Yearly cardsYearly cards

Privacy Policy

Last updated: March 17, 2026

1. GENERAL

This Privacy Policy applies to all collected and processed personal data that you have provided to us or that Vouxly ApS (hereafter “We”, “Us”, or “Vouxly”) have collected as part of delivering our services through Yearly Cards (yearly.cards).

“Personal data” shall mean any information relating to an identified or identifiable natural person.

Important: Yearly Cards is a service that sends physical birthday cards on behalf of our users. This means we collect and store personal data about both our users (the people who set up cards) and their recipients (the people who receive cards). This Privacy Policy covers the processing of both categories of personal data.

2. IDENTITY OF THE DATA CONTROLLER

2.1 If there are any questions regarding this Privacy Policy, you may contact us using the information below.

Vouxly ApS CVR: 44587947 · Suomisvej 4, 1927 Frederiksberg, Denmark
Email: [email protected]

2.2 We process your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable and any national regulation applicable to us.

3. WHAT DATA WE COLLECT

3.1 User Account Data

When you create an account and use Yearly Cards, we collect the following personal data about you:

  • Full name
  • Email address
  • Account authentication data (login credentials or third-party authentication tokens)
  • Physical mailing address as the return address on cards, in case a card is undeliverable and needs to be returned
  • Payment-related information (processed via LemonSqueezy; we do not store full payment card details)

3.2 Recipient Data

When you set up a card to be sent, we collect the following personal data about the person you are sending a card to (the “Recipient”):

  • Recipient’s full name
  • Recipient’s physical mailing address (street address, city, postal code, country)
  • Occasion date when the card should be delivered
  • The personal message you write for the Recipient’s card

This data is provided by you, the User, on behalf of the Recipient. The Recipient does not create an account or interact directly with our service. By providing Recipient data, you represent and warrant that:

  • You have a legitimate personal relationship with the Recipient.
  • You have the right to provide the Recipient’s personal data to us for the purpose of sending them a physical card.
  • The Recipient’s mailing address is accurate and current.
  • You will inform the Recipient that their data is being processed by our service if required by applicable law.

3.3 Technical and Usage Data

We may automatically collect the following data when you use our service:

  • Device type and browser information
  • IP address and approximate geographic location
  • Website usage data (e.g., page views, button clicks, session duration)
  • Error codes and error messages
  • Referring website or source (including UTM parameters)

3.4 Communication Data

If you contact us for support or feedback, we may collect: your email address and name; the content of your messages; any attachments you provide.

4. HOW WE USE YOUR DATA

4.1 We use User Account Data to:

  • Create and manage your account
  • Process payments for card orders
  • Send you order confirmations and delivery notifications
  • Communicate with you about your account and our service
  • Comply with legal and accounting obligations

4.2 We use Recipient Data to:

  • Print and mail physical cards to the Recipient on the dates you specify
  • Re-send cards annually as part of the recurring service
  • Contact the Recipient’s address for delivery purposes only
  • Maintain accurate records for card delivery and customer support

We do not use Recipient Data for marketing purposes. We do not contact Recipients by email, phone, or any means other than the physical card you have arranged.

4.3 We use Technical and Usage Data to:

  • Improve our service and user experience
  • Ensure the security and integrity of our website
  • Analyze usage patterns and optimize performance
  • Troubleshoot errors and technical issues

4.4 Legal Bases for Processing

We process personal data based on the following legal bases under the GDPR:

  • Contract — processing User Account Data and Recipient Data is necessary to fulfill the service you have purchased (sending a card on your behalf).
  • Legitimate interest — processing Technical and Usage Data is necessary for our legitimate interest in maintaining, securing, and improving our service. Processing Recipient Data for annual recurring card delivery is based on the legitimate interest of fulfilling the ongoing service arrangement.
  • Legal obligation — we process certain data (such as payment records) as required by applicable accounting and tax laws.
  • Consent — where we send marketing communications or use non-essential cookies, we do so based on your consent.

5. DATA SHARING AND DISCLOSURE

5.1 We do not sell, trade, or otherwise transfer your personal data or Recipient Data to third parties for their own purposes.

5.2 We may share data with the following categories of service providers, solely for the purpose of operating Yearly Cards:

  • LemonSqueezy — payment processing
  • Card printing and mailing partners — to physically print and mail cards. These partners receive only the data strictly necessary for printing and delivery: Recipient name, Recipient address, and the card message.
  • Vercel — hosting infrastructure
  • Plausible — privacy-focused analytics
  • Cloudflare — domain management and content delivery
  • Sentry — error monitoring
  • Neon (Databricks) — database hosting and authentication

5.3 We may disclose personal data to legal authorities when required by law or to protect our rights.

5.4 In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.

6. DATA RETENTION

6.1 User Account Data is retained for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., payment records for accounting purposes).

6.2 Recipient Data is retained for as long as the associated card is active (i.e., scheduled to be sent annually). If you cancel a card or delete a Recipient from your account, we will delete the Recipient’s personal data within 30 days.

6.3 Payment and transaction data may be retained for up to 5 years after the last transaction, as required by Danish accounting regulations (Bogføringsloven).

6.4 Technical and Usage Data may be retained in anonymized form for service improvement purposes.

6.5 When data is deleted from our systems, we take reasonable steps to ensure that any third-party service providers who have received Recipient data for fulfillment purposes also remove it in accordance with their own data retention policies.

7. DATA SECURITY

7.1 We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

7.2 These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest where appropriate
  • Access controls limiting who can view Recipient data
  • Regular security assessments
  • Secure data transmission to printing partners

7.3 Physical mailing addresses and personal messages are stored in encrypted databases with restricted access.

7.4 While we strive to protect personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

8. YOUR RIGHTS

As a user of Yearly Cards, you have the following rights under applicable data protection laws:

  • 8.1 Right to access. You have the right to obtain confirmation as to whether personal data concerning you is being processed and to access such data. You may also request information about what Recipient data you have provided to us.
  • 8.2 Right to rectification. You have the right to have inaccurate personal data corrected. You can update your own data and Recipient data directly through your account.
  • 8.3 Right to erasure. You have the right to request deletion of your personal data under certain circumstances. You can delete individual Recipients or your entire account through the service.
  • 8.4 Right to restrict processing. You have the right to request restriction of processing of your personal data in certain situations.
  • 8.5 Right to data portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • 8.6 Right to object. You have the right to object to processing of your personal data based on legitimate interests.
  • 8.7 Right to withdraw consent. Where processing is based on consent, you have the right to withdraw your consent at any time.

To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days.

9. RIGHTS OF RECIPIENTS

9.1 Recipients whose data has been provided to us by a User also have rights under applicable data protection law. If you are a Recipient and wish to exercise your rights (e.g., to request access, correction, or deletion of your data), please contact us at [email protected].

9.2 Upon receiving a valid request from a Recipient, we will:

  • Confirm whether we hold personal data about them
  • Provide details about what data is stored and for what purpose
  • Delete their data upon request, and notify the User who provided it

9.3 If deletion of Recipient data results in the cancellation of an active card, we will notify the User who arranged it.

9.4 We will not disclose the identity of the User who arranged the card to the Recipient unless required by law or with the User’s consent.

10. INTERNATIONAL DATA TRANSFERS

10.1 Your personal data may be transferred to and processed in countries other than your country of residence, including the United States (where some of our service providers are based).

10.2 When transferring data outside the European Economic Area, we rely on adequacy decisions or appropriate safeguards such as Standard Contractual Clauses where required.

10.3 Our printing and mailing partners may be located in the country of the Recipient’s mailing address to facilitate timely delivery.

11. COOKIES AND TRACKING

11.1 We use privacy-focused analytics (Plausible) which does not use cookies and does not track individual users.

11.2 We may use essential cookies for authentication and session management.

11.3 We may use advertising cookies and tracking technologies (such as Google Ads conversion tracking) to measure the effectiveness of our advertising campaigns. These are only set with your consent.

11.4 You can control cookie settings through your browser preferences.

12. SUB-PROCESSORS

12.1 We use the following third-party service providers to help us deliver our services:

  • LemonSqueezy (lemonsqueezy.com) — payment processing
  • Vercel (vercel.com) — hosting infrastructure
  • Plausible (plausible.io) — privacy-focused analytics
  • Cloudflare (cloudflare.com) — domain management and content delivery
  • Sentry (sentry.io) — error monitoring
  • Google (google.com) — advertising and conversion tracking
  • Card printing/mailing partner — physical card printing and postal delivery (specific partner details available upon request)

12.2 We expect all sub-processors to maintain appropriate data protection standards and, where required under GDPR, we seek to establish Data Processing Agreements to protect your data.

13. CHILDREN’S PRIVACY

13.1 Our services are not intended for children under 16 years of age in the EU/EEA, or under 13 years of age elsewhere.

13.2 We do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us immediately so we can delete the information.

13.3 Recipient data may include information about minors (e.g., a parent sending a card to a child). In such cases, the User providing the data represents that they are the parent or legal guardian of the minor Recipient, or have obtained appropriate consent.

14. CHANGES TO THIS PRIVACY POLICY

14.1 We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on this page and updating the “Last updated” date.

14.2 For significant changes affecting how we handle Recipient data, we may provide additional notice via email to active users.

15. CONTACT INFORMATION

15.1 If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Vouxly ApS CVR: 44587947 · Suomisvej 4, 1927 Frederiksberg, Denmark
Email: [email protected]

15.2 If you are located in the European Union and believe your personal data has been processed in a way that does not meet the requirements of the GDPR, you have the right to lodge a complaint with your local supervisory authority. In Denmark, this is the Danish Data Protection Agency (Datatilsynet).