Privacy Policy
Last Updated: December 17, 2025
TL;DR (The Human Version)
This summary is for convenience only. The full Policy below is the actual legal document.
- ✅ We collect only what we need — email, profile info, content you create
- ✅ No advertising cookies — we use Plausible (privacy-friendly analytics)
- ✅ AI prompts are not used for training — OpenAI doesn't train on API data
- ✅ Export & delete your data — use CSV export anytime, or request deletion via Legal page
- ✅ Newsletter is opt-in — checkbox on signup, unsubscribe anytime
- 🇪🇺 Data stored in EU — Supabase (Paris), Render (Frankfurt)
1. Introduction
This Privacy Policy explains how we collect, use, and protect your personal data when you use the I Love Cards platform.
"I Love Cards" is a trade name operated by Stormz SAS, a French company. See the Legal page for company details.
We comply with the French Data Protection Act (Loi Informatique et Libertés) and the General Data Protection Regulation (GDPR).
2. Data We Collect
2.1 Information You Provide
When you create an account or use the platform, we collect:
- Account information: email address
- Profile information (optional): display name, avatar, bio, professional title, website, social media links (LinkedIn, Twitter, Instagram, Facebook)
- Content you create: decks, cards, templates, images, and text
2.2 Information from Payment Provider
Payments are processed by Lemon Squeezy, our merchant of record. They collect:
- Payment details (card number, expiry date)
- Billing address
- Email address
We receive confirmation of payment and license status but do not store your payment card details.
2.3 Information from Newsletter and Events
When you create an account:
- Onboarding emails: You will receive getting-started guides to help you use the platform. These are service-related and sent automatically.
- Product newsletter: You may choose to subscribe to platform updates and announcements. This is opt-in only — you must check the box during signup.
If you register for events (webinars, workshops), we collect:
- Email address
- Name (if provided)
- Event attendance status
This data is processed by Mailcoach (cloud service).
You can unsubscribe at any time via the link in any email or by contacting us.
2.4 Information Collected Automatically
When you use the platform, we automatically collect:
- Usage data: pages visited, features used, interactions with the platform
- Device information: browser type, operating system, screen resolution
- Connection data: IP address, approximate location (city/country), access times
We use Plausible Analytics, a privacy-friendly analytics service that does not use cookies and does not track individuals across sites.
3. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide and operate the platform | Contract performance |
| Manage your account and authentication | Contract performance |
| Process payments and licenses | Contract performance |
| Send transactional emails (confirmations, password resets) | Contract performance |
| Send onboarding emails to help you use the platform | Legitimate interest |
| Send newsletters and product updates (if subscribed) | Consent |
| Send event communications (if registered) | Contract performance |
| Improve the platform and fix bugs | Legitimate interest |
| Analyze usage patterns (anonymized) | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Prevent fraud and abuse | Legitimate interest |
4. AI Features and Data Processing
I Love Cards offers AI-powered features for content generation (cards, images, templates).
When you use AI features:
- Your prompts and relevant deck context are sent to OpenAI for processing
- OpenAI processes this data to generate responses
- OpenAI does not use API data to train its models (per their API data usage policy)
- We do not store AI prompts beyond what is necessary to deliver the feature
AI features are optional and require explicit user action.
5. Cookies and Tracking
Technical Cookies (Required)
We use essential cookies for:
- Authentication: Supabase session management
- These cookies are necessary for the platform to function
Analytics (No Cookies)
We use Plausible Analytics, which:
- Does not use cookies
- Does not collect personal data
- Does not track users across websites
- Is GDPR-compliant by design
What We Don't Use
- ❌ Advertising cookies
- ❌ Social media tracking cookies
- ❌ Third-party marketing pixels
6. Data Sharing and Third Parties
We share your data with the following service providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, storage | Account data, content | EU (Paris) |
| Render | Platform hosting | Server logs, IP addresses | EU (Frankfurt) |
| Lemon Squeezy | Payment processing | Payment info, email | US |
| Amazon SES | Authentication emails | Email addresses | EU |
| Mailcoach | Newsletter and event emails | Email, name, preferences | EU (Belgium) |
| OpenAI | AI content generation | Prompts, deck context | US |
| Unsplash | Image search | Search queries | US |
| Plausible | Analytics | Anonymized usage data | EU |
We do not sell your personal data to third parties.
7. International Data Transfers
Some of our service providers are located outside the European Union (notably Lemon Squeezy, and OpenAI in the US).
When data is transferred outside the EU, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs)
- Privacy frameworks and certifications of our providers
- Data processing agreements
8. Data Retention
Account Data
We retain your data for as long as your account is active.
After account closure:
- Your data may be retained for up to three (3) years for legal and administrative purposes
- After this period, data is permanently deleted
Payment Records
Payment and invoice records are retained for the period required by applicable tax law (typically 10 years in France).
Newsletter Subscriptions
If you unsubscribe from the newsletter, your email is added to a suppression list to prevent future mailings. You can request complete deletion via the Legal page.
Event Registrations
Event registration data is retained for up to three (3) years after the event date.
9. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encrypted connections (HTTPS/TLS)
- Secure authentication (magic link, no passwords stored in plain text)
- Access controls and authentication for admin functions
- Regular security reviews
- Data stored on reputable, certified infrastructure providers
Despite these measures, no system is 100% secure. We encourage you to use strong, unique passwords and keep your account credentials confidential.
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data ("right to be forgotten") |
| Restriction | Request limited processing of your data |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw Consent | Withdraw consent for optional processing (e.g., newsletter) |
Self-service data export: You can export your deck data (cards, categories, metadata, and image URLs) at any time using the CSV export feature. This allows you to keep a local backup of your work in a portable, machine-readable format.
To exercise other rights, contact us via the Legal page.
We will respond to your request within one (1) month. This period may be extended by two months for complex requests.
11. Data Breach Notification
If we discover a data breach that poses a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority (CNIL in France) within 72 hours
- Inform affected users without undue delay
- Describe the nature of the breach and measures taken
12. Children's Privacy
I Love Cards is not intended for users under 16 years old.
We do not knowingly collect personal data from children under 16. If we discover that we have collected data from a child under 16, we will delete it promptly.
13. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority.
For France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL):
- Website: www.cnil.fr
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
14. Changes to This Policy
We may update this Privacy Policy from time to time.
When changes are made:
- The "Last Updated" date at the top will be revised
- For significant changes, we may notify you via email or platform notification
Continued use of the platform after changes take effect constitutes acceptance of the revised Policy.
15. Contact
For questions about this Privacy Policy or to exercise your data rights, please contact us:
- Email: contact@stormz.me
- Address: See the Legal page for full company details
16. Entry into Force
This Privacy Policy is effective as of December 17, 2025.