Last updated: 30 April 2026.
This website www.foldedpetal.com and the Folded Petal mail subscription service are operated by Joydeer Limited, a private company limited by shares incorporated in Hong Kong (Company No. 78997328), with registered office at Room D07, 8/F, Kai Tak Factory Building, No. 99 King Fuk Street, San Po Kong, Hong Kong ("we", "us", "our").
For any privacy-related question, write to us at hello@foldedpetal.com.
We collect only what we need to ship you a postcard and run a small studio.
| Category | Examples | Purpose |
|---|---|---|
| Identity & contact | Name, email, postal address | Account, shipping the envelope, sending tracking and receipts |
| Payment | Last four digits of card, billing country, Stripe customer ID | Processing your subscription. Full card numbers are never stored on our servers — they are handled by Stripe |
| Communication | Emails you send us, support replies, commission briefs | Answering you and improving our product |
| Technical | IP address, browser type, locale, pages viewed | Site security, debugging, basic analytics (aggregated) |
| Cookies | Session cookie, Stripe checkout cookie | Keeping you signed in and processing checkout |
We do not collect: precise location, biometric data, government IDs, or any special-category personal data. We do not buy or sell personal data.
Is providing this data optional? Providing the identity, contact, and payment data above is a contractual requirement — we need it to fulfil your order. If you choose not to provide it, we cannot ship your envelope or process your subscription, and the contract cannot be performed. There is no statutory obligation to give us this data.
Automated decision-making. We do not make any decisions about you using purely automated processing or profiling that produces legal or similarly significant effects.
If you are in the UK or EEA, we process your data under one or more of these bases:
We use a small number of trusted processors. Each one is contractually required to protect your data and use it only for our service:
| Service | Purpose | Region |
|---|---|---|
| Stripe Payments Europe Ltd / Stripe Inc. | Card processing & subscription billing | Ireland / United States |
| Vercel Inc. | Website hosting | United States (Washington D.C.) |
| Neon Inc. | Database (encrypted at rest) | United States (AWS US East) |
| Resend Inc. | Transactional emails (receipts, tracking, dispatch) | United States |
| China Post / commercial mail carriers | Physical mail delivery | Hong Kong / mainland China handover, then your country's postal service |
We never share your information for advertising, profiling, or third-party marketing. Under the California Consumer Privacy Act (CCPA/CPRA), we do not "sell" or "share" your personal information as those terms are defined in §1798.140 — see Section 8 below.
Because our infrastructure is hosted in the United States and our mail leaves from Hong Kong, your data crosses borders. Where required (notably for UK and EU residents), we rely on:
You may request a copy of the transfer safeguards by writing to us.
| Data | Retention |
|---|---|
| Subscription records | Duration of your subscription + 7 years (Hong Kong tax / accounting) |
| Postal addresses (active) | Until you cancel and request deletion |
| Postal addresses (cancelled) | Deleted within 90 days of cancellation, unless you ask sooner |
| Email correspondence | 24 months from last reply, then deleted |
| Server logs | 30 days |
How we destroy data. When personal data reaches the end of its retention period or is the subject of a verified deletion request:
DELETE and cascade, irrecoverable from the live database within minutes.
This means a deletion request is fully effective in the live system immediately and across all backup storage within 35 days at the latest.
Wherever you live, you may write to hello@foldedpetal.com to:
We respond within 30 days. To protect your account we may verify your identity by asking you to confirm details we already hold (e.g. order number plus the email on file).
If you wish to lodge a complaint with a regulator, you may contact the supervisory authority in your country. Examples:
For other jurisdictions, please contact your national data protection authority.
This section provides the disclosures required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA/CPRA").
| Category (CCPA) | Collected? | Sources | Disclosed to |
|---|---|---|---|
| Identifiers (name, email, postal address, IP) | Yes | Directly from you | Service providers in §4 |
| Customer records (billing, order history) | Yes | Directly from you, Stripe | Stripe, our database |
| Commercial information (purchases) | Yes | Stripe, our database | Service providers in §4 |
| Internet/network activity (page views, session data) | Yes | Directly from your device | Vercel (hosting logs only) |
| Geolocation (general, derived from IP) | Yes (general only) | Directly from your device | Vercel |
| Inferences | No | — | — |
| Sensitive personal information | No | — | — |
| Biometric, health, precise geolocation | No | — | — |
We collect the categories above to (i) fulfil orders, (ii) prevent fraud, (iii) provide customer support, (iv) comply with tax and legal obligations, and (v) improve our service. Each purpose is described against the relevant data category in Section 2.
Email hello@foldedpetal.com with the subject line "California Privacy Request". To verify your identity we will ask for two pieces of information already on file (such as the email associated with your account plus your most recent order number). We respond within 45 days, extendable by another 45 days where reasonably necessary.
You may use an authorized agent to make a request. We require: (a) written permission signed by you authorizing the agent, and (b) verification of your own identity directly with us. Powers of attorney are accepted in lieu of (a).
Use the email above and mention "California". We do not maintain a toll-free number — small studio, online only.
This section is the Personal Information Collection Statement required by Data Protection Principle 1 of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO").
We collect personal data for the following purposes only:
We will not use your personal data for direct marketing without your separate consent (PDPO Part 6A).
Your personal data may be transferred only to the service providers listed in Section 4 (Stripe, Vercel, Neon, Resend) and to postal carriers for the purpose of delivering your envelope.
You have the right under sections 18 and 22 PDPO to:
To make a request, write to hello@foldedpetal.com with the subject line "PDPO Request" stating your full name, email used to register, and the data you wish to access or correct. We will:
If you are dissatisfied with our response you may complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong.
Folded Petal is not directed at children under 13 (or the higher minimum age set by your local data protection law, e.g. 16 in some EU member states). We do not knowingly collect personal data from children. If you believe a child has subscribed, write to us and we will delete the account immediately.
We currently use only strictly necessary cookies as defined under the UK PECR / EU ePrivacy Directive — that is, cookies without which the site or your transaction cannot function. We do not use third-party advertising cookies, behavioural tracking pixels, or analytics cookies as of the date of this policy.
| Cookie family | Set by | Purpose | Type | Duration |
|---|---|---|---|---|
| `better-auth.*` (session token) | foldedpetal.com (first-party) | Keeping you signed in to your account | Strictly necessary | Up to 30 days, refreshed on activity |
| `__stripe_*` / `m` / `cid` | stripe.com (third-party, set on checkout pages only) | Fraud prevention and processing your card payment securely | Strictly necessary | Up to 1 year (Stripe-controlled) |
| `NEXT_LOCALE` | foldedpetal.com (first-party) | Remembering your language preference | Strictly necessary | 1 year |
| `__cf_bm` / `cf_clearance` (only when Cloudflare is in front of a sub-resource) | cloudflare.com | Bot protection and DDoS mitigation | Strictly necessary | 30 minutes – 1 year |
You can clear or block these cookies in your browser at any time, but doing so may break sign-in, checkout, and your language preference. Because they are strictly necessary, no consent is required under PECR / ePrivacy.
If we ever add non-essential cookies (analytics, advertising, social-media pixels, etc.), we will deploy a cookie-consent banner allowing you to accept or reject each non-essential category before any such cookie is set, and we will update this section to list every new cookie by name, purpose, and duration.
Your data is protected with industry-standard measures: TLS 1.2+ in transit, AES-256 encryption at rest at the database layer (Neon), restricted role-based internal access, and Stripe's PCI-DSS Level 1 environment for all card data. No system is perfectly secure; if a breach affects you, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
We may update this policy from time to time. The "Created" date below reflects the latest revision. Material changes will be notified by email to active subscribers at least 14 days before they take effect.
Joydeer Limited, Room D07, 8/F, Kai Tak Factory Building, No. 99 King Fuk Street, San Po Kong, Hong Kong SAR
Email: hello@foldedpetal.com