🌺

Privacy Policy

Share The Aloha, LLC

Effective Date: 2026-05-30

Your privacy matters. Share The Aloha is built on a simple principle: your memories belong to you and the people you love — not to advertisers, data brokers, or social media algorithms. This Privacy Policy explains exactly what data we collect, why we collect it, how we protect it, and what rights you have. We have written it to be conservative and transparent: where a privacy framework gives us latitude, we have generally chosen the option that gives you more control rather than less.

1. Who We Are

Share The Aloha, LLC (“Company,” “we,” “our,” or “us”) operates the website at sharethealoha.com and the Share The Aloha service (collectively, the “Service”). The Company is a Hawaii limited liability company. This Privacy Policy applies to all users of the Service, including Senders (registered account holders), Tribute Hosts and Contributors, and Recipients (individuals who receive Alohagram or Tribute delivery emails).

For questions about this Privacy Policy or your privacy rights, contact us at support@sharethealoha.com. For security-specific concerns, see Section 13 for the right contact address.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Service, you may provide:

  • Account information: your name, email address, and password (stored only as a one-way salted hash — we never have access to your plaintext password).
  • Recipient information: names and email addresses of people you designate to receive Alohagrams.
  • Uploaded content: photos and written notes that you upload to the Service for delivery. (Other media types may be supported in the future.)
  • Delivery preferences: scheduling choices (frequency, time zone, start date) and personal notes attached to individual items.
  • Communications: any messages you send to us via email or through the Service.
  • Payment information: if and when you purchase a paid plan, payment is processed by Stripe. We receive a confirmation token and your billing email; we never see or store your full card number.

2.2 Information Collected Automatically

When you visit our website or use the Service, we may automatically collect:

  • Device and browser information: browser type, operating system, and device type, collected through standard HTTP headers.
  • Usage data: pages visited, features used, and timestamps, collected through server-side logging only.
  • IP address: retained for security, fraud prevention, and abuse investigation. We do not use IP-based geolocation to target advertising and do not share IP addresses with marketing partners.
  • Bot protection signals: Cloudflare Turnstile collects interaction signals to distinguish humans from bots during signup and login. This data is processed by Cloudflare and is not stored by the Company. No CAPTCHAs, tracking cookies, or fingerprinting are used.

2.3 Information We Do NOT Collect

We believe in collecting only what we need. We do not:

  • Use cookies for tracking, profiling, or advertising;
  • Use third-party analytics services (no Google Analytics, no Meta Pixel, no TikTok Pixel, no LinkedIn Insight, no tracking scripts);
  • Use behavioral or interest-based advertising of any kind;
  • Collect precise location data, GPS coordinates, or use device fingerprinting;
  • Use session replay or screen-recording technology (no FullStory, no Hotjar, no Microsoft Clarity, no ContentSquare, no LogRocket);
  • Embed open-tracking pixels in delivery emails. We do not track whether you open an email we send;
  • Scan, analyze, or process the contents of your uploaded photos or notes for any purpose other than secure storage and scheduled delivery to your designated recipients;
  • Use your content to train artificial intelligence or machine-learning models;
  • Build user profiles, behavioral models, or interest graphs; or
  • Knowingly collect personal information directly from children under 18 (see Section 9).

2.4 Tribute Contributor Information

When you participate in a Tribute Alohagram as a Host or Contributor, we additionally process:

  • Contributor name and email address: provided by the Host who invites you, and confirmed by you when you create your account to take part.
  • Account sign-in data: Taking part in a Tribute requires a free Share The Aloha account. We process your account credentials and an authentication session to recognize you, the same as for any account holder.
  • Contributed content: photographs, written stories, captions, and comments you submit to a Tribute.
  • Information about other people: Tribute content often depicts or describes third parties — including the Tribute’s subject (who, in a memorial, may be deceased) and other people who appear in photographs. Contributors are responsible for having the right to share such content (see our Terms of Service Section 7).

2.5 Cookies and Similar Technologies

We use a small number of essential cookies to operate the Service. These are not used for tracking or advertising and you cannot opt out of them without breaking the Service.

  • Session cookies: set by our authentication provider (Supabase) to keep you signed in. Cleared when you sign out.
  • CSRF tokens: set by our application framework to protect against cross-site request forgery attacks during form submission.
  • Cloudflare Turnstile signals: ephemeral, set on the signup and login pages to distinguish humans from bots. Not used for behavioral tracking.

We do not use advertising cookies, third-party analytics cookies, cross-site tracking pixels, session replay technology, or any technology designed to follow you across the web. Our delivery emails contain no open-tracking pixels and no click-tracking redirects.

3. How We Use Your Information

We use the information we collect solely to operate and improve the Service:

  • To provide the Service: store your content, deliver Alohagrams to your designated recipients on schedule, and manage your account.
  • To communicate with you: send account-related emails (verification, password reset, delivery confirmations, service updates).
  • To obtain recipient consent: before the first delivery of a recurring Alohagram or any Tribute Alohagram, we send the intended recipient a single opt-in email that previews the content and gives them an explicit choice to accept or decline. We treat opt-in as the global standard for our recurring deliveries. One-time, specific-date Alohagrams (such as a birthday or anniversary email) are delivered as a single message with an unsubscribe link in the footer, rather than a pre-delivery opt-in step, because a single email is materially different from initiating an ongoing series. Recipients can opt out from any delivery at any time.
  • To protect the Service: prevent abuse, enforce our Terms of Service, investigate reports of violations, and maintain our Trust & Safety system.
  • To understand aggregate use: we look at de-identified, aggregated usage patterns (for example, how many Alohagrams are delivered per week) to improve features and fix bugs. We do not generate individual behavioral profiles.

We will never use your content, personal information, or recipient data for advertising, marketing to third parties, training of AI or machine-learning models, or any purpose unrelated to providing the Service to you.

4. How We Share Your Information

4.1 Service Providers (Sub-Processors)

We share limited data with trusted third-party service providers who help us operate the Service. These providers are contractually obligated to use your data only as necessary to provide their services to us and are subject to confidentiality obligations. The major providers operate their own independent privacy and security programs:

  • Supabase (database, authentication, and storage) — SOC 2 Type II certified. US-based data centers. Stores account data, recipient information, delivery schedules, and uploaded photos.
  • Vercel (website and application hosting) — SOC 2 Type II certified. Global edge network with US-based primary regions. Does not access or store user content.
  • Resend (transactional email delivery) — handles outbound email. Receives recipient email addresses and Alohagram content solely to deliver scheduled emails on your behalf. Uses authenticated SMTP with SPF, DKIM, and DMARC.
  • Amazon Web Services (AWS) (encrypted database backups) — stores encrypted copies of database data for disaster recovery. AWS maintains SOC 1/2/3, ISO 27001, and PCI DSS certifications.
  • Stripe (payment processing) — PCI Service Provider Level 1, the highest payment-card security certification. We never see or store your card number.
  • Cloudflare (bot protection via Turnstile) — processes interaction signals during signup and login to prevent automated abuse. Does not receive personal information.

A current list of our material sub-processors is maintained on this page. If we add a new sub-processor that materially expands the scope of data sharing, we will update this Privacy Policy.

4.2 We Do NOT Sell or ‘Share’ Your Personal Information

We do not sell, rent, lease, share for cross-context behavioral advertising, or trade your personal information or your content with any third party. We do not participate in advertising exchanges, data brokerage, or any monetization scheme involving your personal information. This commitment applies under the California Consumer Privacy Act (CCPA/CPRA), the EU and UK General Data Protection Regulation (GDPR), and equivalent laws in other jurisdictions. This is a core principle of Share The Aloha, not a legal formality.

4.3 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is reasonably necessary to:

  • Comply with a legal obligation, subpoena, court order, or government request;
  • Protect and defend the rights, property, or safety of the Company, our users, or the public;
  • Prevent or investigate possible wrongdoing in connection with the Service; or
  • Protect against legal liability.

Where permitted by law, we will notify you of any legal demand we receive for your data before responding, so that you have the opportunity to object or seek a protective order.

4.4 Business Transfers

If the Company is involved in a merger, acquisition, bankruptcy, or asset sale, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information. Any acquirer must agree to terms at least as protective as this Privacy Policy with respect to your data.

4.5 Tribute Hosts as Controllers; Share The Aloha as Processor

When a Tribute Host invites Contributors, designates recipients, and chooses the cadence of delivery, the Host is determining the purposes and means of the processing of personal data within that Tribute. For purposes of the GDPR and similar laws, the Host is the “controller” of that data, and Share The Aloha acts as a “processor” on the Host's instructions for that Tribute. We will provide a Data Processing Addendum (DPA) to Hosts who request one. This Privacy Policy continues to govern our role as a controller of account data for the Host's own account and for Contributor accounts that are created to participate in a Tribute.

5. Data Storage and Security

5.1 Where Your Data Is Stored

Your data is stored on servers located in the United States, operated by our service providers (Supabase, Vercel, AWS). All primary storage is within U.S. data centers.

5.2 How We Protect Your Data

We implement industry-standard security measures to protect your information:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
  • Encryption at rest: stored data — including your photos and account details — is encrypted with AES-256 by our infrastructure providers. Database backups are encrypted before storage on AWS S3.
  • Private media storage: all uploaded media files are stored in a private storage bucket. Files are never publicly accessible. Access is granted only through time-limited signed URLs.
  • Authentication security: passwords are hashed using industry-standard algorithms (bcrypt). We never store passwords in plaintext. Session tokens are managed by Supabase Auth with industry-standard JWT security. Brute-force protection is enabled on login endpoints.
  • Bot protection: Cloudflare Turnstile prevents automated attacks on signup and login endpoints.
  • Row-level security: database policies ensure that each user can only access their own data. One user cannot view, modify, or access another user's content, recipients, or account information.
  • Daily backups: the database is backed up daily with encrypted copies stored on AWS S3 for disaster recovery. Backups are retained for 90 days, then permanently destroyed in the normal course of business.

5.3 Signed URLs for Media

When Alohagram delivery emails include photos, the email contains a time-limited signed URL that grants temporary access to the specific file. These URLs expire after a set period. For emails, signed URLs have a long expiration (up to one year) so recipients can revisit saved emails. For in-app display, signed URLs expire after one hour. Expired URLs cannot be used to access content.

5.4 Security Practices Page

We publish a separate page describing our security practices in more detail at /security. We also operate a Responsible Disclosure Program for security researchers, described at /responsible-disclosure.

5.5 No System Is Perfectly Secure

No method of internet transmission or electronic storage is 100% secure. While we implement industry-standard safeguards and continuously improve them, we cannot guarantee absolute security. In the event of a data incident that requires notification under applicable law, we will notify affected users and regulators within the timeframes required.

6. Recipient Privacy

If you receive an Alohagram, someone who cares about you added your email address to the Service to share personal content with you. Here is what you should know:

6.1 What We Know About You

As a recipient, the only information we have about you is your name and email address, as provided by the Sender. We do not create an account for you, track your behavior, or collect any additional data about you beyond what is necessary to deliver the Alohagram.

6.2 Your Rights as a Recipient

  • Opt-in before recurring deliveries. Recipients of recurring Alohagrams and all Tribute Alohagrams receive a single opt-in email before the first delivery, with explicit accept and decline buttons. A decline is permanent for that sender-recipient pair.
  • Opt out at any time. Every Alohagram email includes an unsubscribe link. You can permanently opt out of receiving messages from a specific Sender at any time with one click.
  • Adjust frequency. Every Alohagram email includes a “manage preferences” link where you can pause or change delivery cadence.
  • Report: every Alohagram email includes a “Report this email” link. If you receive unwanted, harassing, or inappropriate content, you can report it and our Trust & Safety team will investigate.
  • Data deletion: you may request deletion of your information from our system by contacting support@sharethealoha.com.

7. Data Retention

7.1 Active Accounts

We retain your account data, uploaded content, and delivery history for as long as your account is active and the Service is in use. Content scheduled for future delivery is retained until delivered or until you delete it.

7.2 Account Deletion

You can permanently delete your account at any time from your Settings page (Danger Zone), or by contacting support@sharethealoha.com. On deletion we will permanently remove:

  • Your account information (name, email, password hash);
  • All uploaded media files;
  • All recipient information and delivery schedules; and
  • All delivery history and personal notes.

Active deletion is processed within thirty (30) days. Some data may persist in encrypted backups for up to 90 days after deletion, after which backup copies are rotated and overwritten. We do not restore deleted data from backups for any purpose other than disaster recovery of the system as a whole.

7.3 Terminated Accounts

Accounts terminated for violation of our Terms of Service are permanently deleted, including all associated content, as described in our Terms of Service.

7.4 Inactive Accounts

Free tier accounts that remain inactive for more than three (3) years may be subject to deletion after notice. We will send at least two (2) email notifications to the registered email address before deleting an inactive account, with a minimum of 30 days between the final notice and deletion.

7.5 Tribute Retention and Deceased-Subject Data

A Tribute is a shared memorial maintained for the benefit of multiple Contributors and recipients. We treat Tribute content with extra care:

  • Tribute Pro delivery year. Active delivery runs for one year from the date of purchase. After that, the Tribute becomes read-only and its archive remains accessible to Contributors as a keepsake until the Host or all Contributors request deletion, or the account itself is closed.
  • Contributor deletion within a Tribute. A Contributor may request removal of their own contributions from a Tribute. We will remove the Contributor's submissions; we will not, however, alter or remove other Contributors' submissions or comments that may reference them, unless the Host or a person with legal standing (such as a close family member of the subject) requests removal of specific items.
  • Deceased subjects. Where a Tribute memorializes a person who has died, we will consider good-faith requests for removal or correction from the subject's family or others with a legitimate interest, and from anyone with a legal right to act on the subject's behalf. We will balance such requests against the interest of other Contributors in preserving the Tribute. Post-mortem privacy and right-of-publicity rules vary by jurisdiction; we will follow applicable law.

8. Your Privacy Rights

8.1 All Users

Regardless of where you live, and regardless of whether you are legally entitled to the rights of a particular jurisdiction, we voluntarily extend the following rights to all users of the Service:

  • Access: request a copy of the personal information we hold about you.
  • Correction: request correction of inaccurate personal information.
  • Deletion: request deletion of your account and all associated data.
  • Data portability: request an export of your uploaded content in a standard format.
  • Withdraw consent: stop using the Service at any time.

To exercise any of these rights, contact us at support@sharethealoha.com. We will acknowledge your request within five (5) business days and substantively respond within thirty (30) days, or in the timeframe required by applicable law, whichever is shorter.

8.2 California Residents (CCPA/CPRA)

Where the Service does not yet meet a threshold that triggers formal applicability of the California Consumer Privacy Act and California Privacy Rights Act, we nonetheless choose to extend the following CCPA/CPRA rights to California residents:

  • Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to delete: request deletion of your personal information, subject to limited exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of ‘sale’ or ‘sharing’: we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary because no such sale or sharing occurs.
  • Right to limit use of Sensitive Personal Information: CPRA defines certain categories of personal information as “Sensitive Personal Information.” We do not use any Sensitive Personal Information for purposes beyond providing the Service. You may nonetheless request limitation of use; we will treat your request as effective on receipt.
  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny service, charge different prices, or provide a different level of service in response to your exercise of these rights.
  • Authorized agent: you may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority before responding.
  • California ‘Shine the Light’: California residents may request information about disclosures of personal information to third parties for direct-marketing purposes. We do not make such disclosures; there is nothing to disclose.

California residents may exercise these rights by emailing support@sharethealoha.com with the subject line “California Privacy Rights Request.”

8.3 European Economic Area and United Kingdom Residents (GDPR/UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR), UK GDPR, and equivalent Swiss law.

Legal bases for processing

  • Consent: for account creation, recipient opt-in, and any optional features that require it.
  • Contractual necessity: for providing the Service in accordance with our Terms of Service.
  • Legitimate interests: for security, fraud prevention, abuse investigation, and basic Service operation, which we have balanced against your privacy interests.
  • Legal obligations: for compliance with applicable laws.

Your GDPR rights

  • Right of access (Art. 15) — a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — deletion of your personal data.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — an export of your data in a structured, commonly used format.
  • Right to object (Art. 21) — to processing based on legitimate interests.
  • Right not to be subject to automated individual decision-making (Art. 22). We do not engage in automated decision-making that produces legal or similarly significant effects.
  • Right to withdraw consent at any time (Art. 7(3)), without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint with a supervisory authority (Art. 77) — your national data protection authority, the UK Information Commissioner's Office, or the Swiss FDPIC.

International data transfers

Your personal data is stored in the United States. When we transfer personal data from the EEA, the UK, or Switzerland to the United States, we rely on appropriate transfer mechanisms. We intend to self-certify under the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as our primary mechanism for these transfers. Where the DPF is not available for a particular flow, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss instruments. We supplement these with the technical and organizational measures described in Section 5.

Controller

The data controller for the personal data we process about you in connection with our role as a controller is Share The Aloha, LLC. For data processed in connection with a Tribute, see Section 4.5 (Tribute Hosts as Controllers; Share The Aloha as Processor).

8.4 Other U.S. State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other U.S. states with comprehensive consumer privacy laws have rights similar to those listed in Section 8.2. Nevada residents may request that we not sell their personal information; we do not sell personal information of any user, and therefore there is no sale from which to opt out. You may exercise rights under any applicable state law by contacting support@sharethealoha.com.

9. Children’s Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information directly from children under 18. If we learn that we have collected personal information directly from a child under 18, we will take steps to delete that information as quickly as possible.

Photographs that may include children: our Senders and Tribute Contributors may upload photographs that contain identifiable people, including children, who are not themselves users of the Service. Senders and Contributors are responsible for having the rights and permissions necessary to share such content, including any consents required by law from the parents or legal guardians of children depicted. This responsibility is described in Section 7 of our Terms of Service.

If you believe we have inadvertently collected personal information directly from a child under 18, or if you are a parent or guardian who wishes to request removal of content depicting your child, please contact support@sharethealoha.com.

10. Third-Party Links and Services

The Service may contain links to third-party websites or services that are not owned or controlled by the Company. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.

11. Pre-Launch Notice

Share The Aloha is currently in a pre-launch period. The Service is operational and our security, privacy, and consent commitments described in this Privacy Policy apply now. We are completing final pre-launch steps including a third-party security review and any further legal review. We will update this Privacy Policy and notify users of any material change before launching publicly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice within the Service at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

We maintain an archive of previous versions of this Privacy Policy, available on request.

13. Reporting Concerns

The right contact address depends on the concern:

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Share The Aloha, LLC

support@sharethealoha.com

sharethealoha.com

© 2026 Share The Aloha, LLC. All rights reserved.