Privacy Policy

1. Introduction

This privacy policy explains how Escargot, Inc. (“we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our websites, mobile applications, and services (collectively, the “Services”). We respect your privacy and are committed to protecting your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).

By using our Services, you acknowledge that you have read and understood this privacy policy. If you do not agree with the practices described here, please do not use our Services.

2. Important Information and Who We Are

Escargot is the data controller responsible for your personal data. Our Services allow you to send physical greeting cards from your phone. Our principal place of business is 210 5th Ave, Suite 301, New York, NY 10010.

It is important that you read this privacy policy together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you.

Our Services are not intended for children under the age of 13, and we do not knowingly collect data relating to children. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

3. The Data We Collect About You

Personal data means any information about an individual from which that person can be identified. We collect, use, store, and transfer different kinds of personal data about you, which we have grouped together as follows:

• Identity Data: first name, last name, username, or similar identifier.
• Contact Data: email address, phone number, and mailing addresses (including recipient addresses for card delivery).
• Financial Data: payment card details and billing address. Note: payment processing is handled by Stripe, Inc. We do not store your full payment card numbers on our servers.
• Transaction Data: details about payments, orders, cards sent, and other transactions you carry out through our Services.
• Technical Data: internet protocol (IP) address, browser type and version, device type and model, operating system and version, time zone setting and location, mobile network information, and other technology identifiers on the devices you use to access our Services.
• Device and Advertising Identifiers: your device's Identifier for Advertisers (IDFA) on iOS, Google Advertising ID (GAID) on Android, and other unique device identifiers used for analytics and advertising attribution.
• Profile Data: your username and password, your preferences, feedback, and survey responses.
• Usage Data: information about how you use our Services, including app opens, features used, pages visited, and in-app events and actions.
• Marketing and Communications Data: your preferences for receiving marketing from us and our third parties, your communication preferences, and SMS consent and opt-out preferences.

We also collect, use, and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

4. How We Collect Your Personal Data

We use different methods to collect data from and about you, including:

• Direct interactions: you provide data when you create an account, place an order, subscribe to our services, enter information into our app, provide feedback, or contact us.
• Automated technologies or interactions: as you use our Services, we automatically collect Technical Data, Device and Advertising Identifiers, and Usage Data through our mobile app, cookies, server logs, and similar technologies. This includes data collected through third-party software development kits (SDKs) integrated into our app, as described in Section 5 below.
• Third parties or publicly available sources: we may receive personal data about you from analytics providers, advertising networks, and search information providers.

5. Third-Party SDKs, Analytics, and Advertising Technology

Our mobile application integrates third-party software development kits (SDKs) and services to help us measure the effectiveness of our advertising campaigns, understand how users interact with our app, and optimize our marketing spend. These third-party services may collect data from your device as described below.

5.1 AppsFlyer (Mobile Attribution and Analytics)

We use AppsFlyer, a mobile attribution and analytics platform, to measure the performance of our advertising campaigns and understand how users find and use our app. The AppsFlyer SDK integrated into our app may collect the following types of data:

• Technical information: device type and model, operating system version, language, screen resolution, network status, and time zone.
• Technical identifiers: IP address, IDFA (on iOS), GAID (on Android), IDFV, and other device identifiers.
• Attribution data: information about which advertisement or campaign led you to install or use our app, including campaign names, ad IDs, and click/impression timestamps.
• In-app event data: information about actions you take within our app, such as purchases, sign-ups, and other key events we have configured for measurement purposes.

AppsFlyer processes this data on our behalf to provide us with attribution analytics, marketing measurement, and fraud detection services. AppsFlyer does not sell end-user personal data to third parties. For more information, please review AppsFlyer's Services Privacy Policy at appsflyer.com/legal/services-privacy-policy.

5.2 Meta (Facebook) Ads

We run advertising campaigns on Meta platforms (including Facebook and Instagram) to promote our Services. To measure the effectiveness of these campaigns and optimize ad delivery, we share certain data with Meta Platforms, Inc. through our integration with AppsFlyer. This includes:

• Installation and attribution data: information about whether you installed our app after viewing or clicking a Meta ad.
• In-app event data: information about actions you take in our app after engaging with a Meta ad (for example, completing a purchase), which helps Meta optimize ad delivery.
• Device identifiers: IDFA (where you have provided consent through Apple's App Tracking Transparency prompt) and other identifiers used for ad measurement.

Meta uses this data to provide us with advertising analytics and to optimize ad delivery. Meta's use of this data is governed by Meta's Data Policy. For more information, please review Meta's Privacy Policy at facebook.com/privacy/policy.

5.3 Apple SKAdNetwork (SKAN)

On iOS, we participate in Apple's SKAdNetwork (SKAN) framework, a privacy-preserving system for measuring the effectiveness of advertising campaigns without revealing individual user data to advertisers. Through SKAN:

• Conversion values: our app may send aggregated, non-personally-identifiable conversion data to Apple and participating ad networks. This data indicates general categories of post-install activity (such as whether a purchase occurred) without identifying you personally.
• No personal data shared: SKAN postbacks do not contain personal identifiers. Apple processes this data in a way that limits the ability to track individual users across apps.

We use AppsFlyer's SDK to manage SKAN conversion value updates on our behalf. The conversion value schema is shared with participating ad networks (including Meta) to enable campaign optimization.

5.4 Apple App Tracking Transparency (ATT)

On iOS 14.5 and later, Apple requires apps to request your permission before tracking your activity across other companies' apps and websites. When you first use our app, you will see Apple's App Tracking Transparency prompt asking for your consent.

• If you allow tracking: we may collect your IDFA and share it with our advertising partners (including Meta and AppsFlyer) for the purposes of advertising measurement, attribution, and campaign optimization.
• If you deny tracking: we will not collect your IDFA, and advertising measurement will rely on privacy-preserving methods such as SKAdNetwork and aggregated data. Core app functionality is not affected by your choice.

You can change your tracking preference at any time in your device's Settings > Privacy & Security > Tracking.

5.5 Advanced Data Sharing (Meta)

We may enable Meta's Advanced Data Sharing feature within AppsFlyer to improve advertising measurement for iOS devices that have not made their Advertising ID (IDFA) available. When enabled, Meta may receive event postbacks with limited device-level identifiers for attribution purposes, subject to a maximum 24-hour attribution window. You can limit this data sharing by declining the App Tracking Transparency prompt on iOS.

6. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• To perform our contract with you: to process and deliver your card orders, manage your account, and handle payments.
• For our legitimate interests: to improve our Services, measure advertising effectiveness, prevent fraud, and grow our business, where your interests and fundamental rights do not override those interests.
• To comply with legal obligations: to meet our legal and regulatory requirements.
• With your consent: where we rely on your consent to process personal data (such as for tracking via Apple's ATT prompt or sending marketing communications), you have the right to withdraw consent at any time.

7. SMS Communications

If you provide your mobile phone number and consent to receive SMS messages from Escargot, we collect and use this information as follows:

Data we collect: your mobile phone number and your consent to receive SMS communications. We may also collect records of SMS messages sent to you and your responses or opt-out requests.

How we use this data: we use your phone number and consent to send you transactional messages related to your orders (such as delivery confirmations and recipient notifications), customer support communications, and, where you have opted in, promotional messages about our Services.

Who we share this data with: we share your phone number with our SMS service provider solely for the purpose of delivering messages to you. We do not sell your phone number or SMS consent data to third parties, and we do not share it for third-party marketing purposes.

Opting out: you may opt out of SMS messages at any time by replying STOP to any message or by contacting us at [email protected]. Opting out of promotional SMS will not affect transactional messages related to your orders.

8. Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. You can opt out of receiving marketing communications from us at any time by following the unsubscribe links on any marketing message sent to you or by contacting us.

9. Disclosures of Your Personal Data

We may share your personal data with the following categories of recipients for the purposes set out in this policy:

• Service providers: companies that provide services on our behalf, including payment processing (Stripe), card printing and fulfillment, SMS delivery, email delivery, cloud hosting, and customer support tools.
• Analytics and attribution providers: AppsFlyer for mobile analytics and attribution, as described in Section 5.
• Advertising partners: Meta Platforms (Facebook/Instagram) and other advertising networks for campaign measurement and optimization, as described in Section 5. Data shared with advertising partners is limited to what is necessary for ad measurement and is subject to those partners' own privacy policies.
• Professional advisors: lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
• Regulatory authorities: government agencies, regulators, and other authorities where required by law.
• Business transfers: third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not sell your personal data to any third party.

10. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. All data transmitted through our app and third-party SDKs is encrypted in transit. We also limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know.

11. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Attribution and analytics data collected through AppsFlyer is retained in accordance with AppsFlyer's data retention policies and our configuration settings within the AppsFlyer platform.

12. Your Legal Rights

Depending on your location, you may have the following rights under applicable data protection laws:

• Right of access: you can request a copy of the personal data we hold about you.
• Right to rectification: you can request that we correct inaccurate personal data.
• Right to erasure: you can request that we delete your personal data in certain circumstances.
• Right to restrict processing: you can request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability: you can request a copy of your personal data in a structured, commonly used, machine-readable format.
• Right to object: you can object to our processing of your personal data in certain circumstances, including processing for direct marketing purposes.
• Right to withdraw consent: where we rely on your consent to process personal data, you can withdraw consent at any time.

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA and CPRA, including the right to know what personal information we have collected, the right to delete your personal information, the right to opt out of the sale or sharing of personal information, and the right to non-discrimination for exercising your privacy rights. We do not sell your personal information as defined by the CCPA. To exercise your rights, please contact us using the details in Section 15.

Meta Ads Data and CCPA

We comply with the California Consumer Privacy Act with respect to data shared with Meta for advertising purposes. We limit Meta's use of personal information from California-based users in accordance with CCPA requirements through the compliance controls available in our AppsFlyer integration.

To exercise any of these rights, please contact us using the details provided in Section 15. We will respond to your request within the timeframe required by applicable law.

13. International Data Transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country. Our service providers, including AppsFlyer (headquartered in Israel), Stripe, and Meta, may process data in various jurisdictions. Where we transfer your personal data outside your jurisdiction, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by relevant authorities.

14. Third-Party Links

Our Services may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website or app, we encourage you to read the privacy policy of every website you visit.

15. Contact Details

If you have any questions about this privacy policy, our privacy practices, or wish to exercise your data protection rights, please contact us at:

Email: [email protected]

Postal address: Escargot, Inc., 210 5th Ave, Suite 301, New York, NY 10010

You have the right to make a complaint at any time to the relevant data protection supervisory authority in your jurisdiction. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.

16. Changes to This Privacy Policy

We keep our privacy policy under regular review. This version was last updated on the date shown at the top of this document. We may update this policy from time to time. If we make material changes, we will notify you through the Services or by other means. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.