Privacy Policy
Effective Date: February 25, 2026
Last Updated: February 25, 2026
1. Introduction
Dear LDS (“we,” “us,” or “our”) operates the website dearlds.com (the “Site”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Site, purchase greeting cards (physical or digital), create an account, or otherwise interact with our services.
By using the Site, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Site. We encourage you to read this policy carefully and contact us at support@dearlds.com with any questions.
2. Information We Collect
2.1 Information You Provide Directly
- Account & Profile Information: Name, email address, and password when you create an account.
- Order Information: Billing and shipping addresses, phone number, and payment details (processed securely by Stripe — we never store your full credit card number).
- Card Personalization: Custom text, font preferences, and color selections you choose when personalizing greeting cards.
- Contact & Support Inquiries: Name, email, and message content when you reach out through our contact form.
2.2 Information Collected Automatically
- Device & Browser Data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Usage Data: Pages visited, links clicked, time spent on pages, card views, favorites, search queries, and referral URLs.
- Session Identifiers: A randomly generated session ID stored in your browser’s local storage to track card views and favorites without requiring a login. This identifier does not contain personal information. It persists in your browser until you clear your browser data and may be linked to your identity if you later make a purchase from the same browser.
- Cookies & Similar Technologies: We use essential cookies to maintain your session and cart state. See Section 7 for details.
2.3 Information from Third Parties
- Payment Processor (Stripe): Stripe provides us with transaction confirmation, partial card details (last four digits), and billing address for order fulfillment. Stripe’s use of your data is governed by Stripe’s Privacy Policy.
- Hosting & Infrastructure (Vercel, Supabase): Our hosting providers may process server logs containing IP addresses and request metadata.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Order Processing & Fulfillment: To process payments, print and ship physical cards, deliver digital downloads, and send order confirmations.
- Customer Support: To respond to inquiries, troubleshoot issues, and provide assistance.
- Site Improvement: To analyze usage patterns, improve our card catalog, optimize the shopping experience, and fix technical issues.
- Personalization: To render your custom text on card previews and produce personalized printed cards.
- Security & Fraud Prevention: To detect and prevent fraudulent transactions, abuse, and unauthorized access.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Communications: To send order updates, shipping notifications, and download links. We will only send marketing emails if you explicitly opt in, and you can unsubscribe at any time.
- Automated Processing: We use automated systems to track card popularity (views and favorites) and may use this data to personalize the shopping experience, such as displaying popular or trending cards. These automated processes do not make significant decisions affecting your rights, access to services, or pricing.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
- Service Providers: We share data with trusted third parties who perform services on our behalf (payment processing, hosting, shipping, email delivery). These providers are contractually obligated to use your data only for the services they provide to us.
- Legal Requirements: We may disclose information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Site before your information becomes subject to a different privacy policy.
- With Your Consent: We may share information for any other purpose with your explicit consent.
4.1 Third-Party Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Name, email, billing/shipping address, payment details |
| Supabase | Database & file storage (US-hosted infrastructure) | Account data, order records, card images, contact submissions |
| Vercel | Website hosting & CDN | IP address, request logs |
5. Data Retention
- Order Data: We retain order records, including shipping addresses and transaction details, for a minimum of 7 years to comply with tax and accounting regulations.
- Account Data: Retained for as long as your account is active. You may request account deletion at any time (see Section 8).
- Analytics & Usage Data: Aggregated analytics data is retained indefinitely. Individual session-level data (view logs, favorites) is retained for up to 24 months, after which it is deleted or anonymized.
- Download Tokens: Digital download tokens expire 7 days after purchase and are deleted 90 days after expiry.
- Contact Inquiries: Retained for up to 2 years after the inquiry is resolved.
- Payment Data: Payment card information is processed and stored by Stripe in accordance with their data retention policies. We retain only partial card details (last four digits) and transaction records as part of our order data.
6. Data Security
We implement reasonable administrative, technical, and physical safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Payment information is processed directly by Stripe using PCI DSS Level 1 certified systems — we never handle or store your full card number.
- Database access is restricted through Row-Level Security (RLS) policies and role-based access controls.
- Admin access is restricted to authorized personnel with verified email addresses.
- Digital download files are stored in private storage buckets accessible only through time-limited, single-use tokens.
- We conduct regular reviews of our data collection, storage, and processing practices.
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
7. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
Essential Cookies
Required for the Site to function properly. These include session cookies for authentication and cart state. You cannot opt out of essential cookies without losing Site functionality.
Local Storage
We use browser local storage to persist your shopping cart between visits and to store a random session identifier used for anonymous analytics (card views, favorites). This data remains on your device and is not transmitted to third parties.
Opt-Out Preference Signals
We honor opt-out preference signals, including the Global Privacy Control (GPC) and Do Not Track (DNT) signals sent by your browser. When we detect such a signal, we treat it as a valid opt-out request as required by applicable state law and disable non-essential analytics tracking for your session.
8. Your Privacy Rights
Depending on your location, you may have specific rights regarding your personal information. We are committed to honoring these rights regardless of where you reside.
8.1 All Users
All users of our Site may:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Data Portability: Request a copy of your personal information in a commonly used, machine-readable format (such as CSV or JSON).
- Opt-Out of Marketing: Unsubscribe from promotional emails at any time by clicking the unsubscribe link or contacting us.
8.2 California Residents — CCPA/CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
- Right to Know: You may request that we disclose (1) the categories and specific pieces of personal information we have collected about you, (2) the categories of sources from which we collected the information, (3) the business or commercial purpose for collecting or selling the information, and (4) the categories of third parties with whom we share the information.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA. Therefore, there is no need to opt out. If this practice ever changes, we will provide a conspicuous “Do Not Sell or Share My Personal Information” link.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond what is necessary to provide our services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Categories of Personal Information Collected
| Category (per CCPA) | Examples | Purpose | Third Parties |
|---|---|---|---|
| A. Identifiers | Name, email, IP address | Order processing, customer support, analytics | Stripe, Supabase, Vercel |
| B. Personal Information (Cal. Civ. Code 1798.80(e)) | Name, address, phone number | Order fulfillment, shipping | Stripe, Supabase |
| D. Commercial Information | Purchase history, order details | Order fulfillment, records, analytics | Stripe, Supabase |
| F. Internet/Network Activity | Browsing history, page views, interactions | Site improvement, analytics, personalization | Supabase, Vercel |
| G. Geolocation Data | Approximate location via IP address | Fraud prevention, analytics | Vercel |
| C. Protected Classification | Age, race, religion | Not collected | N/A |
| E. Biometric Information | Fingerprints, face geometry | Not collected | N/A |
| H–K. Other categories | Sensory, professional, education, inferences | Not collected | N/A |
We do not sell or share any of the above categories of personal information to third parties for monetary consideration or cross-context behavioral advertising.
How to Submit a Request: California residents may submit a verifiable consumer request by emailing us at support@dearlds.com. We will verify your identity by matching the information you provide with the information we have on file. We will respond to verifiable requests within 45 days. If we need additional time (up to 90 days total), we will notify you of the extension and the reason.
Authorized Agent: You may designate an authorized agent to submit requests on your behalf. The agent must provide a signed written authorization or a power of attorney. We may still require you to verify your identity directly.
8.3 New York Residents — SHIELD Act & NY Privacy Protections
If you are a New York resident, the New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) requires us to implement reasonable safeguards to protect your private information. We comply with the SHIELD Act by maintaining:
- Administrative Safeguards: Designated personnel responsible for our security program, risk assessments of our data handling practices, and employee training on security procedures.
- Technical Safeguards: Assessment of risks in our network and software design, encryption of data in transit and at rest, monitoring for security breaches, and regular testing and updating of security measures.
- Physical Safeguards: Secure disposal of data when no longer needed and appropriate access controls for our systems and infrastructure.
In the event of a data breach affecting your private information, we will notify you within 30 days of discovery of the breach in accordance with the SHIELD Act’s notification requirements, and will also notify the New York Attorney General, the New York State Department of State, the Division of State Police, and the New York Department of Financial Services when required.
New York residents may exercise the same access, correction, and deletion rights described in Section 8.1. Contact us at support@dearlds.com to submit a request.
8.4 Other State Privacy Rights
Dear LDS is based in Utah. While we may not currently meet the Utah Consumer Privacy Act (UCPA) revenue and data processing thresholds, we voluntarily honor the privacy rights provided under the UCPA for all Utah residents.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), Minnesota (MNCDPA), Maryland (MODPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), Indiana (ICDPA), and other states with consumer privacy laws may have similar rights to access, correct, delete, and opt-out of certain data processing. We will honor these rights consistent with applicable law. Contact us at privacy@dearlds.com to exercise your rights.
For Oregon residents, we do not sell personal data of consumers we know or have reason to believe are under 16 years of age.
If we deny your request, you may appeal by contacting us with the subject line “Privacy Rights Appeal.” We will respond to appeals within 60 days.
9. Children’s Privacy
Our Site is not directed at children under 13 years of age. In compliance with the Children’s Online Privacy Protection Act (COPPA), as amended effective April 22, 2026, we do not knowingly collect personal information — including names, email addresses, online identifiers, geolocation data, or biometric information — from children under 13. If we discover that we have inadvertently collected such information, we will delete it promptly and notify the child’s parent or guardian.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@dearlds.com.
For California residents, we do not knowingly collect or sell personal information of consumers under 16 years of age. For Oregon residents, we do not sell personal data of consumers we know or have reason to believe are under 16 years of age.
10. International Users
Our Site is operated in the United States and currently ships only to US addresses. If you access our Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using our Site, you consent to the transfer of your information to the United States.
11. Third-Party Links
Our Site may contain links to third-party websites (e.g., Stripe’s checkout page). We are not responsible for the privacy practices of these sites. We encourage you to read the privacy policies of any third-party sites you visit.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page.
- Post a notice on our Site for at least 30 days.
- For changes that materially expand how we use your previously collected information, provide additional notice (such as email notification) and, where required by law, obtain your consent.
13. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
- Privacy Requests: privacy@dearlds.com
- General Support: support@dearlds.com
- Contact Form: dearlds.com/contact
- Mail: Dear LDS, P.O. Box 1234, Salt Lake City, UT 84101
- Subject Line: “Privacy Inquiry” or “CCPA Request” or “Privacy Rights Appeal”
We aim to respond to all privacy-related inquiries within 10 business days, and to all verifiable consumer requests within the legally required timeframes.
This policy is reviewed at least annually.
This Privacy Policy is provided for informational purposes only and does not constitute legal advice. It is designed to comply with applicable US federal and state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), the New York SHIELD Act, COPPA, and the FTC Act. For specific legal advice regarding your rights, please consult a licensed attorney. See also our Terms of Service.