Privacy Policy
Last updated: 7 April 2026
1. Who we are
The Card Genie ("we", "us", "our") is a UK-based service that lets you create personalised AI-generated e-cards. We are the data controller for the personal data described in this policy. You can reach us at support@thecardgenie.com.
2. Data we collect
Information you provide
- Account data — email address and display name when you sign up.
- Photos — images you upload to generate cards.
- Card content — text, occasion, and style choices you make.
Information collected automatically
- Usage data — pages visited, features used, timestamps (via Google Analytics).
- Device data — browser type, operating system, screen size, IP address.
- Cookies — see our Cookie Policy.
Information from third parties
- Payment data — Stripe processes your payment. We receive a transaction ID, amount, and last four card digits. We never see or store your full card number.
- Bot detection — Cloudflare Turnstile provides a risk score. No personal data is shared with us from this check.
3. How we use your data
- To create and deliver your AI-generated cards.
- To process payments and send receipts.
- To send card-sharing and reminder emails you request.
- To improve the service and fix bugs.
- To prevent fraud and abuse.
Our legal bases under UK GDPR are: contract performance (providing the service you requested), legitimate interest (analytics, security), and consent(marketing emails, non-essential cookies).
4. Third-party services
We share data only as needed to run the service:
- Supabase (EU) — database hosting and authentication.
- Stripe (US, EU) — payment processing. See Stripe's privacy policy.
- fal.ai (US) — AI image and video generation. Your uploaded photos are sent to fal.ai solely to generate your card, then deleted from their systems.
- Resend (US) — transactional email delivery.
- Google Analytics (US) — anonymised usage analytics, only with your consent.
- Cloudflare (US) — CDN, bot protection (Turnstile), and performance.
- Sentry (US) — error monitoring to help us fix bugs. May capture sanitised error data.
Where data is transferred outside the UK, we rely on adequacy decisions or standard contractual clauses to protect your data.
5. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account deletion.
- Uploaded photos — processed for card generation, then automatically deleted within 30 days.
- Generated cards — stored for up to 12 months so you and recipients can access them.
- Payment records — retained for 7 years as required by UK tax law.
- Analytics data — retained for 14 months by Google Analytics.
6. Your rights
Under UK GDPR you have the right to:
- Access your personal data.
- Correct inaccurate data.
- Delete your data ("right to be forgotten").
- Restrict or object to processing.
- Data portability — receive your data in a common format.
- Withdraw consent at any time (e.g. cookie preferences).
To exercise any of these rights, email us at support@thecardgenie.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Children
The Card Genie is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
8. Security
We use HTTPS encryption, secure authentication via Supabase, and restrict access to personal data to essential systems only. While no system is 100% secure, we take reasonable measures to protect your data.
9. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by email or by displaying a notice on the site. The "last updated" date at the top reflects the most recent revision.
10. Contact
Questions about this policy? Email us at support@thecardgenie.com.