Privacy Policy

This privacy policy (the “Privacy Policy”) clearly and precisely informs the persons who use the website hosted at https://friends.posthero.app and its associated applications (the “Service”) about the processing of the personal data collected by POSTHERO SOLUTIONS S.L. (“POSTHERO” or the “Company”) as the data controller.

Use of the Service implies knowledge and acceptance of this Privacy Policy. Users are advised to read it carefully before registering or making a send.

1. Data controller

The controller of the personal data collected through the Service is POSTHERO SOLUTIONS S.L., with Spanish tax ID B26713065 and registered office at Calle Cargol nº 4 Nave D, 08110, Montcada i Reixac (Barcelona), Spain. Privacy contact email: hello@posthero.app.

2. Personal data we process

We process the following categories of personal data depending on how the user interacts with the Service:

2.1 Account data

To register and use the Service, we collect first name, last name, email address and password (which is stored hashed). Optionally, the user may provide their phone number, profile picture, date of birth and country of residence. We also keep the information needed to manage the account: preferred language, registration date, last login date and registration source (friends).

2.2 Recipient data (contacts)

When the user creates a contact or enters a recipient for a send, we process the data that the user provides about that person: first name and last name, full postal address (street, postal code, city, province, country), email (optional) and date of birth (optional). This data is used exclusively to manage the user's contact book and to print and deliver the corresponding letter or postcard.

The user is responsible for having a legal basis enabling them to provide us with third-party data for that purpose (for example, their personal relationship with the recipient). POSTHERO limits itself to processing such data on behalf of the user — as processor/collaborator for the specific send and as controller for what is required for the operational running of the Service (managing the contact book, handling rights requests, security, fraud prevention and regulatory compliance).

2.3 Send content

We process the text the user writes in the letter or postcard, as well as the handwritten font, ink colour, paper style, format (letter or postcard), occasion (birthday, Christmas, thank-you, other) and, where applicable, the selected image or motif. This content is kept in the user's account so they can review it in their send history.

2.4 Payment data

Payments are processed through Stripe Payments Europe, Ltd., which acts as an independent controller with respect to card data and bank authentication. POSTHERO receives only the information needed to identify the payment (transaction ID, amount, currency, date, status and, where applicable, the last four digits and the card brand). POSTHERO does not store the full PANof the user's card. Stripe's processing of data is governed by its own privacy policy.

2.5 Scheduled send data

If the user schedules a send for a future date (for example, a birthday), we keep the scheduled date, the recurrence (one-off or annual), the associated contact and the send content until it is executed or cancelled.

2.6 Usage and technical data

When the user accesses the Service, we automatically collect technical information such as IP address, browser type and version, operating system, device, pages visited within the Service, date and time of access, time spent, unique device identifiers and diagnostic data. This data helps us operate and improve the Service and prevent abuse.

2.7 Support and communication data

When the user writes to us by email or through any other support channel, we process the identifying and contact data they provide, as well as the content of the communication.

3. Purposes and legal bases of processing

POSTHERO processes personal data for the purposes and on the legal bases set out below:

• Provision of the Service (account registration and management, composition of letters and postcards, contact management, immediate and scheduled send management, history, on-screen preview). Legal basis: performance of the Service contract accepted by the user (art. 6.1.b GDPR).
• Printing, enveloping and postal delivery of the letter or postcard to the recipient. Legal basis: performance of the contract (art. 6.1.b GDPR).
• Payment management through Stripe, invoicing and compliance with accounting and tax obligations. Legal basis: performance of the contract (art. 6.1.b GDPR) and compliance with legal obligations (art. 6.1.c GDPR).
• User support and incident management. Legal basis: performance of the contract and legitimate interest of the controller in providing a quality service (art. 6.1.b and 6.1.f GDPR).
• Functional reminders before a scheduled send and operational notifications relating to the account or to a send. Legal basis: performance of the contract (art. 6.1.b GDPR).
• Commercial communicationsabout new features, special occasions and Posthero or Posthero Friends promotions by email or other electronic means. Legal basis: user's consent, which can be withdrawn at any time through the unsubscribe link included in each communication or by writing to hello@posthero.app (art. 6.1.a GDPR and art. 21 LSSI).
• Service improvement and statistical analysis through aggregated or pseudonymised data, error monitoring, fraud and abuse prevention and security. Legal basis: legitimate interest of the controller in maintaining and improving a secure and reliable service (art. 6.1.f GDPR).
• Compliance with applicable legal obligations (tax, accounting, responding to requests from competent authorities, defence against claims, etc.). Legal basis: compliance with a legal obligation (art. 6.1.c GDPR).

4. Categories of recipients

POSTHERO does not sell or transfer the user's personal data to third parties for them to use for their own commercial purposes. However, in order to provide the Service, certain data is accessed or processed by the following categories of recipients:

• Technology providers that supply POSTHERO with hosting, storage, backup, database, cloud infrastructure and content delivery services.
• Printing and postal logistics providers (printer and postal operator — primarily Correos in Spain or the equivalent postal operator in the destination country — responsible for the physical production and delivery of the letter or postcard).
• Stripe, as the payment service provider.
• Transactional and marketing email providers (for example, to send the account verification email, reminders and commercial communications where the user has given consent).
• Analytics, product metrics and error monitoring providers that help us understand use of the Service and detect failures. These providers receive aggregated or pseudonymised data whenever technically possible.
• Professional advisors (legal, accounting or tax) bound by confidentiality obligations.
• Public authorities, judges and courts when there is a legal obligation to do so.

When these third parties process personal data on POSTHERO's behalf they act as data processors, bound by the corresponding data processing agreement requiring them to apply appropriate technical and organisational measures and to process the data exclusively in accordance with POSTHERO's instructions.

5. International transfers

Some of the technology providers used by POSTHERO may be located outside the European Economic Area or perform processing operations from outside the EEA. In such cases, POSTHERO ensures that international transfers take place under one of the mechanisms provided by applicable regulations: European Commission adequacy decisions, Standard Contractual Clauses approved by the European Commission or equivalent safeguards, together with additional technical and organisational measures where necessary.

6. Retention periods

Personal data is kept for as long as necessary to fulfil the purposes for which it was collected, according to the following general criteria:

• Account data: for as long as the account remains active. If the user requests deletion, data is erased or blocked to respond only to potential legal liabilities (in particular, those arising from tax and accounting regulations, during the applicable limitation periods).
• User's contacts: for as long as the user keeps them in their contact book. The user can delete them at any time from their account.
• Content of completed sends:kept in the user's history for as long as the account is active, with a reasonable maximum period of inactivity after which it may be archived or deleted.
• Accounting and tax data (invoices, payment receipts): for the applicable legal periods (in Spain, generally up to 6 years from the end of the financial year).
• Security records and technical logs: for as long as necessary for security purposes, fraud prevention and technical incident resolution, in accordance with industry best practices.

7. Automated decisions

POSTHERO does not take decisions based solely on automated processing of user data that produce significant legal effects or similarly significantly affect the user. Automated fraud-detection or content-moderation mechanisms may apply, but always with human review before taking measures that affect the account or the send.

8. Children's data

The Service is intended exclusively for persons over 18 years of age. POSTHERO does not intentionally collect personal data from minors. If POSTHERO becomes aware that it has collected data from a minor, it will proceed to delete it as soon as possible. If the user is a parent or guardian and believes that a minor under their care has provided us with data, they may contact us at hello@posthero.app.

9. User rights

The user may at any time exercise the following rights recognised by data protection regulations:

• Access: to know what personal data is being processed, its origin, purpose and recipients.
• Rectification: to modify inaccurate or incomplete personal data.
• Erasure (“right to be forgotten”): to request deletion of the data when it is no longer necessary for the purposes for which it was collected or when another legally provided reason applies.
• Objection: to object to the processing of their data on grounds relating to their particular situation or, at any time and without need for justification, to processing for marketing purposes.
• Restriction: to request restriction of processing in the cases provided for by the regulations.
• Portability: to receive the personal data provided in a structured, commonly used and machine-readable format, and to transmit it to another controller when technically possible.
• Withdrawal of consent at any time for processing operations based on it, without affecting the lawfulness of prior processing.

To exercise these rights, the user may write to hello@posthero.app, stating in the subject line the right they wish to exercise and attaching, where necessary, documentation proving their identity. POSTHERO will respond within the time limits laid down by applicable regulations.

The user also has the right to lodge a complaint with the Spanish Data Protection Agency, especially if they consider that their rights have not been satisfactorily addressed. Contact details: C/ Jorge Juan, 6, 28001 Madrid; telephones 901 100 099 and 91 266 35 17; electronic office https://sedeagpd.gob.es/sede-electronica-web/ and website www.aepd.es.

10. Security measures

POSTHERO has implemented reasonable technical and organisational measures to guarantee the security of personal data and to prevent its alteration, loss, unauthorised processing or access, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.

Despite this, no system of transmission over the Internet or electronic storage is 100% secure. If the user has reason to believe that the security of their account has been compromised, they should immediately notify us at hello@posthero.app.

11. Changes to this Policy

POSTHERO may update this Privacy Policy to adapt it to changes in regulations, case law or industry practice, or to reflect new Service features. The version in force will always be available on this page, with the date of the latest update. Where the changes are material, the user will be informed by reasonable means.

12. Contact

For any query relating to this Privacy Policy or to the processing of personal data, the user may contact POSTHERO at hello@posthero.app.