Privacy Policy
Last updated June 23, 2026
This Privacy Policy explains how Handfelt (“Handfelt,” “we,” “us”) collects, uses, shares, and protects information when you visit our website, use our customer portal, and use our handwritten-mail services (together, the “Service”). It should be read together with our Terms of Service and our Subprocessors page.
1. Who this policy covers
This policy concerns three groups of people:
- Site visitors — people who browse our website or contact us.
- Customers — the businesses and their team members who use the portal.
- Recipients — the people our customers choose to mail, whose names and addresses customers upload to the Service.
2. Controller and processor roles
For information our customers upload about their Recipients (“Recipient Data”), the customer is the data controller and Handfelt acts as the customer’s processor — we process Recipient Data only to deliver the Service on the customer’s instructions. The customer decides which Recipients to upload, what to send, and how long to keep that data, and is responsible for having a lawful basis and any required consent. For a customer’s own account and billing information, Handfelt is the controller.
3. Information we collect
Information you give us directly. Account and contact details (name, email, company, phone); billing information collected through our payment processor, Stripe (we do not receive or store your full card number); the Recipient Data you upload (names, mailing addresses, optional email addresses, and any custom fields you include); message content, designs, logos, signatures, and handwriting samples; and the content of any inquiry you send us.
Information collected automatically. Limited usage and device information — such as pages viewed, general device or browser type, and activity in the portal (for example, campaigns created and Credits spent) — used to operate, secure, and improve the Service.
Information from third parties. Billing and identity details from Stripe, and authentication signals from our email provider when you sign in.
4. How and why we use information
We use information to:
- provide, operate, and deliver the Service, including rendering, printing, and mailing;
- process payments, calculate any applicable tax, and keep billing records;
- respond to inquiries and provide support;
- protect the Service, detect and prevent fraud and abuse, and enforce our terms;
- comply with legal obligations; and
- understand and improve the Service using aggregate, de-identified analytics.
We do not sell personal information, and we do not use it for third-party advertising. Where required by law, our legal bases include performance of our contract with you, our legitimate interests in operating and securing the Service, compliance with law, and consent where applicable.
5. Recipient data and your responsibilities
When a customer uploads Recipient Data, the customer warrants that it has the right and any necessary consent to provide that data and to mail those Recipients. Handfelt processes Recipient Data only to deliver the Service and does not use it to contact Recipients for our own purposes. Customers are responsible for complying with laws that apply to their mailings — for example, applicable junk-mail and do-not-mail rules, and, where their campaigns involve email, the CAN-SPAM Act. See our Acceptable Use Policy.
6. How information is shared
We share information with vendors that help us deliver the Service (“subprocessors”), including our handwriting-rendering service, our print and mail-fulfillment vendor, our payment processor, our email provider, and cloud storage and hosting providers. These vendors process information on our behalf under contractual restrictions and may not use it for their own purposes. The current list is on our Subprocessors page, and a data processing agreement is available on request. We may also disclose information where required by law or to protect our rights, and in connection with a merger, acquisition, or sale of assets (with notice as required by law).
7. Data retention and deletion
We keep account and billing records for as long as your account is active and afterward as needed to meet legal, tax, accounting, and legitimate business requirements. We use soft-deletion: when a customer deletes a list or contact, it is hidden and marked deleted but is not immediately and permanently erased. If you require permanent (“hard”) deletion — for example, to meet a legal obligation — contact support@handfelt.co and we will permanently delete the data unless we are required to retain it. Rendered images held in temporary storage are removed after they are no longer needed to fulfill the order. Once a piece has been printed and mailed, it cannot be recalled.
8. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing — for example, under the California Consumer Privacy Act (CCPA) or the EU/UK General Data Protection Regulation (GDPR). We do not sell personal information. To make a request, email support@handfelt.co with “Privacy Request” in the subject line; we will respond as required by applicable law. If your request concerns Recipient Data held on a customer’s behalf, we will refer you to, or coordinate with, that customer as the controller.
9. Cookies and analytics
Cookies are small files stored on your device. Our website uses a small number of cookies that are necessary for it to work — for example, an hf_auth hint cookie set across handfelt.co so we can tell whether you are signed in to the portal, and standard session and security cookies. For understanding site traffic we use a privacy-friendly analytics tool (Vercel Analytics) that measures aggregate usage and does not use cookies to identify you individually. Our portal and our payment processor may set their own necessary cookies when you sign in or check out.
You can block or delete cookies through your browser settings, though some features (such as staying signed in) may not work without them. Where required by law, we will ask for your consent before setting non-essential cookies. California residents may ask about the categories of information we collect through cookies; see your rights above.
10. Security
We use reasonable, industry-standard measures to protect the information we hold, including encryption in transit and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If a breach affecting personal information occurs, we will notify affected parties and authorities as and when required by applicable law.
11. International data transfers
We process information in the United States. If you or your Recipients are located outside the United States, you are responsible for ensuring a lawful basis for the transfer; where we act as your processor, we will enter into appropriate transfer mechanisms (such as Standard Contractual Clauses) as part of a data processing agreement on request.
12. Children
The Service is intended for businesses and is not directed to children, and we do not knowingly collect personal information from children. If we learn that we have done so, we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide reasonable notice.
14. Contact
Questions or requests about this policy? Email support@handfelt.co.