Our Privacy Policy

ExpressWithACard | Digital Cards Ltd

Last updated: 21 May 2026

Welcome to ExpressWithACard's privacy notice.

ExpressWithACard collects some personal data from its customers and website users. Where you provide us with personal data, we will take steps to ensure that your data and privacy rights are protected.

This privacy notice explains how we look after your personal data when (a) you visit our website (regardless of where you visit it from), (b) you purchase one of our products, (c) you contribute to a Card or Collection Pot, or (d) you receive a Card or Gift Card. We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This notice also explains your rights under data protection law and how the law protects you.

Controller

Digital Cards Ltd (trading as ExpressWithACard) is the controller and responsible for your personal data (referred to as "we", "us" or "our" in this privacy notice).

Contact details

• Full name of legal entity: Digital Cards Ltd
• Trading name: ExpressWithACard
• Email address: [email protected]
• Company registration number: 1616503

Changes to this privacy notice

We keep our privacy notice under regular review.

Third-party links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Customer and contributor data

We also collect information about third parties that you provide to us as part of the Services. For example, when you create a Card and invite Contributors, or when you share a Card with a Recipient, you provide us with their email address. Where you provide us with this information, you confirm that you have the authority to share it with us in line with this privacy notice. You are also responsible for ensuring that the personal data you provide about others is accurate.

Where we process the personal data of Contributors and Recipients who do not hold an account with us (for example, a Recipient's email address used to deliver a Card), we rely on our legitimate interests, and those of the card creator, in providing and delivering the Service. Contributors and Recipients can contact us at any time to exercise their rights, including asking us to delete their data.

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We do what we can to minimise the amount of personal data we collect but we will need to collect different types depending on how you use our Services. We have grouped the types of personal data we collect as follows:

• Identity Data includes your first name, last name, username and any display name you choose when contributing to a Card.
• Contact Data includes your email address.
• Transaction Data includes details about payments to and from you and other details of products you have purchased, including Card purchases, bundle credits, and Collection Pot contributions.
• Technical Data includes your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
• Content Data includes messages, images, videos, GIFs, and other content you or Contributors add to a Card.
• Usage Data includes information about how you use our website and Services, including pages visited, features used, and the frequency of your visits.
• Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
• AI Image Generation includes photographs you upload and the AI-generated output image. As a precaution, we treat this data with the additional care appropriate to special category data. See Section 5 for specific details on how we handle it.

How do we collect personal data?

We collect information directly from you through direct interactions, for example when you create an account, purchase a Card, contribute a message or money to a Card, or contact us for support.

We also receive personal data from third parties, including:

• Stripe, our payment processor, which sends us confirmation of successful or failed payments (but never your card details).
• Our third-party gift card provider, which sends us confirmation that a Gift Card has been generated and delivered.
• Analytics providers, such as Google, which provide us with anonymised, aggregated statistics about how our website is used. This information does not identify you individually.

We collect Technical and Usage Data automatically when you interact with our website, using cookies and similar technologies. For more information, see Section 6.

If you fail to provide personal data

Where we need to collect personal data to perform our contract with you and you fail to provide that data, we may not be able to perform the contract (for example, to create or deliver a Card). In this case, we may have to cancel the relevant service, but we will notify you if this is the case.

We will not collect or use your personal data without letting you know (unless required by law). Our use of your personal data will be based on one of the following grounds:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.
• Where you have given us your consent.

Generally, we do not rely on consent as a legal basis for processing personal data except for marketing communications and AI image processing (see Section 5). You have the right to withdraw consent at any time by contacting us.

Purposes for which we will use your personal data

We have set out below a description of the ways we use your personal data and the lawful bases we rely on. We have also identified our legitimate interests where appropriate.

• To register you as a new customer
  Data used: Identity, Contact
  Lawful basis: Performance of a contract with you
• To process and deliver your Card order, including managing payments via Stripe
  Data used: Identity, Contact, Transaction
  Lawful basis: Performance of a contract with you
• To deliver a Card to the Recipient by email
  Data used: Contact (Recipient email), Content
  Lawful basis: Performance of a contract with you; Legitimate interest (providing the Service)
• To process Collection Pot contributions from Contributors
  Data used: Identity, Contact, Transaction
  Lawful basis: Performance of a contract with you
• To generate a Gift Card from pot funds and share delivery details with our gift card provider
  Data used: Contact (Recipient email), Transaction (pot total)
  Lawful basis: Performance of a contract with you
• To process AI source images (in your browser only)
  Data used: Face and Image Data
  Lawful basis: Your explicit consent
• To store the AI-generated image on our servers as part of the Card
  Data used: Face and Image Data
  Lawful basis: Your explicit consent
• To manage our relationship with you, including service notifications and updates
  Data used: Identity, Contact, Marketing and Communications
  Lawful basis: Performance of a contract; Legal obligation; Legitimate interest (keeping records updated)
• To retain records after Card deletion (soft delete for audit)
  Data used: Transaction, Content (metadata only)
  Lawful basis: Legitimate interest (fraud prevention, dispute resolution); Legal obligation (tax records)
• To detect, investigate and prevent fraud and security issues
  Data used: Identity, Contact, Technical, Transaction
  Lawful basis: Legitimate interest (protecting our Services and users)
• To send you marketing emails (only with your consent)
  Data used: Identity, Contact
  Lawful basis: Your consent (withdrawable at any time)
• To improve our website and Services using analytics
  Data used: Technical, Usage
  Lawful basis: Legitimate interest (improving and developing our Services)
• To respond to your support queries
  Data used: Identity, Contact, Content
  Lawful basis: Performance of a contract; Legitimate interest (providing support)
• To comply with legal obligations (tax, regulatory, reporting)
  Data used: Identity, Contact, Transaction
  Lawful basis: Legal obligation

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights and freedoms. You can ask us for details of this assessment by contacting us.

Marketing

From time to time we may send you marketing communications by email about our products, features, and offers. We will only do so where you have given us your express opt-in consent.

You can ask us to stop sending you marketing messages at any time by following the opt-out link in any marketing email or by contacting us. Where you opt out of marketing, this will not affect personal data provided to us as a result of a Card purchase or other transactions.

We will not sell your personal data. We will not share your personal data with any third party for their own marketing purposes without your explicit consent.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

We may share your personal data with the parties set out below for the purposes described in the table above.

Service providers (data processors)

We share your personal data with service providers we have appointed to act as our processors. They process data on our behalf, under our instructions, and subject to contractual safeguards. These include:

• Stripe, Inc. - payment processing. Stripe processes your payment card details directly; we never see or store them. Stripe's privacy policy: https://stripe.com/gb/privacy.
• Our hosting and infrastructure provider - secure storage of Cards, account data, and AI-generated images.
• Our email delivery provider - sending Card delivery emails, order confirmations, and marketing emails.

Product partners

Where we partner with a third party for certain products, we share personal data with that third party to enable the service to be fulfilled:

Our third-party gift card provider - Gift Card generation and fulfilment. When a Collection Pot closes, we share the Recipient's email address and pot total with our gift card provider so they can generate and deliver the Gift Card. From that point, our gift card provider is an independent data controller for the Recipient's data in connection with the Gift Card.

Other disclosures

We may also share your personal data:

• Where required by law, regulation or court order.
• With third parties in connection with a business transaction such as a merger, acquisition, or sale of assets. If a change happens to our business, the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. If you want more details about the third parties we share data with, please contact us.

Aggregated Data. We may aggregate, anonymise or de-identify your personal data so that it cannot reasonably be used to identify you. Such data is no longer personal data and may be used for any purpose, including research and analysis to improve our Services.

Our AI image Tool involves processing photographs of faces. We use these images only to create a creative image effect, not to identify anyone. We take a cautious approach and handle them with the additional care appropriate to special category data, including by obtaining your explicit consent. We take the following approach to protect your rights:

Source photographs

The photograph you upload is processed in your browser's local cache. It is not uploaded to or stored on our servers. We do not retain, access, or have any control over your source photograph after the AI effect has been applied.

AI-generated output

The AI-generated image is stored on our servers as part of the Card. Where the individual depicted is identifiable, this image constitutes personal data, which we handle with the additional care described above.

How we obtain your consent

Before you upload a photo, we will show you a clear, plain-English explanation of what will happen to your image and a link to the relevant sections of our Privacy Policy. By clicking Continue at that point, you are giving your informed consent to the processing described above. You will not be asked to tick a separate box; the Continue button is the consent mechanism, provided the explanation is clearly displayed before you click.

You can withdraw your consent at any time by contacting us at [email protected], in which case we will delete the AI-generated output image from our servers. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Third-party faces

If you upload a photograph of someone other than yourself, you must have obtained that person's explicit consent before doing so. Photographs of individuals under 18 must not be used with the AI Tool. If you believe an AI-generated image featuring your likeness has been created without your consent, please contact us immediately and we will take appropriate action, including removal.

We use cookies and similar technologies on our website. Cookies are small text files placed on your device that help us provide and improve our Services.

Cookies we use

• Strictly necessary cookies - required for the website to function (e.g. session management, security). These do not require your consent.
• Analytics cookies - help us understand how visitors use our website. We use Google Analytics via Google Tag Manager (GTM) to collect anonymised usage data. We have configured Google Analytics to anonymise IP addresses.
• Functional cookies - remember your preferences and settings to improve your experience.

Managing cookies

You can change your cookie preferences at any time. You can also set your browser to refuse all or some cookies, or to alert you when cookies are set. Please note that disabling certain cookies may affect the functionality of our website.

Google's privacy policy is available at https://policies.google.com/privacy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Some of our service providers (including Stripe and Google, and our AI image processing provider if we use one) are based outside the United Kingdom, so their processing of your personal data may involve an international transfer of data.

Whenever we transfer your personal data internationally, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is in place:

• We will only transfer your personal data to countries that the UK government has determined provide an adequate level of data protection.
• Where we use certain service providers, we may use the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanisms used when transferring your personal data internationally.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These include:

• Encryption of data in transit (HTTPS/TLS).
• Secure storage of data on servers with appropriate access controls.
• Payment data handled exclusively by Stripe (a PCI DSS Level 1 certified provider) - we never see, store, or process your payment card details.
• Limiting access to your personal data to those who have a business need to know.

We have put in place procedures to deal with any suspected personal data breach. Where we are legally required to do so, we will notify the ICO within 72 hours of becoming aware of a breach, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

How long will we use your personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Our specific retention periods are:

• Card content (messages, images, videos, GIFs, AI-generated images): accessible for a minimum of 12 months from the date of Card creation, after which Cards may be deleted.
• Soft-deleted Card data (transaction records, metadata): retained securely for up to 6 years from the date of deletion, for audit, legal compliance, and fraud prevention purposes, in accordance with HMRC record-keeping requirements.
• Account data: retained for the duration of your account, plus up to 12 months after closure.
• Payment transaction records: retained for 6 years to comply with tax and accounting obligations.
• AI-generated output: retained as part of the Card for the Card's storage period, or until you withdraw consent, whichever is earlier.
• Marketing consent records: retained until you withdraw consent, plus a reasonable period to evidence compliance.

When personal data is no longer needed, we will securely delete or anonymise it. Where we have anonymised your personal data (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

We are committed to providing you with privacy rights in relation to your personal data. Under data protection law, you have the following rights:

• Your right to be informed: You have the right to understand how we collect and use your data. This privacy notice is our main way of giving you this information.
• Your right of access: You have the right to ask us for copies of your personal data (a "subject access request").
• Your right to rectification: You have the right to ask us to correct any personal data you think is inaccurate or to complete information you believe is incomplete.
• Your right to erasure: You have the right to ask us to erase your personal data in certain circumstances. Note that we may need to retain certain data for legal or audit purposes (see Section 9).
• Your right to restrict processing: You have the right to ask us to stop or restrict our processing of your personal data in certain circumstances.
• Your right to object to processing: You have the right to object to processing where we rely on legitimate interests, and we will stop processing unless we can demonstrate compelling legitimate grounds.
• Your right to data portability: You have the right to ask that we transfer the data you have given us to another organisation, or give it to you, in a structured, commonly used, machine-readable format. This right only applies to data you have provided to us and which we process based on your consent or a contract.
• Your right to withdraw consent: Where we rely on your consent (for example, for marketing emails), you can withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal.
• Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. We do not carry out any such automated decision-making. Our AI Tool applies a creative image effect only and does not make any decision or evaluation about you.

How to exercise your rights

If you wish to exercise any of the rights set out above, please contact us at [email protected].

No fee usually required

You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Our Services are not directed at children under the age of 18. To hold an account or make a purchase, you must be at least 18. A person under 18 may contribute to a Card only under the supervision of a parent or guardian who holds the account (see our Terms and Conditions).

We do not knowingly collect personal data from children under 13. If you think that a child has provided us with their personal data, please contact us immediately and we will take steps to delete it.

Our AI image Tool must not be used with photographs of individuals under 18.

We would like the opportunity to deal with any complaint or concern you may have, and you can contact us at [email protected] to raise these with us.

Data protection law also gives you the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: https://ico.org.uk
• Helpline: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You also have the right to seek a judicial remedy if you believe your rights have been infringed.

If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us:

Digital Cards Ltd (trading as ExpressWithACard)
Email: [email protected]
Registered in England and Wales - Company Number: 1616503