Privacy Policy for ModernMail

Last Updated: January 25, 2026

1. Introduction

ModernMail ("we," "our," or "us") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our ModernMail iOS application (the "App").

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access or use the App.

2. Information We Collect

2.1 Account Information

When you create an account with ModernMail, we collect:

  • Email Address: Used for account authentication via AWS Cognito
  • Username: Your chosen username for account identification
  • Authentication Credentials: Securely hashed passwords (we never store passwords in plain text)

2.2 Drawing and Letter Content

  • Hand-Drawn Content: Drawings you create using Apple Pencil or touch input are stored as PencilKit data
  • SVG Conversions: We automatically convert your drawings to SVG format for processing
  • Letter Metadata: Product selections, letter status (draft, cart, sent)

2.3 Recipient Information

  • Recipient Names: Names of people you're sending letters to
  • Mailing Addresses: Physical addresses for letter delivery
  • Address Validation Data: Validated address information from SmartyStreets API

2.4 Purchase Information

  • Product Selections: Items you add to cart
  • Order History: Records of letters you've sent
  • Payment Processing: Handled exclusively by Shopify (we do NOT store credit card information)

2.5 Technical Data

  • Device Information: Device type, iOS version
  • App Usage Analytics: Feature usage, screen views, crash reports
  • Network Data: API request logs for debugging and performance monitoring

2.6 Guest User Data

  • Temporary Identity: If you use the app without signing in, we assign a temporary guest identity
  • Guest Letters: Letters created as a guest are automatically migrated to your account when you sign in

3. How We Use Your Information

We use the collected information for the following purposes:

3.1 Core App Functionality

  • Process and fulfill letter sending orders
  • Validate recipient addresses for accurate delivery
  • Store and sync your letter drafts across devices
  • Convert drawings to production-ready formats

3.2 Account Management

  • Authenticate and manage your account
  • Migrate guest data when you create an account
  • Process account deletion requests

3.3 Payment Processing

  • Facilitate secure checkout through Shopify
  • Track order status and delivery

3.4 App Improvement

  • Analyze usage patterns to improve features
  • Debug crashes and errors
  • Monitor performance and reliability
  • Develop new features based on user needs

3.5 Customer Support

  • Respond to your inquiries and support requests
  • Troubleshoot technical issues
  • Provide updates about your orders

4. Data Sharing and Third-Party Services

We share your data with the following trusted third-party services:

4.1 AWS (Amazon Web Services)

Purpose: Cloud infrastructure provider

Data Shared: All data (authentication, drawings, letters, metadata)

Services Used:

  • AWS Cognito (authentication)
  • AWS S3 (file storage)
  • AWS DynamoDB (database)
  • AWS Lambda (processing)

Privacy Policy: https://aws.amazon.com/privacy/

4.2 Shopify

Purpose: E-commerce platform for product sales and checkout

Data Shared: Product selections, recipient addresses, order information

Services Used:

  • Shopify Storefront API (product catalog)
  • Shopify Checkout (payment processing)

Note: Shopify handles all payment card information. We never see or store your credit card details.

Privacy Policy: https://www.shopify.com/legal/privacy

4.3 SmartyStreets

Purpose: Address validation and verification service

Data Shared: Recipient addresses (for validation only)

Services Used: US Address Autocomplete API

Privacy Policy: https://www.smarty.com/legal/privacy-policy

4.4 Apple

Purpose: App distribution and in-app services

Data Shared: App crash reports, usage analytics (via Apple's built-in frameworks)

Services Used: App Store, PencilKit

Privacy Policy: https://www.apple.com/legal/privacy/

5. Data Security

We implement industry-standard security measures to protect your information:

5.1 Encryption

  • In Transit: All data transmitted via HTTPS/TLS encryption
  • At Rest: S3 storage with server-side encryption
  • Authentication: AWS Cognito with secure password hashing

5.2 Access Control

  • Owner-Based Authorization: You can only access your own letters (enforced via GraphQL schema)
  • Identity-Based Storage: S3 files scoped to your unique identity
  • IAM Policies: Strict AWS permissions limiting data access

5.3 Data Isolation

  • Guest data isolated by temporary identity
  • Authenticated user data isolated by Cognito user ID
  • Automatic cleanup of orphaned files (90-day lifecycle policy)

6. Data Retention

6.1 Active Accounts

  • Letters and Drawings: Stored indefinitely while your account is active
  • Drafts: Retained until you delete them or delete your account
  • Sent Letters: Historical records retained for order tracking

6.2 Deleted Accounts

  • Immediate: Cognito user account deleted
  • Immediate: DynamoDB letter records deleted
  • Within 90 Days: S3 files automatically deleted via lifecycle policy

6.3 Guest Data

  • Before Sign-In: Stored with temporary guest identity
  • After Sign-In: Automatically migrated to authenticated account
  • Abandoned Guest Sessions: Subject to 90-day cleanup policy

7. Your Privacy Rights

7.1 Access to Your Data

You have the right to:

  • View all letters and drawings you've created
  • Export your data (contact support for assistance)
  • Review account information in the app

7.2 Data Deletion

You can:

  • Delete individual letters and drafts within the app
  • Delete your entire account via Account Settings → Account Management → Delete Account
  • Request deletion by contacting support at [YOUR_SUPPORT_EMAIL]

Important: Account deletion is permanent and cannot be undone.

7.3 Data Portability

You have the right to:

  • Request a copy of your data in machine-readable format
  • Transfer your data to another service (where technically feasible)

To request data export: Email [YOUR_SUPPORT_EMAIL]

7.4 California Residents (CCPA)

If you are a California resident, you have additional rights:

  • Right to Know: Request details about personal data we collect
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: We do NOT sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise CCPA rights: Email [YOUR_SUPPORT_EMAIL] with subject line "CCPA Request"

7.5 EU Residents (GDPR)

If you are in the European Economic Area, you have the right to:

  • Access: Request access to your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion ("right to be forgotten")
  • Portability: Receive data in structured, machine-readable format
  • Object: Object to processing of your data
  • Restrict Processing: Request limitation of data processing
  • Lodge a Complaint: Contact your local data protection authority

To exercise GDPR rights: Email [YOUR_SUPPORT_EMAIL] with subject line "GDPR Request"

8. Children's Privacy

ModernMail is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [YOUR_SUPPORT_EMAIL], and we will delete such information immediately.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Changes will be posted on this page with an updated "Last Updated" date.

Material Changes: If we make material changes, we will notify you by:

  • In-app notification
  • Email to your registered address
  • Prominent notice in the app

Your continued use of the App after changes constitutes acceptance of the updated Privacy Policy.

10. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We use AWS data centers, which may be located globally.

For EU Users: We rely on AWS's compliance with GDPR and the EU-US Data Privacy Framework for international transfers.

11. Do Not Track Signals

We do not currently respond to "Do Not Track" browser signals, as there is no industry standard for handling such signals. We collect usage analytics to improve the app.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [YOUR_SUPPORT_EMAIL]

Address: [YOUR_BUSINESS_ADDRESS]

For Data Protection Inquiries:
Email: [YOUR_SUPPORT_EMAIL] with subject line "Privacy Inquiry"

Response Time: We aim to respond to all privacy-related inquiries within 30 days.

14. Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

16. State-Specific Rights

16.1 Nevada Residents

Nevada residents may opt out of the sale of personal information. We do NOT sell personal information.

16.2 Virginia, Colorado, Connecticut, Utah Residents

Residents of these states have rights similar to CCPA. Contact us at [YOUR_SUPPORT_EMAIL] to exercise your rights.


Appendix: Data Processing Summary

Data Type           | Purpose            | Retention                                        | Third Parties
Email & Username    | Authentication     | Until account deletion                           | AWS Cognito
Drawings            | Letter creation    | Until deletion or 90 days after account deletion | AWS S3, Lambda
Recipient Addresses | Order fulfillment  | Until letter deletion                            | SmartyStreets, Shopify, AWS
Order History       | Tracking & support | Until account deletion                           | Shopify, AWS
Usage Analytics     | App improvement    | Aggregated indefinitely                          | AWS, Apple
Crash Reports       | Debugging          | 90 days                                          | AWS, Apple

Important Placeholders to Fill In

Before publishing this Privacy Policy, you MUST replace these placeholders:

  1. [YOUR_SUPPORT_EMAIL] — Your customer support email address
  2. [YOUR_BUSINESS_ADDRESS] — Your business mailing address (required for legal notices)
  3. Last Updated Date — Update to the date you publish the policy

Optional Enhancements:

  • Add a Data Protection Officer (DPO) contact if you have one
  • Specify AWS region(s) where data is stored
  • Add information about data retention for specific use cases
  • Include cookie policy if you add web components

Legal Disclaimer: This privacy policy template is provided for informational purposes. It is recommended to have this policy reviewed by a legal professional familiar with privacy laws in your jurisdiction before publishing.