Privacy Policy
Effective date: 22 February 2026
Last updated: 22 February 2026
Who we are
Message Deck ("we", "us", "our") is an online service that lets people create and share digital message decks. We are the data controller for the personal data described in this policy.
If you have questions about this policy or your data, contact us at: hello@messagedeck.co
What data we collect and why
Account data
When you create an account we collect your email address and a hashed password (we never store your password in plain text). We use this data to identify you, let you sign in, and send you transactional emails such as password resets and deck delivery confirmations.
Lawful basis: Performance of a contract (providing the service you signed up for).
Deck content
When you create a deck you provide a recipient name, an occasion type, and optionally a title and personal message. When contributors add cards to your deck they provide a first name, last name, email address, and a message. Decks may also contain images and audio recordings uploaded by you or contributors.
We use this data solely to operate the deck, render it for the recipient, and send the delivery email you request.
Lawful basis: Performance of a contract (delivering the deck you created).
Contributor details
Contributors to a deck are not required to have an account. We collect their name and email address as part of the card they submit. These details are visible to the deck creator.
Lawful basis: Legitimate interest (enabling the deck creator to receive contributions they invited).
IP addresses (rate limiting)
We temporarily process IP addresses to enforce rate limits on public-facing endpoints. IP addresses are not stored persistently and are not used for tracking or profiling.
Lawful basis: Legitimate interest (protecting the service from abuse).
Payment information
We do not store your payment card details. Payments are processed by our payment processor. We receive a record that a payment was completed, including the amount and transaction reference, and we update your account accordingly.
Lawful basis: Performance of a contract (processing payment for the service extension you purchased).
Data processors
We use third-party services to operate Message Deck. Each processor handles your data only as instructed by us and under data processing agreements that meet GDPR requirements:
- Database hosting and authentication: your account data and deck content are stored in a database hosted in the EU (eu-west-2 region).
- File storage: images and audio recordings uploaded to decks are stored by a file storage service in the EU.
- Email delivery: transactional emails (delivery confirmations, password resets) are sent via an email delivery service.
- Payment processing: one-time payments are processed by a PCI DSS-compliant payment processor.
- Hosting: the application is hosted on a cloud platform. Application logs may temporarily contain request metadata.
No vendor names are listed here intentionally; this allows us to change providers without a policy update, provided equivalent protections remain in place. If you require details of our specific processors, contact us.
Data retention
| Data | Retention period |
|------|-----------------|
| Account (email, hashed password) | Held while your account is active. Deleted within 30 days of account deletion. |
| Deck content and contributor cards | Deleted when you delete the deck or your account. |
| Uploaded media (images, audio) | Deleted when the associated card or deck is deleted. |
| Payment records | Retained for 7 years to meet legal financial obligations. |
| IP addresses (rate limiting) | Not stored persistently; processed in-memory only. |
Your rights under UK GDPR / GDPR
You have the right to:
- Access: request a copy of your personal data.
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your data (the "right to be forgotten"), subject to legal obligations.
- Restriction: ask us to limit how we use your data while a dispute is resolved.
- Portability: receive your data in a machine-readable format.
- Object: object to processing based on legitimate interest.
To exercise any of these rights, email us at hello@messagedeck.co. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In the UK this is the Information Commissioner's Office (ICO) at ico.org.uk. In Ireland it is the Data Protection Commission at dataprotection.ie.
Cookies
We use session cookies only, set by our authentication system to keep you signed in. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.
You can clear cookies at any time via your browser settings, which will sign you out.
International transfers
Personal data is stored and processed within the European Economic Area (EEA). We do not transfer personal data outside the EEA.
Children
Message Deck is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
We may update this policy when our data practices change. The Last updated date at the top of this page will reflect any changes. For material changes we will provide prominent notice on the site or by email.
Contact
hello@messagedeck.co