Privacy notice

1. Who is the controller

The data controller is Chelodo B.V. (“Chelodo”, “we”, “us”). For privacy questions, data-access requests, or to exercise any of the rights described below, contact cards@chivent.com.

2. What we collect and why

The service collects the following categories of data:

• Photos you upload. We process the image you upload so a third-party AI model can illustrate it. The original photo is never published — only the illustrated result is shown on the card. Lawful basis: performance of the contract (Art. 6(1)(b) GDPR).
• Card text you type. Stored alongside the card so the share page can render it to the recipient. Lawful basis: performance of the contract.
• Email address. Collected at checkout and passed to Stripe so it can email your receipt and share link. We do not use your email for marketing. Lawful basis: performance of the contract.
• Anonymous session cookie (chivent_sid). A random identifier that lets you return to your in-progress draft without an account. Strictly necessary for the service to work; no consent required (Recital 30 GDPR / ePrivacy Directive Art. 5(3)).
• Locale cookie (chivent_locale). Records your language preference so the site loads in the right language next time. Strictly necessary.
• Stripe session id and order metadata. Once you check out, Stripe returns a session id that we store alongside your order so you can come back to the success page. Lawful basis: performance of the contract.
• Server-side request logs. Cloudflare and our worker record the IP address, request path, and timestamp for every request, for security, abuse detection, and rate limiting. Lawful basis: our legitimate interest in protecting the service (Art. 6(1)(f) GDPR).

We do not run third-party advertising pixels, behavioural-tracking scripts, or analytics that profile you. The one exception is Cloudflare Web Analytics, which counts aggregate page traffic without cookies, without tracking you across sites, and without building a profile of you. We do not sell personal data.

3. How long we keep it

• Source photos (originals): 24 hours from upload. Removed automatically from our storage thereafter.
• In-progress drafts (cards that never became orders): 24 hours from the last edit. Auto-deleted.
• Stylized artwork and shared cards: 365 days from purchase. After that the share link stops working and the artwork is removed.
• Order records (Stripe session id, line item, sender name, recipient email if provided): 1 year, to support refunds and customer support.
• Promo codes issued to you after a purchase: 90 days.
• Cookies: session cookie persists up to 1 year; locale cookie 1 year. Both are reset if you clear your browser data.
• Stripe-held data(payment records, receipts): governed by Stripe’s retention policy, which we do not control. See stripe.com/privacy.
• Server-side request logs:retained at Cloudflare’s default (typically up to 7 days for security and abuse review).

You can delete a card at any time from the success page Stripe returned you to. This immediately disables the share link so the card is no longer publicly accessible. We retain a minimal order record (marked deleted) for the statutory refund and dispute period; the stylized artwork may persist in our cache for the standard retention window above. The Stripe receipt remains, since Stripe is the payment record-keeper. For full erasure beyond this, contact us and we will process it manually — see “Your rights under GDPR” below.

4. Who we share it with (sub-processors)

We use the following processors to deliver the service. Each acts on our written instructions under a data processing agreement:

• Stripe(Stripe Payments Europe Ltd., Ireland). Payment processing. We never see your card details. Stripe creates and retains a Customer record per buyer (keyed on the email address you provide at checkout) so repeat purchases can be grouped together in Stripe’s dashboard for accounting and customer support.
• Replicate (Replicate, Inc., USA). Runs the AI model that illustrates your photo. Your photo bytes are sent to Replicate for the duration of the generation. Outputs are returned to us; we store them in our EU bucket. International transfer is covered by EU Standard Contractual Clauses.
• Cloudflare(Cloudflare, Inc., USA / EU data residency selected). Hosting (Workers), storage (R2, EU jurisdiction), CDN, and DNS. Your photos and artwork are stored in Cloudflare’s EU R2 region. International transfers, where they occur (e.g. log metadata), are covered by EU Standard Contractual Clauses.

We do not transfer personal data to any other third parties. We may be required to disclose data in response to a valid legal order — in such cases we will tell you unless legally prohibited from doing so.

5. Where the data lives

Photos, generated artwork, drafts, and card metadata are stored in Cloudflare R2 in the EU region. Some processing necessarily happens outside the EU — see Replicate above. All EU-to-non-EU transfers rely on either an adequacy decision or EU Standard Contractual Clauses, with supplementary technical measures (transport encryption, short retention).

6. Automated processing

The AI illustration is an automated transformation of your photo. It produces a creative output, not a decision about you. No profiling or automated decision-making with legal or similarly significant effects (within the meaning of Art. 22 GDPR) takes place.

7. Your rights under GDPR

If you are in the EU, the UK, or another jurisdiction with comparable rights, you have the right to:

• access the personal data we hold about you;
• have it corrected if it is inaccurate;
• have it erased (you can also delete a card yourself from the success page);
• restrict or object to processing;
• data portability;
• lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.

To exercise any of these rights, email cards@chivent.com with enough detail to identify the relevant order or session. Because the service is anonymous, this typically means including the Stripe receipt id or the share URL.

8. Children

Chivent Cards is not directed to children under 16. If you are under 16, please do not use the service or send us any personal data. If you believe a child has used the service, email us and we will delete the relevant data.

9. Security

Data in transit is encrypted (TLS). Data at rest in R2 is encrypted by the storage provider. We minimise what we collect, retain it for as short as the service permits, and isolate session-owned drafts so they are not visible to other users.

10. Changes to this notice

We may update this notice as the service evolves. Material changes will be reflected in the “Last updated” date at the top. The current version is always the one you see on this page.

11. Contact

Chelodo B.V., KVK 94820996, the Netherlands. cards@chivent.com.