Privacy Policy

LAST UPDATED · APRIL 27, 2026

01

Introduction

Palvelope (“we,” “us,” “our”) is a pen-pal messaging service operated as a sole proprietorship in the United States. This Privacy Policy explains how we collect, use, store, and share information about you when you use Palvelope through our website, iOS app, or Android app (the “Service”).

This policy is effective as of April 27, 2026. If you have questions, contact us at privacy@palvelope.com.

02

Information We Collect

We collect the following categories of information:

  • Account information: your email address and age range, collected when you sign up.
  • Profile information: the display name, bio, interests, home region, and writing-pace preferences you choose to share.
  • Messages: the content of conversations you send and receive on the Service.
  • Usage data: how you interact with the app, which features you use, and basic session data.
  • Device information: device type, operating system, app version, and push-notification tokens (only if you enable notifications).
  • Waitlist: if you submit your email address on our website to join the waitlist, we store only that email.

We do not collect precise location data, biometric data, or financial information.

03

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Match you with other users based on shared interests and preferences.
  • Send transactional emails such as sign-in links, account notifications, and important service updates.
  • Detect, investigate, and prevent abuse, spam, harassment, and policy violations.
  • Comply with legal obligations and respond to lawful requests.

We do not sell your personal information to third parties. We do not use your information to serve advertising, and we do not share your information with advertisers or data brokers.

04

Data Storage and Security

Your data is stored using Supabase, a managed database and authentication provider hosted on Amazon Web Services (AWS). All data is encrypted in transit using TLS and encrypted at rest using AES-256. Authentication tokens are stored securely on your device using the platform’s secure storage primitives.

We retain your personal data for as long as your account is active. If you delete your account, we permanently remove your personal data — including profile, messages, and usage history — within 30 days, except where we are required to retain certain records to comply with legal obligations or resolve disputes.

No system is perfectly secure. While we apply industry-standard safeguards, we cannot guarantee that unauthorized third parties will never defeat those safeguards.

05

Your Rights (GDPR & CCPA)

Depending on where you live, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your account and associated personal data.
  • Portability — receive your data in a structured, machine-readable format.
  • Opt-out — limit certain uses of your data, including the right to opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising).
  • Non-discrimination — we will not deny you service or charge you a different price because you exercised any of these rights.

To exercise any of these rights, email us at privacy@palvelope.com. We will respond within the timeframes required by applicable law (typically 30 days).

06

Messaging and Conversations

Messages are stored on our servers so that you and your pen pal can read them across devices and over time — that is the core experience of the Service.

We do not read your private messages. The only exceptions are (a) when we investigate a report submitted by another user, or (b) when we are legally compelled to do so. In either case, access is limited to the specific conversation under review and is performed by a small number of authorized staff.

We may build automated systems in the future to detect AI-generated messages or policy-violating content. Such systems are not currently active. If we add them, we will update this policy and notify users.

You can delete a conversation, block another user, or delete your account at any time from within the app.

07

Children’s Privacy

Palvelope is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that a user is under 16, we will delete their account and any associated personal data promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@palvelope.com.

08

Third-Party Services

We rely on a small number of trusted third-party providers to operate the Service. Each operates under its own privacy policy:

We do not share data with these providers beyond what is necessary to deliver the Service.

09

Cookies and Tracking

On the website, we use a minimal set of first-party cookies strictly necessary to keep you signed in (authentication session cookies). We do not use advertising cookies, third-party tracking pixels, or cross-site analytics.

We log basic server-side request data (such as IP address and user agent) for security and reliability purposes. These logs are retained for a limited period.

10

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the app at least 30 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

11

Contact

For privacy questions or to exercise your rights, contact us at privacy@palvelope.com.

If you are located in the European Economic Area or the United Kingdom and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.