Privacy Policy

Last updated: July 5, 2026

1. Who we are

Cardster ("we," "us") is a client-celebration platform that sends branded greeting cards by email on behalf of businesses ("Customers"). This policy explains what personal information we collect, how we use it, and the choices available to you, whether you are a Customer using Cardster or a person who received a card sent through Cardster.

2. Information we collect

From Customers (account holders):

  • Account details: business name, email address, password (stored hashed).
  • Brand assets: logo, colors, mascot images, sign-off text.
  • Billing information, processed by our payment provider; we never store card numbers.
  • Usage information such as pages visited and actions taken in the app.

About Customers' clients (card recipients), provided by the Customer:

  • Name, email address, birthdate, preferred language, and phone number.
  • Delivery events: whether a card was sent, delivered, opened, or bounced.

We intentionally collect nothing else about recipients. We never request or store clinical, financial, or legal case information.

3. How we use information

  • To send the greeting cards our Customers schedule.
  • To operate, secure, and improve the Service.
  • To provide support and send service-related notices.
  • To bill for subscriptions.
  • To comply with legal obligations.

We do not sell personal information. We do not use recipient information for advertising, and we do not contact recipients except to deliver the cards a Customer scheduled.

4. Service providers

We share information only with the providers that run the Service: cloud hosting and database (Supabase on AWS), email delivery (Amazon Web Services), payment processing, and error monitoring. Each provider processes data only on our instructions under a written agreement. For healthcare Customers, providers that handle patient information operate under Business Associate Agreements.

5. Health information (HIPAA)

When a healthcare practice uses Cardster, the recipient information it shares with us (names, contact details, birthdates) is processed as protected health information under a Business Associate Agreement with that practice. We use it only to deliver celebration cards on the practice's behalf, protect it with encryption in transit and at rest, log access, and delete it per our retention policy or the practice's instructions.

6. Your choices

  • Card recipients: every email includes an unsubscribe link. Unsubscribing stops all future cards from that business immediately. You may also ask the business that sent the card to correct or delete your information, or email us at info@prrenovatio.com and we will help.
  • Customers: you can export or delete your data at any time from the app or by contacting us. Closing your account starts a 90-day retention window, after which all data is permanently deleted.

7. Security and retention

All data is encrypted in transit (TLS) and at rest. Access is limited by role-based controls and tenant isolation at the database layer. We retain Customer Data while the account is active and for 90 days after cancellation, then delete it. Send logs needed for legal compliance (for example, unsubscribe records) may be kept longer where the law requires.

8. Cookies and analytics

The app uses only the cookies needed to keep you signed in. The marketing site may use privacy-respecting analytics that do not track you across other sites. We do not use third-party advertising cookies.

9. Children

The Service is for businesses and is not directed to children. A business may send birthday cards to clients of any age (for example, a pediatric dental patient) under its own relationship and legal responsibility; we process only the minimal information described above.

10. Changes and contact

We will post any changes to this policy here and, for material changes, notify Customers by email. Questions or requests: info@prrenovatio.com.