Privacy Policy
Personalised Digital Cards Service
Version 1.0 | Effective: 13.06.2026
1. Data Controller
The data controller of your personal data is: Dominik Maćkiewicz, sole trader operating under the name Blue Code Dominik Maćkiewicz, VAT ID: 5273170548, address: Sokołowska 24/26/32, Warsaw, email: dominik8881@wp.pl (hereinafter: Controller).
For matters relating to personal data, contact: dominik8881@wp.pl
2. What data we collect and why
2a. Order data (contract performance — Art. 6(1)(b) GDPR):
- first and last name or nickname of the Buyer;
- email address or phone number (for delivery of the Card link);
- data provided for Card personalisation (e.g. recipient's name, private wishes, photos, voice recordings — if provided).
This data is stored in the Supabase database (EU servers) for the duration of the contract, i.e. 5 years (the Card link validity period), and then for the period required by tax legislation (5 years from the end of the tax year).
2b. Payment data (Stripe — separate controller):
Payment card data and transactions are handled exclusively by Stripe Payments Europe Ltd. The Controller does not have access to full card data. Stripe operates as a separate controller — see Stripe's privacy policy: stripe.com/privacy
2c. Analytics data (PostHog — legitimate interest — Art. 6(1)(f) GDPR):
We use PostHog — a product analytics tool. PostHog collects anonymous data about user behaviour on the site (e.g. visited pages, clicks, visit duration). PostHog servers are located in the EU (EU Cloud). This data is not linked to your personal data and is not used to identify specific individuals.
You have the right to object to the processing of analytics data — contact us or use the opt-out option in the site settings.
2d. Third-party personal data on the Card:
If the Buyer provides data relating to a third party (e.g. the recipient's name, photo, voice recording), the Buyer represents that they have the consent of that person or another valid legal basis to provide their data. The Controller processes such data on the basis of its legitimate interest (Art. 6(1)(f) GDPR), which is the proper performance of the service at the Buyer's request. Due to the nature of the service (creating digital surprise cards), direct fulfillment of the information obligation towards the third party by the Controller would require a disproportionate effort or even make it impossible to achieve the purpose of the order. Therefore, pursuant to Art. 14(5)(b) GDPR, the Controller is exempt from this obligation, relying on the Buyer's assurance of the legality of the data transfer.
3. Data processors
The Controller uses the following service providers to whom data processing may be entrusted:
- Supabase Inc. — database, EU servers — storage of order data, wishes, and Card metadata;
- Cloudflare, Inc. — Cloudflare R2 service, EU servers — storage of media files (e.g. voice recordings);
- Stripe Payments Europe Ltd. — payment processing (separate controller);
- PostHog Inc. — product analytics, anonymous data, EU Cloud;
- Vercel, Inc. — hosting of the Card website;
- Resend, Inc. — external system used for link delivery.
Each processor operates on the basis of a data processing agreement (DPA) and is required to apply GDPR-compliant safeguards.
4. Data transfers outside the EEA
Data is generally stored on servers within the European Economic Area (EEA).
Stripe may process some data on servers in the USA — Stripe uses Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection.
PostHog in EU Cloud mode processes data exclusively within the EEA.
Media files in Cloudflare R2 are stored on servers within the EU. Cloudflare, Inc., as a US-based entity, ensures appropriate protection mechanisms for any potential data transfers (e.g. certification under the Data Privacy Framework or Standard Contractual Clauses).
Entities such as Vercel, Inc. and Resend, Inc. are incorporated in the USA. Any transfers of data to them are based on appropriate safeguards compliant with the GDPR, such as Standard Contractual Clauses (SCCs) or certification under the Data Privacy Framework (DPF).
5. Data retention periods
- Card content (media files, voice recordings, wishes): retained for 5 years from the delivery date (link validity period), then permanently and promptly deleted;
- Transaction and billing data (e.g. name, purchase amount): retained for the period required by tax and accounting legislation, i.e. 5 years from the end of the calendar year in which the tax payment deadline fell (Art. 6(1)(c) GDPR);
- Data required for complaints: until the limitation period for claims expires (generally 6 years);
- PostHog analytics data: anonymised, not attributable to an individual.
6. Your rights
Under the GDPR, you have the following rights:
- right of access to your data (Art. 15 GDPR);
- right to rectification of data (Art. 16 GDPR);
- right to erasure of data (Art. 17 GDPR) — subject to the Controller's legal obligations;
- right to restriction of processing (Art. 18 GDPR);
- right to data portability (Art. 20 GDPR);
- right to object to processing based on legitimate interest (Art. 21 GDPR) — including PostHog analytics;
- right to lodge a complaint with the President of the Personal Data Protection Office (www.uodo.gov.pl).
Requests regarding your rights may be directed to: dominik8881@wp.pl. We respond within 30 days.
7. Cookies and tracking technologies
The site may use cookies necessary for its operation (session cookies) and PostHog analytics cookies.
On your first visit to the site, we display information about cookies. You may manage cookies in your browser settings. Disabling analytics cookies does not affect your ability to use the site or view your Card.
8. Data security
The Controller applies appropriate technical and organisational measures to protect personal data, including: HTTPS data transmission encryption, access controls for the Supabase database, limitation of access to personal data to what is strictly necessary.
9. Changes to this Privacy Policy
The Controller reserves the right to amend this Policy. The current version is always available at https://sendbloom.io/privacy. We notify users of significant changes by email (if we hold the user's email address).
10. Global users and language versions
The Service is directed to users worldwide. Users accessing the Service from outside the European Economic Area (EEA) acknowledge that the primary data protection standard applied by the Controller is the European GDPR regulation, ensuring one of the highest levels of privacy protection. Regardless of the country of origin, every user of the Service enjoys the rights indicated in section 6 of this Policy. Data is processed in Poland and within the EEA (and in the USA to the extent of using authorized sub-processors, under the rules described in section 4). In the case of specific requirements imposed by local laws (e.g. CCPA), the Controller will make every effort to fulfill the resulting rights upon direct request of the user.
This Privacy Policy has been prepared in Polish and English. In the event of any interpretative discrepancies between the language versions, the Polish version shall be binding and prevail.
Privacy Policy v1.0 | GDPR compliant | Polish law 2026