Privacy Policy

When you create an account or use the Service, you may provide:

• Account information: your name, email address, and password.
• Recipient information: names and email addresses of people you designate to receive Alohagrams.
• Uploaded content: photos, videos, audio recordings, documents, written notes, and web links that you upload to the Service for delivery.
• Delivery preferences: scheduling choices (frequency, time zone, start date) and personal notes attached to individual items.
• Communications: any messages you send to us via email or through the Service.

When you visit our website or use the Service, we may automatically collect:

• Device and browser information: browser type, operating system, and device type, collected through standard HTTP headers.
• Usage data: pages visited, features used, and timestamps, collected through server-side logging only.
• Bot protection data: Cloudflare Turnstile collects interaction signals to distinguish humans from bots during signup and login. This data is processed by Cloudflare and is not stored by the Company. No CAPTCHAs, tracking cookies, or fingerprinting are used.

We believe in collecting only what we need. We do not:

• Use cookies for tracking or advertising purposes;
• Use third-party analytics services (no Google Analytics, no Meta Pixel, no tracking scripts);
• Collect location data, GPS coordinates, or IP-based geolocation;
• Scan, analyze, or process the contents of your uploaded media for any purpose other than storage and delivery;
• Build user profiles, behavioral models, or interest graphs; or
• Collect data from children under 18 (see Section 9).

When you participate in a Tribute Alohagram as a Host or Contributor, we additionally process:

• Contributor name and email address: provided by the Host who invites you, or by you when joining a Tribute.
• Passwordless sign-in data: Contributors may join through a secure, single-purpose link sent by email rather than a password. We process the associated email token and an authentication session to recognize you. Because possessing the link grants access, it should not be forwarded to anyone you do not intend to invite.
• Contributed content: photographs, written stories, captions, and comments you submit to a Tribute.
• Information about other people: Tribute content often depicts or describes third parties — including the Tribute’s subject (who, in a memorial, may be deceased) and other people who appear in photographs. Contributors are responsible for having the right to share such content (see our Terms of Service).

We share limited data with trusted third-party service providers who help us operate the Service. These providers are contractually obligated to use your data only as necessary to provide their services to us and are subject to confidentiality obligations:

• Supabase: database hosting and user authentication. Stores account data, recipient information, delivery schedules, and uploaded media files.
• Resend: email delivery. Receives recipient email addresses and Alohagram content solely to deliver scheduled emails on your behalf.
• Vercel: website hosting. Serves the web application. Does not access or store user content.
• Cloudflare: bot protection (Turnstile). Processes interaction signals during signup and login to prevent automated abuse. Does not receive personal information.
• Amazon Web Services (AWS): encrypted database backups. Stores encrypted copies of database data for disaster recovery. Media files are not included in these backups.
• Stripe: payment processing (for future paid features). Will process payment information directly; the Company does not store credit card numbers.

We do not sell, rent, lease, or trade your personal information or your content to any third party. We do not share data with advertisers, data brokers, or marketing companies. We do not participate in data exchanges or data monetization schemes of any kind. This is a core principle of Share The Aloha, not a legal formality.

We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is reasonably necessary to:

• Comply with a legal obligation, subpoena, court order, or government request;
• Protect and defend the rights, property, or safety of the Company, our users, or the public;
• Prevent or investigate possible wrongdoing in connection with the Service; or
• Protect against legal liability.

If the Company is involved in a merger, acquisition, bankruptcy, or asset sale, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.

Your data is stored on servers located in the United States, operated by our service providers (Supabase and AWS). All data is stored within U.S. data centers.

We implement industry-standard security measures to protect your information:

• Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
• Encryption at rest: database backups are encrypted before storage on AWS S3.
• Private media storage: all uploaded media files are stored in a private storage bucket. Files are never publicly accessible. Access is granted only through time-limited signed URLs.
• Authentication security: passwords are hashed using bcrypt. We never store passwords in plaintext. Session tokens are managed by Supabase Auth with industry-standard JWT security.
• Bot protection: Cloudflare Turnstile prevents automated attacks on signup and login endpoints.
• Row-level security: database policies ensure that each user can only access their own data. One user cannot view, modify, or access another user's content, recipients, or account information.
• Daily backups: the database is backed up daily with encrypted copies stored on AWS S3 for disaster recovery.

When Alohagram delivery emails include photos or media, the email contains a time-limited signed URL that grants temporary access to the specific file. These URLs expire after a set period. For emails, signed URLs have a long expiration (up to one year) so recipients can revisit saved emails. For in-app display, signed URLs expire after one hour. Expired URLs cannot be used to access content.

As a recipient, the only information we have about you is your name and email address, as provided by the Sender. We do not create an account for you, track your behavior, or collect any additional data about you beyond what is necessary to deliver the Alohagram.

• Opt out: every Alohagram email includes an unsubscribe link. You can permanently opt out of receiving messages from a specific Sender at any time with one click.
• Report: every Alohagram email includes a “Report this email” link. If you receive unwanted, harassing, or inappropriate content, you can report it and our Trust & Safety team will investigate.
• Consent: recipients of recurring Alohagrams go through an opt-in process early in the delivery cycle to confirm they welcome the messages.
• Data deletion: you may request deletion of your information from our system by contacting support@sharethealoha.com.

We retain your account data, uploaded content, and delivery history for as long as your account is active and the Service is in use. Content scheduled for future delivery is retained until delivered or until you delete it.

When you request account deletion (by contacting support@sharethealoha.com), we will permanently delete:

• Your account information (name, email, password hash);
• All uploaded media files;
• All recipient information and delivery schedules; and
• All delivery history and notes.

Deletion is processed within thirty (30) days of your request. Some data may persist in encrypted backups for up to 90 days after deletion, after which backup copies are rotated and overwritten.

Accounts terminated for violation of our Terms of Service are permanently deleted, including all associated content, as described in our Terms of Service.

Free tier accounts that remain inactive for more than three (3) years may be subject to deletion after notice. We will send at least two (2) email notifications to the registered email address before deleting an inactive account, with a minimum of 30 days between the final notice and deletion.

Regardless of where you live, you have the right to:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate personal information.
• Deletion: request deletion of your account and all associated data.
• Data portability: request an export of your uploaded content in a standard format.
• Withdraw consent: stop using the Service at any time.

To exercise any of these rights, contact us at support@sharethealoha.com. We will respond to all requests within thirty (30) days.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: you may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale: we do not sell your personal information. No opt-out is necessary because no sale occurs.
• Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA/CPRA rights.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Legal basis: we process your data based on your consent (account creation), contractual necessity (providing the Service), and legitimate interests (security, abuse prevention).
• Right to erasure: you may request that we delete your personal data.
• Right to restrict processing: you may request that we limit how we use your data.
• Right to object: you may object to our processing of your data based on legitimate interests.
• Right to lodge a complaint: you may file a complaint with your local data protection authority.
• International transfers: your data is stored in the United States. By using the Service, you consent to the transfer of your data to the U.S. We rely on standard contractual clauses and the data protection measures described in Section 5 to safeguard your data.