Privacy Policy

PRIVACY POLICY

HollyCo Labs LLC
Last Updated: February 23, 2026

HollyCo Labs LLC (“HollyCo,” “we,” “us,” or “our”) is a New York limited liability company located in New York, New York. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website and mobile applications (the “Service”).

By using the Service, you agree to this Privacy Policy.

Scope and Role

HollyCo acts as a data controller with respect to personal information collected through account registration, subscriptions, analytics, and support communications.

HollyCo acts as a data processor with respect to contact information and card images uploaded by users.

Information We Collect

Account Information

• Email address
• Authentication information via Google or Apple

User-Uploaded Content

• Photographs of holiday or greeting cards
• Names
• Mailing addresses
• Phone numbers
• Email addresses of third parties
• Notes or freeform text entered by users

We access uploaded content only:

• For debugging purposes
• With user consent

Payment Information

Payments are processed by:

• Apple (in-app purchases)
• Stripe (web checkout)

We do not store full payment card information.

Communications

• Transactional emails
• Optional marketing emails
• Support emails or support transcripts
• Push notifications

Users may opt out of marketing communications at any time.

Technical Information

• Crash logs
• Usage analytics (via Google Analytics)

We do not collect:

• IP addresses directly
• Device identifiers
• Precise or inferred location data

Cookies and Tracking Technologies

We use:

• Essential cookies necessary for Service functionality
• Analytics cookies through Google Analytics

We do not use:

• Advertising cookies
• Marketing pixels
• Cross-context behavioral tracking

Users may control cookies through browser settings where applicable.

How We Use Personal Information

We use personal information to:

• Provide and operate the Service
• Process subscriptions
• Store and organize uploaded content
• Perform OCR processing
• Send transactional communications
• Send marketing communications (if opted in)
• Improve Service functionality
• Diagnose technical issues
• Comply with legal obligations

We do not sell personal data.

We do not share personal data for cross-context behavioral advertising.

Legal Bases for Processing (GDPR)

For users located in the European Economic Area (EEA), United Kingdom, or similar jurisdictions, we process personal data under the following legal bases:

• Performance of a contract (providing the Service)
• Legitimate interests (security, fraud prevention, system improvement)
• Consent (analytics cookies, marketing communications)

You may withdraw consent at any time where processing is based on consent.

International Data Transfers

All data is stored in the United States using Supabase infrastructure and other U.S.-based service providers.

By using the Service, users located outside the United States consent to the transfer of personal data to the United States.

Data Retention

We retain:

• Account and uploaded content while the account is active
• Data for thirty (30) days after subscription cancellation unless the user requests deletion
• Backup copies for up to thirty (30) days after deletion
• System logs and crash logs for up to one (1) year

After applicable retention periods, data is deleted or anonymized.

Data Sharing

We share personal data only with:

• Supabase (cloud hosting provider)
• Google Analytics (analytics provider)
• Email service providers
• Payment processors (Apple, Stripe)
• Customer support tools (if implemented)
• Legal authorities where required

All service providers process data pursuant to contractual obligations.

We do not sell personal data.

Your Rights

GDPR Rights (EEA / UK Users)

You have the right to:

• Access your personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability

You may lodge a complaint with your local supervisory authority.

Requests may be submitted to: privacy@holly.company

California Privacy Rights (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect
• Request deletion
• Request correction
• Opt out of sale (we do not sell personal data)
• Non-discrimination for exercising rights

Requests may be submitted to: privacy@holly.company

We do not sell or share personal data as defined under California law.

Children's Privacy

The Service is not intended for individuals under 18.

Users may upload children's names as part of contact information, but the Service is not designed to collect information directly from children.

We do not knowingly collect personal information from minors.

Security

We implement reasonable administrative and technical safeguards, including:

• Encryption in transit
• Encryption at rest

We do not currently conduct:

• SOC 2 certification
• Regular penetration testing
• Formal administrative access logging

No method of transmission or storage is completely secure.

Automated Processing

OCR functionality extracts text from uploaded images.

OCR does not produce automated legal or financial decisions.

Marketing Communications

Users may opt out of marketing communications at any time via:

• Email unsubscribe link
• Account settings

Opting out of marketing does not affect transactional communications.

Changes to This Policy

We may update this Privacy Policy periodically. Continued use of the Service constitutes acceptance of changes.

Contact Information

HollyCo Labs LLC
New York, New York
Email: privacy@holly.company