Privacy Policy
Last updated: February 2025
1. Introduction
At That Lovely Box, operated by Maradin, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our digital gift box service.
This policy applies to all users of the That Lovely Box platform, including those who create accounts, send gift boxes, and recipients who receive gift boxes.
Data Controller:
Maradin
Stationsweg 18, 3764CJ Soest
The Netherlands
VAT: NL170003966B03
Email: privacy@thatlovelybox.com
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Name, email address, password (encrypted) | Account creation, authentication, communication |
| Box Content | Messages, photos, videos, documents you upload | Delivering your gift box to recipients |
| Recipient Information | Email addresses of people you send boxes to | Delivering gift boxes and notifications |
| Payment Information | Transaction data (card details processed by Lemon Squeezy) | Processing purchases |
| Communication | Messages you send to our support team | Customer service and support |
2.2 Information Collected Automatically
| Category | Data Collected | Purpose |
|---|---|---|
| Usage Data | Pages visited, features used, time spent | Service improvement, analytics |
| Device Information | Browser type, operating system, device type | Ensuring compatibility, security |
| Log Data | IP address, access times, error logs | Security, troubleshooting |
| Cookies | Session data, preferences | Authentication, functionality |
For detailed information about cookies, please see our Cookie Policy.
2.3 Information About Recipients
When you send a gift box, we collect the recipient's email address. Recipients do not need to create an account to view their gift box. We only use recipient email addresses to deliver the gift box notification and related communications.
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Article 6(1)(b) GDPR) | |
| Legitimate Interests (Article 6(1)(f) GDPR) | |
| Consent (Article 6(1)(a) GDPR) | |
| Legal Obligation (Article 6(1)(c) GDPR) | |
4. How We Use Your Information
4.1 Primary Purposes
- Service Delivery: Creating accounts, processing payments, delivering gift boxes
- Communication: Sending transactional emails, notifications, and support responses
- Security: Protecting against unauthorized access, fraud, and abuse
4.2 Secondary Purposes
- Service Improvement: Analyzing usage patterns to enhance user experience
- Marketing: Sending promotional content (only with your consent)
- Legal Compliance: Meeting our legal and regulatory obligations
4.3 What We Don't Do
- We do not sell your personal information to third parties
- We do not use your content for advertising purposes
- We do not share recipient email addresses with marketers
- We do not create advertising profiles based on your gift box content
5. Information Sharing and Disclosure
We may share your information with the following categories of recipients:
5.1 Service Providers
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account data, content, files | EU (Frankfurt) |
| Vercel | Website hosting | Usage data, logs | Global (EU data centers available) |
| Brevo | Email delivery | Email addresses, names | EU (France) |
| Lemon Squeezy | Payment processing | Payment and billing data | USA (with EU safeguards) |
5.2 Recipients of Gift Boxes
When you send a gift box, the recipient will receive access to the content you created. Depending on your settings, recipients may see your name or the box may be sent anonymously.
5.3 Legal Requirements
We may disclose your information when required to:
- Comply with applicable laws or legal processes
- Respond to lawful requests from public authorities
- Protect our rights, privacy, safety, or property
- Enforce our Terms of Service
5.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.
6. International Data Transfers
While we primarily process data within the European Economic Area (EEA), some of our service providers are located outside the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Transfers to countries with adequate data protection
- Standard Contractual Clauses: EU-approved contractual safeguards
- Data Processing Agreements: Binding contracts with all processors
You can request more information about specific safeguards by contacting us at privacy@thatlovelybox.com.
7. Data Retention
We retain your information only as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion | Service provision |
| Gift Box Content | 30 days after recipient opens | Allow recipient access and downloads |
| Unopened Boxes | 90 days after scheduled delivery | Allow late access by recipients |
| Draft Boxes | 30 days of inactivity | User convenience |
| Deleted Content | 7 days | Recovery window, then permanent deletion |
| Payment Records | 7 years | Legal and tax requirements |
| Support Communications | 2 years | Service quality and dispute resolution |
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
8.1 Technical Measures
- Encryption in Transit: All data transmitted via HTTPS/TLS
- Encryption at Rest: Sensitive data encrypted in our databases
- Secure Authentication: Password hashing, session management
- Access Controls: Role-based access to systems and data
8.2 Organizational Measures
- Limited employee access to personal data
- Data processing agreements with all service providers
- Regular security reviews and updates
- Incident response procedures
8.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of Access | Request a copy of your personal data and information about how it's processed |
| Right to Rectification | Request correction of inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of your personal data ("right to be forgotten") |
| Right to Restrict Processing | Request limitation of processing in certain circumstances |
| Right to Data Portability | Receive your data in a structured, machine-readable format |
| Right to Object | Object to processing based on legitimate interests or for direct marketing |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent |
| Right to Lodge a Complaint | File a complaint with a supervisory authority |
9.1 How to Exercise Your Rights
To exercise any of these rights, you can:
- Use the account settings to update or delete your information
- Email us at privacy@thatlovelybox.com
We will respond to your request within 30 days. We may need to verify your identity before processing your request.
9.2 Supervisory Authority
If you are in the Netherlands, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
The Netherlands
Website: autoriteitpersoonsgegevens.nl
10. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@thatlovelybox.com, and we will take steps to delete such information.
11. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Our systems may use automated processing for fraud detection and security purposes, but these do not result in automated decisions about your access to the Service.
12. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes:
- We will update the "Last updated" date at the top of this policy
- For material changes, we will notify you via email or a prominent notice on our Service
- We will obtain your consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.