). If you register via OAuth providers (Google or Facebook), we receive your name, email address, and profile picture from those services.
  • User-Generated Content: Photos you upload to create Christmas cards, custom messages you add to cards, and personalization preferences (such as card style choices, text preferences, and design options).
  • Payment Information: We collect billing details through Stripe (our payment processor), including your name, billing address, and payment method information. We do not directly store your complete credit card numbers.
  • Communications: Any information you provide when contacting our customer support team, including your email address and message content.

2.2 Information Collected Automatically

  • Usage Data: Information about how you interact with our Service, including cards you view, cards you favorite, cards you generate, and timestamps of these activities.
  • Technical Data: IP address, browser type and version, device information, operating system, referring URLs, and pages visited. This data is collected through cookies and similar technologies.
  • Authentication Cookies: Session cookies and tokens used to maintain your logged-in state and authenticate your requests to our Service.
  • Rate Limiting Data: We temporarily store hashed identifiers and request counts to prevent abuse and ensure fair usage of our Service.

2.3 Information from Third-Party Sources

  • OAuth Providers: If you sign in using Google or Facebook, we receive basic profile information including your name, email address, and profile picture as authorized by you.
  • Payment Provider: Stripe provides us with transaction data, payment status, and billing information necessary to process your purchases.

3. How We Use Your Personal Data

We process your personal data for the following purposes:

3.1 Service Provision

  • Create and manage your user account
  • Process your uploaded photos using AI technology to generate personalized Christmas cards
  • Store your generated cards and user photos in secure cloud storage (AWS S3)
  • Display your card collection and enable you to favorite, download, and share cards
  • Process background jobs for AI card generation using our queue system

3.2 Payment Processing

  • Process payments for credit purchases through Stripe
  • Maintain order history and transaction records
  • Manage your credit balance for card generation
  • Handle refunds and payment disputes

3.3 Service Improvement

  • Analyze usage patterns to improve our Service and user experience
  • Monitor Service performance and troubleshoot technical issues
  • Develop new features and card templates based on user preferences

3.4 Security and Fraud Prevention

  • Implement rate limiting to prevent abuse and ensure fair usage
  • Detect and prevent fraudulent activities and security breaches
  • Enforce our Terms of Service and protect our legal rights

3.5 Communications

  • Send you service-related notifications (e.g., card generation completion, payment confirmations)
  • Respond to your support requests and inquiries
  • Send marketing communications (only with your explicit consent, which you can withdraw at any time)

5. Data Sharing and Third-Party Processors

We do not sell your personal data. We share your data only with trusted third-party service providers who help us operate our Service:

5.1 Infrastructure and Hosting

  • Supabase: Provides database hosting, authentication services, and user management. Data is processed under GDPR-compliant terms. Row Level Security (RLS) policies ensure users can only access their own data.
  • Amazon Web Services (AWS S3): Stores uploaded photos and generated cards. Data is encrypted at rest and in transit. AWS complies with GDPR and provides EU data residency options.
  • Redis/Upstash: Manages background job queues for card generation and temporary caching. Data is encrypted and automatically expires.

5.2 AI Processing

  • Google Gemini AI: Processes your uploaded photos to generate personalized Christmas cards. Photos are transmitted securely and are not retained by Google after processing. Google's AI services are subject to their privacy policies and data processing agreements.

5.3 Payment Processing

  • Stripe: Processes all payment transactions. We receive only transaction confirmations and necessary billing information. Stripe is PCI DSS compliant and handles credit card data directly. Stripe's privacy policy governs their data practices.

5.4 Authentication

  • Google OAuth: Facilitates sign-in with your Google account. Subject to Google's privacy policy.
  • Facebook OAuth: Facilitates sign-in with your Facebook account. Subject to Facebook's privacy policy.

5.5 Data Processing Agreements

All third-party processors are bound by data processing agreements that require them to protect your data in accordance with GDPR standards. They process data only on our instructions and for the specific purposes outlined in this policy.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom and European Economic Area (EEA), including the United States, where some of our service providers are located.

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers to ensure GDPR-level protection.
  • Adequacy Decisions: Some transfers are to countries recognized by the UK government as providing adequate data protection.
  • Additional Safeguards: All data in transit is encrypted using TLS/SSL protocols, and data at rest is encrypted using industry-standard encryption.

7. Data Retention

We retain your personal data for as long as necessary to provide our Service and comply with legal obligations:

  • Account Data: Retained for the duration of your account plus 30 days after account deletion to allow for account recovery.
  • Uploaded Photos and Generated Cards: Retained until you delete them or close your account. After deletion, files are permanently removed from our storage within 30 days.
  • Transaction Records: Retained for 7 years to comply with tax and financial regulations.
  • Usage Data and Logs: Retained for up to 90 days for security and troubleshooting purposes.
  • Rate Limiting Data: Automatically expires within 24 hours.
  • Job Queue Data: Automatically removed within 7 days after job completion.

After the retention period, we securely delete or anonymize your data so that it can no longer identify you.

8. Security Measures

We implement industry-standard security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction:

8.1 Technical Security

  • Encryption: All data in transit uses TLS 1.3 encryption. Data at rest is encrypted using AES-256 encryption in AWS S3 and encrypted database storage.
  • Password Security: Passwords are hashed using bcrypt with per-user salts and never stored in plain text.
  • Access Controls: Row Level Security (RLS) policies ensure users can only access their own data. Service accounts use JWT authentication with short-lived tokens.
  • Rate Limiting: API endpoints are protected with rate limiting to prevent abuse and brute-force attacks.
  • Input Validation: All user inputs are validated and sanitized using Zod schemas to prevent injection attacks.

8.2 Organizational Security

  • Access to personal data is restricted to authorized personnel only
  • Regular security audits and vulnerability assessments
  • Incident response procedures for data breaches
  • Employee training on data protection and security best practices

8.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours, as required by UK GDPR Articles 33 and 34.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

9.2 Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data. You can update your account information directly through your account settings.

9.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data. You can delete individual cards and photos through the Service, or request full account deletion by contacting us. Upon deletion, we will remove your data within 30 days, except where we are legally required to retain certain records.

9.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain circumstances, such as while we verify the accuracy of disputed data.

9.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another service provider. This applies to data you provided to us with your consent or for contract performance.

9.6 Right to Object (Article 21)

You have the right to object to processing based on our legitimate interests. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

9.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

  • Website: https://ico.org.uk/
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9.9 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@justchristmascards.com. We will respond to your request within one month. We may ask you to verify your identity before fulfilling your request.

10. Automated Decision-Making and Profiling

10.1 AI Card Generation

Our Service uses Google Gemini AI to automatically generate Christmas cards based on your uploaded photos and preferences. This is an automated process that does not involve human review of each individual card generation.

Purpose: To create personalized Christmas cards efficiently and at scale.

Your Rights: You have the right not to be subject to decisions based solely on automated processing where those decisions produce legal effects or similarly significantly affect you. Our AI card generation does not produce such effects, as:

  • You initiate the process voluntarily by uploading a photo
  • You can regenerate or delete cards at any time
  • The output is purely creative and does not affect your legal rights or status

10.2 No Profiling

We do not engage in profiling activities that evaluate personal aspects about you, such as analyzing or predicting your economic situation, health, personal preferences, or behavior beyond basic usage analytics for Service improvement.

11. Cookies and Tracking Technologies

11.1 Essential Cookies

We use essential cookies that are strictly necessary for the Service to function:

  • Authentication Cookies: Maintain your logged-in session (Supabase auth tokens). These cookies are essential for the Service and cannot be disabled.
  • Security Cookies: Used for rate limiting and fraud prevention.

11.2 Performance and Analytics Cookies

We may use performance cookies to understand how users interact with our Service. These cookies do not identify you personally. You can disable these through your browser settings, though this may affect your experience.

11.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. However, blocking essential cookies will prevent you from using the Service. For more information about cookies, visit www.allaboutcookies.org.

13. Children's Privacy

Our Service is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@justchristmascards.com, and we will delete such data promptly.

Under UK GDPR Article 8, children under 16 require parental consent for processing their personal data in relation to information society services (online services). We rely on age verification at registration to ensure compliance.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@justchristmascards.com. We will verify your identity before fulfilling your request.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email if you have an account with us
  • Display a prominent notice on our Service

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Just Christmas Cards

Email: privacy@justchristmascards.com

Address: United Kingdom

For data protection inquiries, please use the subject line: "Privacy Inquiry - [Your Request Type]"

We aim to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have made multiple requests. In this case, we will notify you and keep you updated.

17. Legal Compliance

This Privacy Policy complies with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • California Consumer Privacy Act (CCPA)
  • Other applicable data protection and privacy laws

We are committed to maintaining compliance with all relevant data protection regulations and continuously monitor changes in legislation to ensure our practices remain compliant.

Summary

In short: We collect and process your personal data to provide our Christmas card generation service. We use trusted third-party providers (Supabase, AWS, Google AI, Stripe) to operate our Service. Your data is protected with industry-standard security measures, including encryption and Row Level Security. You have comprehensive rights under UK GDPR to access, correct, delete, and control your data. We do not sell your personal information. If you have questions or want to exercise your rights, contact us at privacy@justchristmascards.com.