Privacy Policy
Last updated: February 2026
1. Data We Collect
We collect only the minimum data necessary to provide our service:
- Email address — only if you purchase send credits, used to deliver your codes and track your credit balance
- Recipient phone number — only when you choose to send an SMS, used solely for delivery and then discarded
- Recipient email address — only when you choose to send via email, used solely for delivery
- Payment information — processed entirely by Stripe; we never see, store, or have access to card numbers
- Message content — the personal message you attach to your bouquet, retained only until delivery is confirmed
We use privacy-friendly analytics (Vercel Analytics) to understand how visitors use our site, and Google Ads conversion tracking to measure the effectiveness of our advertising. We do not build user profiles or engage in behavioural advertising beyond measuring ad conversions.
2. How We Use Your Data
- Email: to deliver your purchase codes and manage your credit balance
- Phone numbers: to deliver the SMS message you requested — then discarded within 30 days
- Recipient email: to deliver the email message you requested — then discarded within 30 days
- Payment data: processed by Stripe under their privacy policy; we only receive confirmation of payment
- Message content: to deliver your message — then deleted within 30 days
We do not sell, rent, trade, or share your personal data with third parties for marketing or advertising purposes. We never will.
3. Third-Party Services
We use the following third-party services, each with their own privacy policies:
- Stripe — payment processing (stripe.com/privacy)
- Twilio — SMS delivery (twilio.com/legal/privacy)
- Vercel — hosting and privacy-friendly analytics (vercel.com/legal/privacy-policy)
- Google Ads — advertising conversion tracking (policies.google.com/privacy)
4. Data Retention & Deletion
Credit balance records are retained while your account has active credits. Delivery records (phone number, email, message content) are automatically deleted within 30 days of successful delivery. You may request immediate deletion of all your data at any time by contacting us. Upon request, we will delete your data within 30 days and confirm deletion to you.
5. Data Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS/HTTPS), secure payment processing via Stripe, and minimal data retention. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
6. Your Rights
Regardless of your location, you have the right to:
- Access — request a copy of any data we hold about you
- Rectification — correct any inaccurate data
- Deletion — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Objection — object to processing of your data
- Restriction — request restriction of processing
- Withdrawal — withdraw consent at any time where processing is based on consent
7. EU/EEA Residents (GDPR)
Our legal basis for processing your data is contractual necessity (to deliver the service you requested) and legitimate interest (to manage credit balances and prevent fraud). You have additional rights under GDPR including the right to lodge a complaint with your local data protection authority. We do not transfer your data outside the EEA unless adequate safeguards are in place.
8. UK Residents (UK GDPR)
If you are a UK resident, your data is protected under the UK General Data Protection Regulation and the Data Protection Act 2018. The data controller is Angus Malcolm. Our legal basis for processing is contractual necessity (to deliver the service you requested). You have all the rights listed in Section 6 above, plus the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We are committed to resolving any concerns directly — please contact us first so we can address your issue promptly.
9. California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to know what personal information we collect, request its deletion, correct inaccuracies, and opt out of its sale or sharing. We do not sell or share personal information as defined by the CCPA/CPRA. We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
10. Brazilian Residents (LGPD)
Under Brazil's Lei Geral de Proteção de Dados, you have rights similar to those listed above. Our legal basis for processing is the performance of a contract. You may contact Brazil's national data protection authority (ANPD) with complaints.
11. Japanese Residents (APPI)
Under Japan's Act on the Protection of Personal Information (APPI), you have the right to request disclosure, correction, suspension of use, or deletion of your personal data. We process your data for the purposes specified in this policy and do not provide it to third parties without consent except as necessary for service delivery. You may file a complaint with the Personal Information Protection Commission (PPC).
12. South Korean Residents (PIPA)
Under Korea's Personal Information Protection Act (PIPA), you have the right to access, correct, delete, and suspend processing of your personal data. We collect only the minimum information required, retain it only as long as necessary, and destroy it securely once the purpose is fulfilled. Our data protection officer can be reached via the contact details below. You may file a complaint with the Personal Information Protection Commission (PIPC) or the Korea Internet & Security Agency (KISA).
13. Thai Residents (PDPA)
Under Thailand's Personal Data Protection Act (PDPA), you have the right to access, correct, delete, restrict processing, and port your data. We process data based on contractual necessity and do not use it for direct marketing without consent. You may lodge a complaint with the Personal Data Protection Committee (PDPC).
14. Vietnamese Residents (PDPD)
Under Vietnam's Personal Data Protection Decree (PDPD), you have the right to know about the processing of your personal data, to consent to or refuse processing, and to request access, correction, or deletion. We process your data only for the purposes stated in this policy and implement appropriate security measures. You may file a complaint with the Ministry of Public Security.
15. Chinese Residents (PIPL)
Under China's Personal Information Protection Law (PIPL), you have the right to know about, access, correct, delete, and port your personal information. We process personal information based on your consent and contractual necessity. We do not transfer personal information outside mainland China unless adequate protection is ensured. You may file a complaint with the Cyberspace Administration of China (CAC).
16. Indian Residents (DPDP Act)
Under India's Digital Personal Data Protection Act (DPDP Act), you have the right to access information about processing, request correction and erasure, and nominate a representative. We process data only for lawful purposes with your consent. You may file a complaint with the Data Protection Board of India.
17. Russian Residents (Federal Law 152-FZ)
Under Russia's Federal Law No. 152-FZ on Personal Data, you have the right to access, correct, block, and destroy your personal data. We process data based on your consent and for the performance of a contract. Personal data of Russian citizens is stored and processed in accordance with applicable localisation requirements. You may file a complaint with Roskomnadzor (Federal Service for Supervision of Communications).
18. Cookie & Tracking Policy
We use Vercel Analytics, a privacy-friendly analytics service that does not use cookies and does not collect personally identifiable information. We also use Google Ads conversion tracking, which may set cookies to measure when a visitor completes a purchase after clicking an ad. Google's cookies are subject to Google's privacy policy. We may also use strictly necessary session cookies required for the service to function. You can control cookie behaviour through your browser settings.
19. Data Controller & Lawful Basis
The data controller responsible for your personal data is Angus Malcolm. Our lawful basis for processing under GDPR and UK GDPR is: (a) contractual necessity — to fulfil your order and deliver the service you requested; and (b) legitimate interest — to manage credit balances and prevent fraud. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
20. Children
This service is not directed at children under 13 (or 16 in the EU/EEA/UK). We do not knowingly collect data from children. If you believe a child has provided us personal data, contact us immediately and we will delete it promptly.
21. Changes to This Policy
We may update this privacy policy from time to time. Changes become effective upon posting. Material changes will be communicated via the website. Your continued use of the service after changes constitutes acceptance.
22. Contact & Data Protection Officer
For privacy-related requests or questions, contact us at privacy@digitalflowers.app or via our contact form. Our Data Protection Officer can be reached at the same address. We will respond to all data subject requests within 30 days (or one calendar month under GDPR/UK GDPR). If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority.