Privacy Policy — FeelFlow

Privacy Policy

Protecting your personal data is a priority for FeelFlow. This Privacy Policy explains what data is collected, why it is processed, and your rights under the General Data Protection Regulation (GDPR – EU 2016/679).

1. Data Controller

The data controller is the publisher of FeelFlow. For any questions relating to your personal data, you may contact us via the contact form available in your profile or the administration area.

2. Data We Collect

Depending on how you use the service, FeelFlow may process the following categories of data:

  • Account data: username, email address, password (hashed, not readable), first name, last name (optional), country, preferred language, personal settings.
  • Grade and subscription data: active grade (standard, medium, premium, special), grade change history, any temporary grade and its expiry date, previous grade in the event of automatic downgrade.
  • Card-related data: event name, recipient, target date, theme, shape, text content, media (images, multi-image sliders up to 5 photos, audio, video), guestbook configuration (opening/closing dates, status, title, style), privacy settings (public/private), hashed private access key, display preferences.
  • Guestbook data: text messages, video and audio files posted by visitors, author name, submission date, moderation status, likes, nested replies.
  • Token and transaction data: token balance, transaction history (purchases, credits, spends, refunds, expirations), unlocked actions and their source (purchase, admin, promo code), option and token pack expiry dates.
  • Payment data: token pack purchased, amount, currency, transaction status (pending, completed, failed, refunded), Stripe session identifier. No banking data (card number, CVV) is stored on FeelFlow servers.
  • Promotional and referral data: entered promotional code, referral code or link used, reward status, unlocked benefits, information needed for tracking and abuse prevention.
  • Notification data: system notifications sent and received (upcoming expiry, extension confirmation/rejection, token credits, admin messages), read status.
  • Session and login data: session identifier, IP address, last login date and time, password reset information (temporary hashed token, expiry date).
  • Technical data: technical logs (errors, security), strictly necessary cookies for operation (PHP session).

3. Purposes & Legal Bases

Data is processed for the following purposes:

  • Providing the service (creating, editing, saving and sharing cards and guestbooks) — contract performance;
  • Managing grades and features available by account level — contract performance;
  • Processing token purchases and payments via Stripe — contract performance;
  • Managing the token wallet, unlocked options and their expiries — contract performance;
  • Generating guestbook PDF documents on request — contract performance;
  • Sending system notifications (expiries, confirmations, credits, admin messages) — contract performance / legitimate interest;
  • Managing promotional codes, referrals and associated benefits — contract performance / legitimate interest;
  • Securing the platform (abuse prevention, technical traceability, moderation) — legitimate interest;
  • Providing user support — legitimate interest.

4. Sharing & Hosting

FeelFlow does not sell or rent your personal data to third parties. Some data may be transmitted to the following providers, solely for the operation of the service:

  • Hosting provider (server infrastructure) — data storage on secure servers;
  • Email delivery service — for email notifications;
  • Stripe (PCI-DSS Level 1 certified payment provider) — for processing token purchases. Stripe receives data necessary for the transaction (amount, currency, session identifier). Stripe has its own privacy policy available at stripe.com.

All providers are bound by contractual confidentiality obligations and may only use data for the purposes for which it is transmitted.

5. Public vs Private Cards

Public cards are accessible to anyone with the link. Private cards require an access key defined by the creator. The key is not stored in plain text on our servers. You are responsible for sharing the link and, if applicable, the key.

6. Retention

Data is kept for the following durations:

  • Account data: for the duration of account activity, then deleted on request or per the closure policy.
  • Card and guestbook data: for the lifetime of the card (based on grade + any extensions), then automatically archived or deleted per settings in force.
  • Token transactions and history: retained for the duration of account activity for traceability purposes, and up to 5 years after the last transaction for legal/accounting purposes.
  • Saved guestbook PDFs: retained until manually deleted or account closure.
  • Technical and session logs: retained for a limited period (generally 30–90 days) for security and debugging purposes.
  • Stripe payment data: managed and retained by Stripe under its own retention policies, in compliance with applicable legal obligations.

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: obtain a copy of data held about you;
  • Right of rectification: correct inaccurate or incomplete data;
  • Right to erasure: request deletion of your data, subject to legal retention obligations;
  • Right to object: object to certain processing based on legitimate interest;
  • Right to portability: receive your data in a structured format;
  • Right to restriction: request processing restriction in certain cases.

You may exercise these rights via your account features (deletion, profile editing) or by contacting us directly. If you are unsatisfied with the response, you have the right to lodge a complaint with your national data protection authority (e.g. ICO in the UK, CNIL in France, APD in Belgium).

8. Cookies

FeelFlow uses only strictly necessary technical cookies for the operation of the service (e.g. PHP session cookie, language preference). No advertising, profiling or third-party tracking cookies are placed without your explicit consent.

9. User Content & AI

Content you create, upload or generate (including with AI assistance if available), as well as content posted by visitors in your guestbook (text, audio, video, replies), remains your responsibility as the card creator. FeelFlow does not pre-moderate content and may act upon abuse reports.

10. Security

FeelFlow implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure: password hashing (bcrypt), secure communications (HTTPS), hashed private access keys, restricted access to sensitive data. No security measure is absolute, and we encourage you to use a strong password and keep it confidential.

11. Policy Updates

This policy may be updated to reflect service developments or legal requirements. The version published on the site is the one in force. We encourage you to consult it regularly.

Last updated: 25 March 2026