Privacy Policy

Handwrytten, Inc.

Effective Date: 1/16/2026  |  Last Updated: 1/16/2026
Previous Version: August 24, 2020

1. Introduction

Handwrytten, Inc. (“Handwrytten,” “we,” “us,” or “our”) offers services that enable customers to send handwritten notes and associated gift cards on their behalf. You may interact with Handwrytten and provide information through our online platform at app.handwrytten.com and www.handwrytten.com (and all associated subdomains) (the “Website”), our API, our mobile applications for iPhone and Android, or by communicating with our team in support of your writing project (collectively, the “Services”).

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our Website and Services. It applies when Handwrytten acts as a data Controller (i.e., when we determine the purposes and means of processing your personal data). This Privacy Policy does not describe how we process personal data on our customers’ instructions when acting as a Processor.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy regulations.

For information about our security practices and certifications, please visit our Trust Center.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: first and last name, email address, phone number, company name, and password when you create an account.
  • Order information: names, mailing addresses (sender and recipient), and the content of handwritten messages you submit for fulfillment.
  • Payment information: credit card or payment details necessary to complete transactions. Handwrytten does not store credit card numbers; this information is transmitted directly to our PCI DSS-compliant payment processor.
  • Contact and address books: names and addresses of your contacts to whom you send notes.
  • Custom content: custom-designed cards, logos, or other materials you upload or store using your account.
  • Communications: information you provide when you contact us for support, submit feedback, participate in surveys, or otherwise communicate with us.

2.2 Information Collected Automatically

  • Log data: IP address, browser type, operating system, referring URLs, pages visited, date/time stamps, and clickstream data.
  • Cookies and similar technologies: we use cookies, pixel tags (web beacons), and similar technologies to recognize your browser, understand usage patterns, and improve our Website. See Section 8 (Cookies and Tracking Technologies) for details.
  • Analytics data: we use third-party analytics services (such as Google Analytics) to analyze Website usage. These services collect information such as how often you visit, what pages you view, and what sites you visited before arriving at our Website.

2.3 Information We Do Not Collect

We do not collect Special Categories of Personal Data as defined under GDPR (such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data). We do not collect information about criminal convictions or offenses.

3. How We Use Your Information

We use your personal data only for the purposes for which it was collected, or for compatible purposes. Specifically, we use your information to:

  • Provide, operate, and maintain our Services, including fulfilling handwritten note orders.
  • Create and manage your account.
  • Process payments and complete transactions.
  • Communicate with you, including sending order confirmations, service updates, and responding to inquiries.
  • Improve our Website and Services through usage analysis and feedback.
  • Send promotional communications about our Services (with your consent or where permitted by law).
  • Detect, prevent, and address fraud, security issues, and technical problems.
  • Comply with legal obligations and enforce our terms.

4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases for processing your personal data:

  • Contractual Necessity: processing necessary to perform a contract with you or to take steps at your request before entering into a contract (e.g., fulfilling orders, managing your account).
  • Legitimate Interests: processing necessary for our legitimate business interests, provided those interests are not overridden by your rights (e.g., improving our Services, fraud prevention, direct marketing to existing customers).
  • Consent: where you have given clear consent for us to process your personal data for a specific purpose (e.g., marketing communications, non-essential cookies).
  • Legal Obligation: processing necessary to comply with a legal or regulatory requirement.

5. How We Share Your Information

We do not sell your personal data. We share your information only in the following circumstances:

5.1 Service Providers

We share personal data with third-party service providers who perform services on our behalf, including:

  • Cloud infrastructure hosting (Amazon Web Services, US-East region)
  • Payment processing (PCI DSS-compliant processor; we do not store card data)
  • Customer relationship management and marketing automation (HubSpot)
  • Email and collaboration tools (Microsoft 365)
  • Payroll and HR administration (Gusto, for employee data only)
  • Compliance monitoring (Sprinto)
  • Analytics (Google Analytics)

These providers are contractually obligated to use your data only for the purposes of providing services to us and to maintain appropriate security measures. We do not share order data, including recipient addresses, message content, or payment information, with third parties for their own marketing purposes.

5.2 Postal and Shipping Carriers

To fulfill handwritten note orders, sender and recipient mailing addresses are physically printed on envelopes and cards that are handed to USPS or other shipping carriers for delivery. This is inherent to the nature of our postal mail service.

5.3 Business Transfers

In connection with a merger, acquisition, financing, dissolution, or sale of all or a portion of our business or assets, your personal data may be transferred as a business asset. We will notify you of any such change in ownership or control of your personal data.

5.4 Legal Requirements

We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

6. Cross-Border Data Transfers

Handwrytten is based in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, where our servers and service providers are located.

For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with service providers where applicable.
  • Data Processing Agreements (DPAs) with our sub-processors that include appropriate safeguards.
  • Your explicit consent, where applicable.

We take reasonable steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which we process it, including encryption in transit (TLS 1.2+) and at rest (AES-256).

7. Data Retention

We retain your personal data only for as long as reasonably necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Our general retention practices are:

Data Category | Retention Period | Basis
Customer account data | Duration of account plus 3 years | Contractual necessity; legal obligations
Order and transaction data | Duration of account plus 3 years | Contractual necessity; tax/accounting requirements
On-premises fulfillment data | 1-2 business days | Deleted after order fulfillment
Marketing/lead data | Until consent is withdrawn or account is closed | Consent; legitimate interest
Employee data | Duration of employment plus statutory period | Employment contract; legal obligations (tax, labor)
Analytics/cookie data | Per analytics tool retention settings | Consent; legitimate interest
Payment card data | Not stored by Handwrytten | Handled by PCI-compliant processor

When personal data is no longer required, it is securely deleted or anonymized in accordance with our internal data disposal and classification policies.

8. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

Essential Cookies

Required for the Website to function properly (e.g., session management, authentication). These cannot be disabled.

Analytics Cookies

Help us understand how visitors use our Website by collecting anonymized usage data. We use Google Analytics for this purpose. These cookies are placed only with your consent where required by law.

Marketing Cookies

Used to deliver relevant advertisements and track marketing campaign effectiveness. These include HubSpot tracking cookies. These cookies are placed only with your consent.

Managing Your Cookie Preferences

When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can change your preferences at any time through your browser settings. Please note that disabling certain cookies may affect Website functionality.

We do not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for responding to such signals has been established.

9. Your Privacy Rights

9.1 Rights Under GDPR (EEA, UK, and Swiss Residents)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights:

  • Right of Access: obtain a copy of the personal data we hold about you.
  • Right to Rectification: request correction of inaccurate or incomplete personal data.
  • Right to Erasure: request deletion of your personal data where there is no legitimate reason for us to continue processing it.
  • Right to Restrict Processing: request that we suspend processing of your personal data in certain circumstances.
  • Right to Data Portability: receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: withdraw consent at any time where processing is based on consent.

You also have the right to lodge a complaint with your local data protection supervisory authority.

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act provides you with the following rights:

  • Right to Know: request information about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
  • Right to Delete: request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: Handwrytten does not sell your personal information and does not share it for cross-context behavioral advertising.
  • Right to Non-Discrimination: you will not be discriminated against for exercising any of these rights.

9.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at:

We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA/CPRA). If we need additional time, we will notify you of the extension and the reason. We may request specific information to verify your identity before fulfilling your request. There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive.

10. Data Security

We implement commercially reasonable technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest using AES-256.
  • Role-based access controls following the principle of least privilege.
  • Multi-factor authentication for access to critical systems.
  • Regular vulnerability assessments and penetration testing.
  • Employee security awareness training upon hire and annually thereafter.
  • Incident management procedures with defined response and notification protocols.

Handwrytten maintains a SOC 2 Type II compliance program covering Security, Confidentiality, and Availability. For more information, visit our Trust Center.

11. Text Messages

If you opt in to receive text messages from Handwrytten, your mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. Text messaging opt-in data and consent will not be shared with any third parties. To opt out, text STOP at any time.

12. Children’s Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at contact@handwrytten.com.

13. Third-Party Links

Our Website may contain links to third-party websites that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our Website with a revised “Last Updated” date, and where required by law, by sending notice to the email address associated with your account. Your continued use of our Services after the effective date of the revised policy constitutes your acceptance of the changes.

We review this Privacy Policy at least annually in accordance with our compliance review schedule.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Handwrytten, Inc.

9280 S. Kyrene Rd., Suite 134

Tempe, AZ 85284

Email: contact@handwrytten.com

Phone: 888-284-5197

If you are located in the EEA or UK and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local data protection supervisory authority.


Version History

Version | Date | Notes
1.0 | August 24, 2020 | Original publication.
2.0 | [DATE] | Comprehensive update: added CCPA/CPRA rights, cross-border transfer mechanisms, data retention schedule, cookie consent details, SOC 2 Trust Center reference, sub-processor disclosures, children’s privacy section, and annual review commitment.
