Legal
Privacy Policy
Effective June 11, 2026
We're a small family operation in Pennsylvania. We print and mail every postcard ourselves, so the information you share with us goes directly into our workflow — not into a marketing platform or a data broker. This policy explains plainly what we collect, why, and how long we keep it.
What we collect and why
When you place an order, we collect:
- Your email address — collected by Stripe at checkout. We use it to send you shipping and order updates. Nothing else unless you opt in to marketing.
- Your name — printed on the card and shown on the card page as "Chris sent this."
- The recipient's name and mailing address — printed on the back of the card. We verify it against USPS records before accepting the order. We never sell, rent, or share recipient addresses with anyone. We save addresses in our system so we can alert you if a card is returned; we don't use them for any other purpose.
- Your photo — uploaded by you, processed for print quality in-house, then stored on Cloudflare R2 (a cloud storage service). It appears on the front of the postcard and is available to download on the card page linked by the QR code.
- Your message — up to 200 characters. Printed on the back of the card and shown on the card page.
- Your voice note (optional) — a browser recording up to 30 seconds. Stored on Cloudflare R2 and played on the card page when the recipient scans the QR. Every card has a QR code; the card page always lets the recipient save the photo to their phone and read your message, and plays your voice note if you recorded one.
- Sender-copy address (optional) — if you opt to purchase your own copy, we collect your mailing address to mail a second card to you.
Mailing addresses are used to print and mail your card. Full stop. We never sell, rent, share, or market to the people whose addresses you give us. The same goes for your own address if you order a sender copy.
Your photo is never shared with third parties. We store it on Cloudflare R2, display it on your card page, and use it to fulfill your order. As part of running our business, we may create content that shows printed cards — for example, in behind-the-scenes or process videos. The back of the card (including the recipient's address) is never shown. If we ever want to feature your specific card or photo directly and prominently, we'll ask you first.
When the recipient scans the QR code, we collect:
- An anonymous scan event (timestamp, rough location — city-level — from IP, scan count)
- Any reaction, reply text, voice/video note, or birthday they voluntarily submit on the card page
- Whether they initiate a reply card
We run Plausible Analytics on gramsforthefam.com — a privacy-respecting analytics tool we host ourselves. It collects aggregate data (page views, referrer source, country, device type, browser) with no cookies, no cross-site tracking, and no personal identifiers. The data stays on our own servers and is never shared with or sold to third parties. We use it to understand which pages people visit and where traffic comes from so we can improve the site.
Third-party services
- Stripe — processes your payment. Your card details never touch our servers. Stripe's privacy policy applies to payment data.
- Cloudflare R2 — cloud storage where we keep your photo, voice note, and any card page media. Files are served from
media.gramsforthefam.com. Cloudflare does not use the content of stored files for advertising or profiling. - Postmark — sends transactional emails (shipping updates, card page notifications) on our behalf. Your email address is shared with Postmark only to deliver these messages.
- Plausible Analytics (self-hosted) — we run our own instance of Plausible on our own servers to measure site traffic. It records page views, referrer, country, device type, and browser. No cookies are set. No personal information is collected or stored. Your IP address is used momentarily to derive an anonymous session count and is never logged or retained.
- Meta Conversions API — when you complete a purchase, we send a hashed (one-way encrypted) version of your email address to Meta's Conversions API so our ads can optimize for real purchases rather than guesses. We never send your name, address, or order contents to Meta. This is purely for ad measurement.
How long we keep things
Voice notes are kept indefinitely. They might scan that QR in 2031. The whole point is that it stays playable. Cloudflare R2 storage is inexpensive and we think the emotional value of a voice note that survives years outweighs the cost of keeping it. If you want your voice note removed, contact us and we'll take care of it.
Photos are kept as long as your card exists in our system. On request, we'll remove the photo from storage and the card page.
Order records are kept for as long as we need them for order history, accounting, and customer support. Your email address was collected by Stripe at checkout and is also subject to Stripe's data retention policies — if you want to be removed from Stripe's records, contact Stripe directly. If you ask us to delete your data from our systems, we'll remove what we control; we can't delete records that live solely within Stripe's infrastructure on your behalf.
Wave-back responses (reactions, reply text, voice/video notes from recipients) are kept as long as the associated card record exists.
California residents (CCPA)
If you're a California resident, you have the right to opt out of the "sale or sharing" of your personal information. Under CCPA's broad definition, sending your hashed email to Meta's Conversions API for ad measurement qualifies. To opt out, enter your email below — we'll flag your account and pass a Restricted Data Processing instruction to Meta on all future events tied to your email.
This only covers data we control. We can't retroactively remove data already processed by Meta or Stripe. It also won't stop you from seeing ads — it limits what Meta does with your data to serve them.
Your rights
You can ask us to:
- Delete your voice note
- Delete your photo from the card page
- Send you a copy of the data we hold on you
- Delete your information from our systems (see the order records note above regarding Stripe)
Email us at [email protected] with the subject "Data request."
Marketing email
We may occasionally email you about cultural moments (Mother's Day, Grandparents Day) if you opted in at checkout. Every email has an unsubscribe link. We don't sell or rent your email address.
Children
Our service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has submitted information to us, contact us and we'll delete it promptly.
Changes to this policy
If we make material changes, we'll update the effective date at the top of this page. For significant changes, we'll send an email to customers who have active cards or recent orders.
Contact
DollarUp, LLC (operating as Grams for the Fam)
106 W 3rd Ave Suite 101
Trappe, PA 19426
[email protected]