Privacy Policy
Postli Privacy Policy
Effective date: April 20, 2026
This Privacy Policy explains how Andrea Vaiuso ("we," "us," or "our") processes personal data in connection with the Postli iOS application and the backend APIs that support it. This policy is written to support transparency under the EU General Data Protection Regulation ("GDPR") and the revised Swiss Federal Act on Data Protection ("nFADP").
1. Data Controller Identification
Controller:
Andrea Vaiuso
St. Gallerstrasse 73
8400 Winterthur
Switzerland
Telephone: +41 079 238 41 08
E-mail: vaiu-app-assistance@outlook.com
We have not appointed a separate EU representative under Article 27 GDPR for this policy version.
We have not appointed a separate Data Protection Officer for this policy version.
2. Scope of This Policy
This Privacy Policy covers:
- the Postli iOS app;
- the backend APIs used by that app, including authentication, profile, contacts, postcards, cards, grammar, subscriptions, explore, assets, legal endpoints, and authenticated public-profile APIs;
- personal data relating to app end users; and
- personal data relating to featured artists whose data appears in app-facing artist, artwork, and story features.
3. Categories of Personal Data We Process
We process the following categories of personal data in the current implementation.
A. Identification and profile data for end users
- Sign in with Apple identifier (`apple_subject`);
- first name and last name;
- e-mail address if shared during Sign in with Apple or later added by the user;
- username;
- profile picture or avatar storage key;
- preferred language and languages to learn;
- canton and residence country;
- date of birth;
- EULA acceptance timestamp;
- subscription tier and entitlement override status;
- achievement and profile display data such as collected stamps, objective codes, and virtual currency;
- account status information such as whether the account has been marked as removed.
B. Authentication and security data for end users
- access tokens created by our backend;
- hashed refresh tokens stored server-side;
- refresh-token expiry timestamps, revocation state, and issuance timestamps;
- APNs device tokens and APNs environment (development or production);
- IP-based actor identifiers used for selected authentication and abuse-prevention rate limits, especially sign-in, token refresh, and logout protection;
- request and error metadata processed through our hosting and security providers as part of service operation, debugging, observability, and abuse prevention.
C. Usage and interaction data for end users
- contact relationships between users;
- postcard sending, receipt, read state, delivery timing, rerouting, expiry, and moderation state;
- likes on artworks;
- objective and game statistics, such as postcard counts, flashcard creation counts, keyboard/audio game counts, and perfect game counts;
- rate-limit events keyed to a user or IP-based actor identifier for security and plan enforcement;
- user-report activity, including whether you have reported another user or have been reported by another user, the timestamp of the report, and any reason text you provide.
D. User-generated content
- postcard front images;
- postcard back text;
- imported and exported `.postcard` files and locally stored postcard copies on the device;
- report reasons and content snapshots when a postcard is reported (including the front image, back text, font, language, and canton at the time of the report);
- report reasons and related identifiers when a user is reported to moderation;
- grammar-check input text and corrected output;
- requested vocabulary words, grammar topics, and generated learning content returned by the service;
- profile information and public-profile data intentionally shared with other authenticated users through the app.
E. Location-related data
- on-device location may be requested to suggest a postcard origin region;
- the backend stores only the selected or resolved postcard origin region or canton;
- the current backend implementation does not intentionally store raw GPS coordinates from end users.
F. Subscription and payment-related data
- App Store subscription transaction data needed to validate entitlements, including product identifier, original transaction identifier, latest transaction identifier, app account token, subscription status, environment, expiry timestamp, and signed App Store payloads;
- webhook and notification processing metadata related to App Store subscription events.
We do not currently process end-user credit card numbers, bank account details, or other direct payment instrument data in the in-scope implementation. Paid subscriptions are handled through Apple's App Store billing environment.
G. Artist data
- first name and last name;
- birthdate;
- e-mail address;
- website URL;
- biography text;
- profile picture URL;
- canton;
- slug and publication identifiers;
- story content, cover image URLs, artwork metadata, preview URLs, download counts, like counts, and related publication status information.
4. Sources of Personal Data
We receive personal data:
- directly from end users through account creation, onboarding, profile editing, postcard creation, contact management, likes, reports, card and grammar requests, subscription sync, and support/privacy requests;
- from Apple when users use Sign in with Apple, App Store subscriptions, device permissions, and APNs-related services;
- from device-level app interactions and local permissions, such as camera, photo library, microphone, speech recognition, notifications, file import/export, and location-assisted postcard origin selection;
- from other users when they send postcards, create contacts, like content, or report content;
- from artists or their authorized representatives, or through our curation/publication process, for featured artist and artwork content;
- from Cloudflare-hosted service operations and observability as part of running the backend APIs and storage infrastructure.
5. Purposes of Processing
We process personal data for the following purposes:
A. Service provision and account management
- create and maintain user accounts;
- sign users in with Apple;
- complete onboarding;
- personalize profile, language, and residence settings;
- show authenticated user profiles and certain profile details to other authenticated users where the app is designed to do so.
B. Core app functionality
- manage contacts;
- create, send, route, store, sync, download, import, export, delete, and display postcards;
- provide flashcard, grammar lesson, grammar check, and game-related features;
- track achievements, stamps, and progress;
- provide explore, artist, artwork, story, and likes features in the app-facing experience.
C. Authentication, security, moderation, and abuse prevention
- verify Apple identity tokens;
- issue, rotate, revoke, and validate tokens;
- enforce rate limits and feature limits;
- detect misuse and protect the service;
- receive, store, and review postcard-content reports submitted by users, including the content snapshot, the reason provided, and the identities of the reporting user and the sender;
- receive, store, and review user-to-user reports submitted by users, including the reporter identity, the reported user identity, and the reason provided;
- assess reports and update their moderation status (pending, reviewed, resolved) through an admin interface accessible only to the controller;
- apply account bans where a user is found to have violated the terms of service, including recording the ban reason and ban timestamp and revoking active sessions and device tokens at the time of the ban;
- remove bans where a ban is determined to be incorrect or no longer applicable;
- maintain limited operational logs and service diagnostics.
D. Subscription and entitlement management
- sync App Store subscription status;
- determine whether a user has standard, premium, or unlimited access;
- process App Store server notifications relevant to entitlement status.
E. Communications and support
- respond to support, complaint, and privacy-rights requests;
- deliver push notifications for postcard and birthday-related features where enabled by the user at device level.
F. Legal and compliance purposes
- comply with legal obligations;
- handle lawful requests from authorities;
- retain records where needed for security, legal, accounting, fraud-prevention, or dispute-handling reasons.
6. Legal Bases for Processing
Where GDPR applies, we rely on the following legal bases. Listing these legal bases is also part of our transparency approach under Swiss law.
A. Contract performance or steps at the user's request (Art. 6(1)(b) GDPR)
We rely on contract performance to provide the app and backend services you request, including:
- account creation and sign-in;
- onboarding and profile management;
- contacts;
- postcards and local/server sync;
- flashcards, grammar, and gameplay features;
- subscription entitlement checks tied to the service;
- artist-content display where necessary to provide the curated in-app experience.
B. Legitimate interests (Art. 6(1)(f) GDPR)
We rely on legitimate interests to:
- secure and operate the service;
- prevent fraud, spam, abuse, and unauthorized access;
- enforce rate limits, moderation controls, and service integrity rules;
- receive and process reports about postcard content and user conduct, review them through an internal admin interface, and take action (including status updates and, where necessary, account bans) to protect users and the integrity of the service;
- maintain and improve reliability, troubleshoot errors, and protect users;
- operate curated artist, story, explore, like, and public-profile features;
- retain limited records needed to investigate reports, defend legal claims, or preserve service continuity.
Our legitimate interests are balanced against your rights and expectations. We do not use these interests as a basis for unrelated advertising or broad third-party profiling in the in-scope services.
C. Consent (Art. 6(1)(a) GDPR)
We rely on consent where processing depends on optional device permissions or optional user actions, including:
- camera access;
- photo-library access;
- microphone access;
- speech-recognition access;
- push-notification permission;
- location permission used to suggest postcard origin regions.
If you withdraw or deny a permission, some features may not function or may function with reduced capability.
D. Legal obligation (Art. 6(1)(c) GDPR)
We rely on legal obligation where we must retain, disclose, or otherwise process data to comply with applicable law, binding regulatory obligations, tax/accounting duties, or lawful authority requests.
7. Recipients and Data Sharing
We do not sell personal data processed in the in-scope services.
We may disclose personal data to the following categories of recipients:
A. Apple
- Sign in with Apple for authentication-related processing;
- App Store and App Store Server APIs for subscription and entitlement processing;
- Apple Push Notification service (APNs) for device-token-based notifications;
- Apple device and OS frameworks for permissions and device capabilities.
B. Cloudflare
- Cloudflare Workers for backend API hosting;
- Cloudflare D1 for database storage;
- Cloudflare R2 for asset storage;
- Cloudflare Workers AI for vocabulary-card, grammar-lesson, and grammar-check processing;
- Cloudflare observability and related infrastructure operations used to run the service.
C. Other users of the app
The service intentionally shares certain data with other users when needed for product features, for example:
- postcards and postcard metadata shared with senders and recipients;
- usernames and selected profile information displayed in contacts and authenticated public-profile views;
- artwork likes and similar visible interactions;
- birthday reminder notifications sent to a user's contacts, which use that user's display name and age on the date of notification, where the feature applies.
D. Featured artists and artist content viewers
Artist profile and publication data may be shown to users through the in-app explore and related app-facing APIs.
E. Authorities, advisers, and transaction counterparties
We may disclose personal data if required by law, legal process, or enforceable authority request, or where reasonably necessary to establish, exercise, or defend legal claims. We may also disclose relevant data in connection with a merger, acquisition, financing, sale of assets, or similar business transfer.
8. International Data Transfers
The service infrastructure and third-party providers may process personal data in Switzerland, the European Economic Area, the United States, and other countries where Apple, Cloudflare, or their subprocessors operate.
Where personal data is transferred outside Switzerland or the EEA to a country that does not benefit from an adequacy decision recognized under applicable law, we rely on contractual safeguards and comparable legally recognized protections, including provider commitments intended to support cross-border compliance. Where adequacy is available, we may rely on it.
Despite these safeguards, international transfers can involve residual legal or access risks in foreign jurisdictions. We use these providers because they are necessary to operate the in-scope services and because they provide contractual, organizational, and security commitments relevant to data protection.
For provider information, see:
- Apple Privacy: https://www.apple.com/privacy/
- Sign in with Apple & Privacy: https://www.apple.com/my/legal/privacy/data/en/sign-in-with-apple/
- Cloudflare Privacy & Data Protection: https://www.cloudflare.com/trust-hub/privacy-and-data-protection/
- Cloudflare Data Processing Addendum: https://www.cloudflare.com/cloudflare-customer-dpa/
9. Data Retention
We retain personal data for different periods depending on the category of data and the operational purpose.
A. Authentication data
- Access tokens are short-lived and expire after 15 minutes.
- Refresh tokens are retained for up to 30 days unless rotated, revoked, or deleted sooner.
- Revoked or expired refresh-token records may remain for security and audit purposes until they are deleted under our operational processes.
B. Device tokens
- APNs device tokens are kept until replaced, invalidated, removed on account deletion, or otherwise no longer needed for notifications.
C. Rate-limit and abuse-prevention data
- Rate-limit events are retained only for the relevant active window of the feature or endpoint involved, which may be as short as minutes or as long as daily enforcement windows.
- Older rate-limit events are eligible for cleanup when the corresponding checks run.
D. Postcards and postcard-related data
- Downloaded inbox postcards are removed from backend storage after successful confirmation of device download.
- Direct postcards have a 30-day expiration path in the current backend logic if they remain server-side.
- Randomly assigned postcards may be rerouted and, if they can no longer be delivered under the service rules, may be deleted operationally.
- Reported postcard snapshots and moderation-related records may be retained longer where needed for safety, abuse review, dispute handling, or legal compliance.
- Local postcard files and local postcard copies stored on your device remain on your device until you delete them, remove the app, or otherwise clear local data.
E. Moderation records and account-ban data
- User-to-user reports are stored in a dedicated moderation table containing the report identifier, the reporter's user identifier, the reported user's identifier, the reason text if any, the report status (pending, reviewed, or resolved), and the creation timestamp.
- A unique constraint prevents a user from submitting more than one report against the same other user. Rate limits (currently a maximum of 20 user-to-user reports per 24-hour window per user) apply to submission of reports.
- Postcard-content reports are stored with a content snapshot (front image, back text, font, language, canton), the reporter's user identifier, the sender's and recipient's identifiers, and related metadata at the time of the report.
- Moderation records are accessible only to the controller through an authenticated admin interface and are not visible to other end users of the app.
- Account-ban records are stored within the user's account record and include the ban timestamp and, where available, a reason recorded by the administrator. Active bans prevent the user from using the service; all active sessions and device push tokens are revoked when a ban is applied.
- Ban records may be retained after a ban is lifted to preserve an audit trail for safety and legal-compliance purposes.
- We retain moderation records and ban records for as long as necessary to investigate abuse, defend legal claims, comply with legal obligations, or preserve the safety and integrity of the service. There is no fixed automatic deletion period for moderation records in the current implementation.
F. Account, profile, contact, achievement, like, entitlement, and artist records
- User profile records, contacts, likes, objective statistics, subscription entitlement records, and artist/publication records do not all have fixed automatic deletion periods in the current codebase.
- These records are retained until deletion, manual erasure handling, archival, feature removal, or other operational, legal, security, accounting, or recordkeeping criteria require a different outcome.
G. Backups and provider-managed copies
- We do not currently publish a separate app-level backup retention schedule in this policy.
- Provider-managed backups, replication, and recovery copies may continue for limited operational periods even after live records are changed or deleted.
10. Account Deletion, Bans, and Manual Erasure Workflow
The app currently includes an in-app account deletion action, but that action does not currently perform full immediate server-side erasure.
In the current implementation, the in-app deletion flow:
- marks the user account as removed;
- resets onboarding completion;
- revokes refresh tokens; and
- deletes registered APNs device tokens.
That in-app action alone does not automatically erase all other related server-side records, such as certain profile data, postcards, contacts, likes, entitlement history, objective statistics, moderation/report records, or other data that may still exist under operational or legal retention needs.
Account bans are a separate action from account deletion. An account ban:
- prevents the user from accessing the service while the ban is in effect;
- revokes all active sessions and removes registered APNs device tokens;
- does not by itself delete the user's account or personal data from the backend.
A banned user's data remains stored subject to normal retention rules. The ban record (ban timestamp and reason) is retained as part of the account record. A ban can be lifted by the controller. If you believe you have been banned in error, you may contact us using the details in this policy to appeal.
If you want broader erasure beyond the current in-app deletion behavior, contact us using the privacy contact details in this policy. We aim to respond without undue delay and generally within one month. Where operationally possible, we will delete or anonymize data that no longer needs to be retained. We may keep limited records where retention is necessary for legal compliance, security, fraud prevention, accounting, dispute resolution, or to document that a request was handled.
11. Data Subject Rights
Depending on the law that applies to you, you may have the right to:
- access your personal data;
- receive information about how it is processed;
- request correction or rectification of inaccurate data;
- request deletion or erasure of personal data;
- request restriction of processing;
- receive data portability for data you provided to us where applicable;
- object to processing based on legitimate interests;
- withdraw consent at any time where consent is the basis;
- lodge a complaint with a competent supervisory or data-protection authority.
Under Swiss law, rights of access, correction, deletion, and data portability may apply. Under GDPR, access, rectification, erasure, restriction, portability, objection, consent withdrawal, and complaint rights may apply.
You can exercise rights by contacting:
Andrea Vaiuso
E-mail: vaiu-app-assistance@outlook.com
Telephone: +41 079 238 41 08
We aim to respond without undue delay and generally within one month. We may need to verify your identity before acting on a request.
If you are in Switzerland, you may also contact the Federal Data Protection and Information Commissioner (FDPIC). If GDPR applies to you, you may lodge a complaint with the supervisory authority in your habitual residence, place of work, or place of the alleged infringement.
12. Automated Decision-Making and Profiling
We do not currently disclose solely automated decision-making that produces legal effects or similarly significant effects within the meaning usually associated with GDPR Article 22.
The service does use limited automation for operational purposes, including:
- random postcard assignment and rerouting;
- rate limiting and anti-abuse controls;
- subscription entitlement syncing and status calculation;
- achievement/objective calculations.
These processes support service operation, eligibility, safety, and feature delivery, but they are not currently used by us as the sole basis for decisions with legal or similarly significant effects on users. We do not currently disclose high-risk profiling under the nFADP in this policy version.
13. Security Measures
We use technical and organizational measures designed to protect personal data, including:
- encryption in transit through HTTPS/TLS;
- signed and validated authentication tokens;
- server-side hashing of refresh tokens rather than storing them in plaintext;
- authenticated API access for protected routes;
- upload validation for supported image types, sizes, and dimensions;
- rate limiting and abuse-prevention controls;
- provider-managed access controls and infrastructure protections through Apple and Cloudflare services;
- moderation, review, and operational controls intended to limit abuse and unauthorized access.
No internet-based service can guarantee absolute security, and you should also protect your device, credentials, and local files.
14. Cookies and Tracking
For the in-scope app and backend-API surfaces covered by this policy, we do not currently operate a separate advertising-cookie, marketing-cookie, or analytics-SDK consent regime.
The iOS app does not use browser cookies in the ordinary sense. If you open hosted legal or asset URLs in a browser, your browser and infrastructure providers may still process ordinary request metadata needed to deliver the page or file, but we do not currently run a separate cookie-banner or advertising-tracker framework for the in-scope services described here.
15. Third-Party Services
Key third-party services used by the in-scope implementation include:
Apple
- Sign in with Apple
- App Store / App Store Server subscription and entitlement services
- APNs
- Apple device and permission frameworks
Policies:
- https://www.apple.com/privacy/
- https://www.apple.com/my/legal/privacy/data/en/sign-in-with-apple/
Cloudflare
- Cloudflare Workers
- Cloudflare D1
- Cloudflare R2
- Cloudflare Workers AI
- Cloudflare trust, privacy, and DPA resources
Policies:
- https://www.cloudflare.com/trust-hub/privacy-and-data-protection/
- https://www.cloudflare.com/cloudflare-customer-dpa/
We do not currently disclose separate in-scope analytics SDKs, crash-reporting SDKs, ad-tech providers, newsletter systems, or direct payment processors beyond Apple and Cloudflare services visible in the current codebase.
16. Children's Data
Postli is not intended for children under 16, and the current onboarding rules require users to be at least 16 years old.
We do not knowingly collect personal data from children under 16 for the in-scope services. If we learn that we hold personal data from a child under 16 in violation of this policy, we will take reasonable steps to delete, restrict, or otherwise handle the data appropriately.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to the service, data practices, legal requirements, or operational needs.
When we update this policy, we will post the updated version through the hosted legal text and in-app legal links and will revise the effective date at the top of the policy. Unless otherwise required by law, continued use of the app after the effective date of the updated policy means the updated policy will apply from that date forward.
18. Contact Information
For privacy questions, complaints, or rights requests, contact:
Andrea Vaiuso
St. Gallerstrasse 73
8400 Winterthur
Switzerland
Telephone: +41 079 238 41 08
E-mail: vaiu-app-assistance@outlook.com
19. Swiss-Specific Transparency Notes
For transparency under the nFADP, this policy expressly identifies:
- the categories of personal data we process;
- the categories of recipients to whom we disclose data;
- the fact that cross-border processing may occur, including outside Switzerland;
- the safeguards we rely on for such transfers; and
- that we do not currently disclose high-risk profiling in this policy version.
20. Practical Implementation Notes
To make this policy operationally accurate:
- in-app account deletion currently performs a soft-delete style server action and should not be read as immediate full erasure;
- broader erasure requests should be sent to the controller contact above;
- consent for optional device permissions is handled by Apple platform permission prompts and can generally be changed in device settings;
- some learning content, local postcard copies, authentication tokens, and app data may remain stored locally on the device until the user deletes them or removes the app;
- this policy is versioned by its effective date and should remain aligned with the EULA and the live backend implementation.