Privacy Policy — Entwined Heart

Section 1

Information We Collect

We collect the following information when you use Entwined Heart:

Email addresses — of senders and recipients, to deliver cards
Phone numbers — your own number, if you provide it during signup or in Vault Settings and opt in to SMS notifications; and recipients' numbers, when you provide them for SMS card delivery
Card content — the message, heading, relationship, and occasion you choose
First name — used to personalise your experience and pre-fill card signatures
Saved signatures — names you choose to save for quick reuse (e.g. "Your Mom")
IP address — used solely for rate limiting and abuse prevention
Email notifications preference — whether you have opted in to product updates
Subscription information — your plan level and billing status, managed via Stripe
Contact records — on paid plans, you may store names, email addresses, phone numbers, relationships, birthdays, and notes for people you send cards to. This information is stored securely and used only to help you send cards.
Device push tokens — if you enable push notifications, your device token is stored to deliver notifications via Apple APNs. You can disable notifications at any time in your device settings.

Section 2

How We Use Your Information

To deliver cards to recipients via email (SendGrid) or SMS (Twilio, for users who have opted in)
To store cards in recipients' personal vaults
To detect and prevent abuse and spam
To process subscription payments via Stripe
To send product updates if you opted in
To personalise your experience (pre-filling your name, saving preferences)

Section 3

AI Features & Content Moderation

Entwined Heart uses Anthropic's Claude API in two ways:

Content moderation — all card messages are reviewed before delivery to detect harmful content. This happens automatically and the message is not stored beyond the time needed to evaluate it.
AI writing nudges — on paid plans, when you request a writing suggestion, your card details (occasion, relationship, and partial message) are sent to the Anthropic API to generate a hint or suggestion. This content is not retained by Anthropic beyond the API call.

We do not use your card content to train AI models. Anthropic's API data handling is governed by their Privacy Policy.

Section 4

Third Parties

We work with the following trusted service providers. We do not sell your personal data to any third party.

SendGrid (Twilio) Used to deliver card notification emails. Privacy Policy →

Twilio Used to deliver SMS notifications to users who have opted in. See Section 5 for full SMS details. Privacy Policy →

Stripe Used to process subscription payments. We do not store payment card details. Privacy Policy →

Supabase Used to store user accounts, cards, and preferences securely. Privacy Policy →

Anthropic Used for content moderation and AI writing nudges. Message content is not retained beyond the API call. Privacy Policy →

Netlify Used to host the platform and run server functions. Privacy Policy →

Apple (APNs) Used to deliver push notifications to iOS devices. Privacy Policy →

Cloudflare Used for bot protection via Turnstile. Privacy Policy →

Section 5

SMS Communications

Entwined Heart may send you SMS text messages in the following circumstances:

Card delivery notifications — when a card is delivered to a recipient who has provided their phone number
Card received alerts — notifying you that someone has sent you a card, if you have opted in to SMS notifications

      You will only receive SMS messages if you have explicitly opted in. Opt-in occurs when you enter your phone number during account signup or in your Vault Settings, and acknowledge the SMS opt-in notice displayed at that time.
    

Opt-in language: When you provide your phone number, you will see the following notice:

      "I agree to receive card notifications via SMS. Message and data rates may apply. Reply STOP to unsubscribe."
    

Message frequency: Message frequency varies based on your activity. You will only receive a message when a card is sent to you. Typically 1-5 messages per phone number per year, depending on how often you receive cards.

To stop receiving SMS messages, reply STOP to any message we send. You will receive one confirmation message and no further messages will be sent. You can also remove your phone number at any time in your Vault Settings.

For help, reply HELP to any message or email us at privacy@entwinedheart.com.

Message and data rates may apply. SMS delivery is handled by Twilio. See their Privacy Policy for details on how message data is handled.

We do not share your phone number with third parties or affiliates. Phone numbers are used solely to deliver Entwined Heart notifications as described above.

Section 6

Your Privacy Rights

EU residents (GDPR): You have the right to access, correct, or delete your personal data. You also have the right to object to processing and to data portability.

California residents (CCPA): You have the right to know what personal data we collect, to request deletion, and to opt out of the sale of personal data. We do not sell personal data.

To exercise any of these rights, email us at privacy@entwinedheart.com. We will respond within 30 days.

Section 7

Data Retention

Cards are retained in recipient vaults until the recipient deletes them
Scheduled card content (message, recipient details) is deleted from our systems within 24 hours of delivery
Email addresses are retained as long as accounts are active
Phone numbers are retained only while stored in your Contacts
Contact records (including names, birthdays, and notes) are retained until you delete them or close your account
Device push tokens are retained until you disable notifications or delete your account
Payment information is managed and retained by Stripe — we do not store card details
IP addresses used for rate limiting are held in memory only and reset when our servers restart

When you delete your account: we permanently delete your personal data — your profile, the cards and postcards you've sent and received, your contacts and contact groups, reminders, scheduled cards, notifications, and push/device tokens.

Limited safety exception: to protect our users and prevent abuse, we retain a minimal set of safety records even after account deletion — namely records of content-moderation actions, policy violations, and block lists. This lets us keep an existing block effective if someone re-registers and preserves a record of safety actions. We keep only what is necessary for these purposes. This retention is permitted under applicable law (including, for EU residents, the GDPR's grounds for the establishment, exercise, or defense of legal claims and our legitimate interest in safety and abuse prevention).

Section 8

Cookies & Local Storage

Entwined Heart does not use tracking cookies or analytics. We use browser localStorage only to save your session, language preference, and card drafts locally on your device.

      This data never leaves your device and is not accessible to us or any third party. If we ever add analytics or tracking tools, this policy will be updated and a notice will be displayed.
    

Section 9

Children's Privacy

Entwined Heart is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children.

If you believe a child has provided us with personal information, please contact us immediately at privacy@entwinedheart.com.

Section 10

Contact

Privacy questions or data requests: privacy@entwinedheart.com

Entwined Heart is operated by Entwined Heart LLC.