Privacy Policy

Effective date: March 17, 2026

1. Introduction

HuddleCard ("we", "us", "our") operates huddlecard.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using the Service, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

Information you provide directly

Account information: name, email address, company name, time zone, and password.
Profile information: profile photos and date of birth.
Card content: messages, images, GIFs, and other media you post to cards. This content is authored by you and shared with other members of your group.
Billing information: payment details are collected and processed directly by Stripe. We store only your Stripe customer identifier and subscription identifiers — we never see or store your full credit card number.
Communications: any emails or messages you send to us directly.

Information from integrations

Slack: When you connect your Slack workspace, we receive your workspace identifier, the identifiers of channels you configure for notifications, and basic user profile data (display name, email address, and profile picture) for members of your workspace. We use this data solely to deliver card notifications and facilitate signing within Slack. We do not read, store, or process your Slack messages, files, or any other workspace content beyond what is described here.

Information collected automatically

Log data: IP address, browser type, pages visited, and timestamps.
Cookies: session cookies to maintain your login state and preferences. See Section 5 for details.

3. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service.
Create and deliver group cards and notifications, including transmitting card content via email through our email delivery provider (Mailgun).
Process billing and manage subscriptions through Stripe.
Send transactional emails such as card notifications, account verification, and billing alerts.
Monitor and resolve errors and service issues.
Respond to your support requests.
Comply with legal obligations.

We do not use your personal information for advertising, profiling, or automated decision-making. We do not sell your personal information to any third party.

4. Third-Party Service Providers

We share your information with the following third-party processors, solely to operate the Service:

Provider	Purpose	Data Shared
Stripe	Payment processing & billing	Email, company name, subscription data
Slack	Workspace integration	User profiles (name, email, avatar), card notification content
Cloudinary	Media storage & image processing	Uploaded images and media files
Mailgun	Transactional email delivery	Recipient email addresses, email content (including card messages compiled into delivered cards)
Sentry	Error tracking & monitoring	Error logs and request metadata (no personal content)
Giphy	GIF search & embedding in cards	Search queries entered when browsing GIFs
Unsplash	Stock photo search for card images	Search queries entered when browsing photos
Google Fonts	Web font delivery	IP address and page URL (standard browser request)
CDN providers (cdnjs, unpkg, jsDelivr, MaxCDN)	Hosting open-source JavaScript and CSS libraries	IP address and page URL (standard browser request)

Each provider processes data in accordance with their own privacy policies. We maintain agreements with these providers to ensure your data is handled securely and only for the purposes described above.

5. Cookies and Tracking

We use the following types of cookies:

Essential cookies: required to keep you logged in and maintain your session. These cannot be disabled without breaking core functionality.

We do not use any analytics cookies or third-party tracking cookies. You can configure your browser to refuse all cookies, though some features of the Service may not function properly without essential cookies.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you or your company administrator removes a team member, we delete that person's profile data and card content. Full account closure (deletion of all company data) is handled upon request — contact us at info@huddlecard.com. In all cases, we may retain billing records for the period required by applicable tax and accounting regulations.

Card content (messages and media) is retained for the lifetime of the card unless deleted by the card creator or a group administrator.

7. Data Security

We implement industry-standard security measures to protect your information, including:

Encrypted connections (HTTPS/TLS) for all data in transit.
Secure password hashing (bcrypt).
Role-based access controls.
Regular security updates and dependency monitoring.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we take reasonable and appropriate steps to protect the personal information we process.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and, where required, the relevant supervisory authorities, within the timeframes mandated by applicable law (72 hours under GDPR). Notification will include a description of the breach, the types of data affected, and the steps we are taking in response.

8. Your Rights

All users

You may at any time:

Access and update your personal information through your account settings.
Request a copy of your personal data by contacting us. We will provide it in a reasonable timeframe.
Request deletion of your personal data or closure of your account by contacting us.

GDPR rights (EEA and UK residents)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR) and the UK GDPR, including:

Right of access: request a copy of the personal data we hold about you.
Right to rectification: request correction of inaccurate data.
Right to erasure: request deletion of your data ("right to be forgotten").
Right to data portability: request your data in a structured, machine-readable format.
Right to restrict processing: request that we limit how we use your data.
Right to object: object to processing based on legitimate interests.

Our legal bases for processing your data are: (a) performance of our contract with you (providing the Service), (b) your consent (where applicable), and (c) our legitimate interests (service improvement, security, and error monitoring).

To exercise any of these rights, contact us at info@huddlecard.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

CCPA rights (California residents)

If you are a California resident, under the California Consumer Privacy Act (CCPA) you have the right to:

Know what personal information we collect and how it is used.
Request deletion of your personal information.
Opt out of the sale of personal information. (We do not sell personal information.)
Not be discriminated against for exercising your privacy rights.

To make a request, contact us at info@huddlecard.com.

9. Data Processing Agreements

If your organization requires a Data Processing Agreement (DPA) to comply with GDPR or other data protection regulations, we are happy to provide one. Please contact us at info@huddlecard.com to request a DPA.

10. Children's Privacy

The Service is designed for use by businesses and organizations and is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will promptly delete it. If you believe a child has provided us with personal information, please contact us.

11. International Data Transfers

HuddleCard is based in the United States. If you are accessing the Service from outside the United States, your information will be transferred to and processed in the United States, where our servers and service providers are located.

For transfers of personal data from the EEA or UK to the United States, we rely on the EU-U.S. Data Privacy Framework where applicable, or Standard Contractual Clauses (SCCs) approved by the European Commission, to provide appropriate safeguards for your data. You may request a copy of the relevant transfer mechanisms by contacting us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a security concern, contact us at:

info@huddlecard.com