Privacy Policy

Effective: 14 February 2026

Introduction

Thirty Loves ("we", "us", "our") operates the Thirty Loves platform, a digital gift service where senders compose personalised messages for recipients to unlock daily. We are based in Ireland and act as the data controller for personal data collected through our service. This privacy policy explains what data we collect, how we use it, and your rights under the General Data Protection Regulation (GDPR). If you have questions, contact us at privacy@thirtyloves.com.

Data We Collect

We collect the following categories of personal data:

Account Data
When you create an account via our authentication provider (Clerk), we receive your name, email address, and OAuth provider identifier (e.g. Google or Apple ID). We do not store your passwords — authentication is handled entirely by Clerk.
User Content
Messages, photos, and gift metadata you create are stored in our database (Convex). This includes the text of your 30 messages, any attached photos (compressed to reduce file size), recipient details, and scheduling preferences.
Recipient Data
Recipients access gifts via a unique token-based link. No account is required. We collect minimal data from recipients: only access timestamps and the token used. Recipients do not need to provide personal information to view their gift.

How We Use Your Data

We use your data for the following purposes:

  • To create, store, and deliver your gifts to recipients on your chosen schedule.
  • To manage your account, authenticate your sessions, and provide access to your dashboard.
  • To process orders, track delivery status, and manage subscriptions.
  • To analyse content in aggregate and derive anonymised, non-attributable insights for product improvement, research, and commercial purposes (e.g. trending themes, message templates). No individual messages are ever shared or sold.
  • To send transactional emails (gift link delivery, order confirmations, pre-deletion notices) and to process support requests. When you contact support while logged in, we share your account ID and order summaries with our helpdesk provider (Crisp) to facilitate faster resolution.

We do not sell your personal data. We do not profile you for advertising. We do not share individual messages with any third party.

Third-Party Services

We use the following third-party services to operate Thirty Loves. Each receives only the data necessary for its function:

Clerk

Purpose: Authentication and account management

Data shared: Name, email, OAuth provider ID

Privacy policy
Convex

Purpose: Database and backend services

Data shared: Messages, photos, gift metadata, account references

Privacy policy
LemonSqueezy

Purpose: Payment processing (Merchant of Record)

Data shared: We do not handle payment details directly. LemonSqueezy processes all billing, VAT, and refunds as the Merchant of Record. Newsletter subscribers' email addresses are stored and managed by LemonSqueezy for marketing communications.

Privacy policy
Crisp

Purpose: Customer support helpdesk (EU-hosted)

Data shared: Name, email, support message content. For authenticated users: account ID and order summaries to facilitate support resolution.

Privacy policy
Postmark

Purpose: Transactional email delivery

Data shared: Recipient email address for gift link delivery. No message content is shared.

Privacy policy

Analytics and Crash Reporting

We may use analytics and crash reporting tools to understand how our service is used and to identify technical issues. These tools collect non-personally-identifiable information only, such as page views, device type, browser version, and error logs. No personal data (messages, photos, names, or email addresses) is shared with analytics providers. You may opt out of analytics collection through your browser settings or by contacting us.

Cookies

We use a minimal number of cookies, all of which are strictly necessary for the service to function. We do not require a cookie consent banner because we do not use any non-essential cookies.

  • Our authentication provider (Clerk) sets session cookies on our domain to keep you signed in and manage your session securely. These are essential for the service to function and cannot be disabled.
  • cookies.items.analytics

We do not set any analytics, tracking, advertising, or third-party marketing cookies on our domain.

Data Retention

We retain your data according to the following schedule:

Active Viewing Period
Gift content remains fully accessible during the 30-day reveal period and for 30 days after the final message is revealed.
Archive Period
After the active viewing period, your gift is archived. Archived content is retained for one year.
Pre-Deletion Notice
We will send an email notification 30 days before archived content is scheduled for permanent deletion, giving you the opportunity to extend access.
Automatic Deletion
Archived content is permanently deleted after one year unless extended by a subscription.
Subscription Extension
Either the sender or recipient may purchase a yearly subscription to extend access to gift content indefinitely. Content is retained for as long as the subscription is active.
Account Data
Account data is retained while your account is active. When you close your account, your data is deleted in accordance with this retention schedule.
Payment Records
Payment records are managed and retained by LemonSqueezy in accordance with their legal obligations.

You may request deletion of your data at any time by using the account deletion feature in your settings or by contacting privacy@thirtyloves.com.

Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

  • The right to request a copy of the personal data we hold about you.
  • The right to request correction of inaccurate or incomplete data.
  • The right to request deletion of your personal data, including support correspondence stored by our helpdesk provider.
  • The right to receive your data in a structured, machine-readable format.
  • The right to request that we restrict processing of your data.
  • The right to object to processing of your data, including for anonymised insights.

To exercise any of these rights, contact us at privacy@thirtyloves.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) if you believe your rights have been violated.

Children's Privacy

Thirty Loves is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@thirtyloves.com.

Data Security

We take the security of your data seriously. All data is encrypted in transit using TLS (Transport Layer Security). Our third-party providers (Clerk, Convex) encrypt data at rest using industry-standard encryption. We do not store sensitive data in plaintext. Access to production systems is restricted to authorised personnel only.

International Data Transfers

Your data may be processed outside the European Economic Area by our third-party providers (Clerk and Convex), whose infrastructure spans multiple regions. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an adequate level of protection regardless of where it is processed.

Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you by email before the changes take effect. The effective date at the top of this page will be updated accordingly. Continued use of the service after changes take effect constitutes acceptance of the revised policy.