Your data, handled with care

Merchants: account email, password hash, business profile fields you enter (name, address, phone, logo, hours, social links), the cards and content you create, billing metadata when you subscribe to a paid plan, and operational logs (sign-ins, sends, errors).

Card visitors: optional contact details you submit through a merchant's card (name, email, phone, message, booking time), and basic analytics events (page views, link taps, device type, approximate region) tied to the card you viewed.

Automatic: IP address, user-agent, and cookies or local-storage entries required to keep you signed in and remember your language preference.

We use the data above to operate the service: authenticate users, render merchant cards, deliver booking and complaint notifications, send transactional emails and SMS reminders, show merchants their own analytics, fight abuse, and improve the product.

We do not sell personal information. We do not use card-visitor messages or contact details for advertising.

Where GDPR applies, we rely on: contract (to provide the service you signed up for), legitimate interests (to secure the platform and improve features), consent (for optional cookies and marketing messages where required), and legal obligation (to keep billing and abuse records).

We share data only with vetted infrastructure providers that process it on our behalf: managed hosting and database, authentication, email delivery, SMS delivery, payment processing, and analytics. Each provider is bound by its own data-processing terms.

We may disclose information when required by law, to protect our rights, or in connection with a merger or acquisition (in which case affected users will be notified).

We use strictly necessary cookies and local-storage entries for sign-in sessions, CSRF protection, and language preference. We do not use third-party advertising cookies. You can clear these at any time from your browser settings; doing so will sign you out.

Our infrastructure providers operate global networks and may store or process data in jurisdictions outside your country of residence. Where required, transfers rely on standard contractual clauses or equivalent safeguards offered by the provider.

We retain account data while your account is active. When you delete a card, its public content and analytics are removed from public surfaces. When you delete your account, we remove personal data within 30 days, except where we are required to keep limited records for billing, fraud prevention, or legal compliance.

Depending on your jurisdiction, you may have the right to access, correct, export, restrict, or delete your personal data, and to object to certain processing. Merchants can edit or delete most data directly from the dashboard. For other requests, email us at the address below — we will verify your identity before acting.

thank-you.today is intended for businesses and adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If you believe a child has provided data, contact us and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be announced in the merchant dashboard or by email. The "Last updated" date above always reflects the current version.

Privacy questions, data requests, or complaints can be sent to hello@thank-you.today. We aim to respond within 30 days.