Privacy Policy

Thortful Limited ('we', 'our', 'us' or 'Thortful') is committed to protecting the privacy of all users ('you', 'users', 'individuals', 'customers') of our website thortful.com, or mobile applications (together, the 'Sites'). Please read the following privacy policy that explains how we use and protect your information. We'll be the 'data controller' of the information you provide to us.

This policy was last updated on May 13th 2025

1. Contact Details

If you have any queries or requests concerning this privacy policy or how we handle your data more generally, please get in touch with us using the following details.

By contacting our general customer services team at: [email protected]
By contacting our Data Protection Officer: [email protected]

2. How we collect your information

We collect your personal information when you interact with us or use our services, such as when you use our Sites to place an order. We also look at how users use our Sites, to help us improve our services and optimise customer experience. We collect information:

when you create an account with us or you change your account settings;
when you start checkout and throughout the order process;
when you sign up to receive marketing communications from us;
when your information is used by someone to send you a product via our services;
when you contact us directly via email, phone, post, message or via our chat function
when you browse and use our Sites (before and after you create an account with us); and
when your information is used by someone to send you a product via our services;

3. Information that we collect from you

When you make a thortful order through the Sites, you are asked to provide information about yourself including your name, contact details, delivery address, order details and payment information such as credit or debit card information.

We also collect information about your usage of the Sites and information about you when you contact us or provide us with feedback, including via email, letter, phone or our chat function. If you contact us by phone, we record the call for training and service improvement purposes, and make notes in relation to your call.

We collect technical information from your mobile device or computer, such as its operating system, the device and connection type and the IP address from which you are accessing our Sites.

We also collect information about your interactions with marketing content sent via thortful's advertising partners. This allows us to understand if you are interacting with or viewing this content, if this content leads to a purchase on the thortful Sites, or if you would like to unsubscribe from the content.

We may indirectly collect personal data via our customers in order to send products to non-customers (card recipients). In these situations, our customers are responsible for ensuring that they have the appropriate authority or consent to provide personal data for this purpose.

4. Use of your information

We will only process the data we collect about you if there is a reason for doing so, and if that reason is permitted under data protection law. We will have a lawful basis for processing your information:

if we need to process your information in order to provide you with the service you have requested or to enter into a contract;
where it is necessary for our legitimate interests;
we have your consent;
or we are under a legal obligation to do so.

A. Where we need to in order to provide you with the service you have requested or to enter into a contract, we use your information:

to enable us to provide you with access to the relevant parts of the Sites;
to supply the services you have requested;
to enable us to collect payment from you;
to contact you where necessary concerning our services, such as to resolve issues you may have with your order; and
to enforce our contractual terms with you and any other agreement, and for the exercise or defence of legal claims and to protect the rights of Thortful, creators or others (including to prevent fraud).

B. Where it is necessary to do so for our own legitimate interests, we use your information:

to improve the effectiveness and quality of service that our customers can expect from us in the future;
to enable our customer support team to help you with any enquiries or complaints in the most efficient way possible;
to contact you for your views and feedback on our services and to notify you if there are any important changes or developments to the Sites or our services;
to analyse your activity on the Sites so that we can administer, support, improve and develop our business and for statistical and analytical purposes and to help us to prevent fraud;
if you submit comments and feedback regarding the Sites and the services, we may use such comments and feedback on the Sites and in any marketing or advertising materials. We will only identify you for this purpose by your first name;
to send you direct marketing communications from thortful by email and Direct Mail.

C. Where we have your consent:

We will send you direct marketing by SMS, Web Push notifications, Mobile Push notifications and online about thortful products and services which we think may be of interest to you.
- This will only be sent where you have given your consent to thortful during the online sign-up process, the checkout process, via your online account on the website, through the SMS opt in journey via the mobile site, via a pop-up on your browser or mobile app, or verbally or in writing when communicating with our customer happiness team, or (where permissible) you have been given an opportunity to opt out.
- You will be able to opt-out of electronic direct marketing for each of the channels listed above, by clicking the unsubscribe link contained in the email, following the instructions in the SMS, Web Push or Push notification itself and, in all other cases, by contacting us on the contact details provided below. If you have provided consent to web push notifications on our website, you can withdraw your consent to this via your browser settings.
- Opting out of electronic direct marketing via each marketing channel applies to this channel only and does not represent a global opt-out, for example opting out of SMS communications does not represent an opt-out from receiving emails.
- We tailor content that we or advertising partners display to you, for example so that we can show you cards you may like or make sure you see the advertising which is most relevant to you, based on characteristics determined by us.
Where you have provided your consent by choosing to participate in our loyalty programme “Rewardful”, we will also send you marketing communications relating specifically to this programme, including information about your rewards, offers and benefits. You may withdraw your consent at any time using the opt-out methods described above.

D. Where we are under a legal obligation to do so we may use your information to:

create a record of your order(s);
comply with any legal obligation or regulatory requirement to which we are subject.

5. Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Site may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy

6. Children's Privacy

Our website and services are not directed to individuals under the age of 13, and we do not knowingly collect personal data from children under that age or generally. If we become aware that a child under 13 has provided us with personal data, we will take appropriate steps to delete it. If you do become aware that a child has provided us with personal data, please contact us immediately at the address above.

7. Retention of your information

We will not retain your information for any longer than we think is necessary.

Information that we collect will be retained for as long as needed to fulfil the purposes outlined in the ‘Use of my information’ section above, in line with our legitimate interest or for a period specifically required by applicable regulations or laws, such as retaining the information for regulatory reporting purposes.

When determining the relevant retention periods, we will take into account factors including:

our contractual obligations and rights in relation to the information involved;
legal obligation(s) under applicable law to retain data for a certain period of time;
statute of limitations under applicable law(s);
(potential) disputes; and
guidelines issued by relevant data protection authorities.

8. Disclosure of your information

The information we collect about you will be transferred to and stored on our servers located within the EU. We are very careful and transparent about who else your information is shared with.

Sharing your information with third parties

We share your information with third party service providers. The types of third party service providers whom we share your information with include:

Payment providers: for the purposes of providing services to us, for example when they process information such as credit card payments for us, provide support services to you or carry out fraud checks for us;
IT service providers (including cloud providers): for the purposes of data storage and analysis;
Printing & fullfilment partners: for the purpose of creating the product you have ordered from us and packaging it, resolving issues, or improving their services;
Royal Mail and their international partners: for the purpose of delivering your order to its recipient;
Customer support system providers: who will help us to track the communications you have with us; and
Marketing and advertising partners: so that they can ensure that you see advertising which is more relevant to you and send you direct marketing on our behalf.

Thortful will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy when it is transferred to third parties.

If our business enters into a joint venture with, purchases or is sold to or merged with another business entity, your information may be disclosed or transferred to the target company, our new business partners or owners or their advisors.

We may also share your information:

if we are under a duty to disclose or share your information in order to comply with (and/or where we believe we are under a duty to comply with) any legal obligation or regulatory requirement. This includes exchanging information with other companies and other organisations for the purposes of fraud protection and prevention;
in order to enforce our contractual terms with you and any other agreement;
to protect the rights of thortful, creators, or others, including to prevent fraud; and
with such third parties as we reasonably consider necessary in order to prevent crime, e.g. the police.

International transfers of data

In some cases the personal data we collect from you might be processed outside the European Economic Area ('EEA'), such as the United States. These countries may not have the same protections for your personal data as the EEA has. However, we are obliged to ensure that the personal data that is processed by us and our suppliers outside of the EEA is protected in the same ways as it would be if it was processed within the EEA. There are therefore certain safeguards in place when your details are processed outside of the EEA. We ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

your personal data is transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
we use the EU approved Standard Contractual Clauses; and
where your personal data is transferred to third party providers based in the US, data may be transferred to them if they have self-certified under the Privacy Shield framework in relation to the type of data being transferred, which requires them to provide similar protection to personal data shared between the EU and the US.

Please contact us using the contact details above if you want further information on the countries to which personal data may be transferred and the specific mechanism used by us when transferring your personal data out of the EEA.

Our Services may contain features or links to websites and services provided by third parties, including (but not limited to) social media networks. Any information which you provide to third-party sites or services or via those third-party sites and services is provided directly to their operators and is subject to their policies, if any, governing privacy, security and the processing of personal data, even if accessed through Our Services. We are not responsible for the privacy, security and data processing practices and policies of third-party sites or services to which links or access are provided through Our Services, and we encourage you to learn about their privacy, security and data processing policies before providing them with information, even if you only intend to do so to access Our Services via a social login or otherwise.

9. Security

We adopt robust technologies and policies to ensure the personal information we hold about you is suitably protected.

We take steps to protect your information from unauthorised access and against unlawful processing, accidental loss, destruction and damage.

Where you have chosen a password that allows you to access certain parts of the Sites, you are responsible for keeping this password confidential. We advise you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will take steps to protect your information, we cannot guarantee the security of your data transmitted to the Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

10. Your Rights

Under data protection law, you may have a number of rights concerning the data we hold about you. If you wish to exercise any of these rights, please contact our Data Protection Officer using the contact details set out above and we'll process your request within 1 month. For additional information on your rights please contact your data protection authority and see below.

The right to be informed about how we use your information and your rights.
The right of access to your information (if we’re processing it).
The right to correct your personal data if it is inaccurate or incomplete.
The right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of the information that we hold about you by contacting us.
The right to restrict processing. You have rights to 'block' or 'suppress' further use of your information. When processing is restricted, we can still store your information, but will not use it further.
The right to data portability. You have the right to obtain your personal information in an accessible and transferrable format so that you can re-use it for your own purposes across different service providers. This is not a general right however and there are exceptions.
The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your information with the national data protection authority.
The right to withdraw consent. If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw that consent at any time.
The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing and profiling. You can object by changing your marketing preferences or disabling cookies as set out above.

11. Faceswap cards

1. Information we collect and process:

**Uploaded Images:** When customers use the Faceswap Card Service, they may upload a photograph of a person. This image is temporarily processed by our third-party data processor solely for the purpose of creating the Faceswap effect. Customers who use this feature are required to only upload photographs they have permission to use.
Data Processor: A third party provides the software to transform the uploaded image but does not store or retain any customer data. The uploaded images are processed on their platform and are only used to create the Faceswap effect on the greeting card.
Name of the creator: We collect the name of the person creating the Faceswap card. This name is printed on the back of the card as part of the personalisation service.

2. Data Retention

Image Storage: We store customer-uploaded images only if the image is used to produce a greeting card. This allows us to fulfil the order and ensure the quality of the final product. Once the card is produced, data retention policies apply in accordance with our standard order processing and retention policies.

3. Purpose and Use of Data

Purpose: The uploaded images and transformed photos are used exclusively for creating personalised greeting cards at the customer’s request. These images are not used for any other purpose.

Changes to Our Privacy Policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see if we have made any updates or changes to our privacy policy.

Strictly Necessary Cookies
Cookies	Cookie Subgroup	Lifespan	Cookies used	Description
OptanonConsent	.thortful.com	365 Days	First Party	This cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category.
OptanonAlertBoxClosed	.thortful.com	365 Days	First Party	This cookie is set by OneTrust, after visitors have seen a cookie information notice and in some cases only when they actively close the notice down. It enables the website not to show the message more than once to a user.
kameleoonVisitorCode	thortful.com	364 Days	First Party	This statistical cookie contains the uniqueID visitor code used for the full stack experiment.
registered_user	thortful.com	Session	First Party	Used to store the state of the user registration as true or false.
__stripe_sid	www.thortful.com	A few seconds	First Party	This cookies stores information about computers and web browsers used to access Stripe Services. This information helps us monitor for and detect potentially harmful or illegal use of our Services.
OTVariant	www.thortful.com	1 Year	First Party	This cookie is used to measure and optimize CMP banner implementation.
__stripe_mid	www.thortful.com	1 Year	First Party	This cookie is set by Stripe for fraud prevention purposes and helps Stripe assess the risk associated with an attempted transaction of credit card payments.
enforce_policy	www.paypal.com	1 Year	Third Party	This cookie is set by PayPal once the user chooses this payment method and it stores privacy preferences
ts	www.paypal.com	1 Year	Third Party	Used in context with the PayPal payment-function on the website. The cookie is necessary for making a safe transaction through PayPal.
tsrce	www.paypal.com	3 Days	Third Party	This is a cookie set by PayPal that enables the PayPal payment option for users making purchases online. Paypal utilizes the tsrce cookie as part of its security efforts to protect users and their payment information.
x-pp-s	www.paypal.com	Session	Third Party	A functional cookie used for PayPal on our website. This cookie is used to process payments from the site.
ts_c	www.paypal.com	1 Year	Third Party	This cookie is provided by PayPal when a website is in association with PayPal payment function. This cookie is used to make safe payment through PayPal.
nsid	www.paypal.com	Session	Third Party	This cookie Used in connection with the PayPal payment function on the website. The cookie is necessary to enable a secure transaction via PayPal.
l7_az	www.paypal.com	A few seconds	Third Party	This cookie is necessary for the PayPal login-function on the website.
JSESSIONID	nr-data.net	Session	Third Party	This domain is controlled by New Relic, which provides a platform for monitoring the performance of web and mobile applications.

Functional Cookies
Cookies	Cookie Subgroup	Lifespan	Cookies used	Description
_detectRootDomain	thortful.com	A few seconds	First Party	Temporary test cookie (value=testRootDomain) that Kameleoon uses to detect the main domain of the site.
LANG	www.paypal.com	A few seconds	Third Party	This cookie is associated with PayPal for storing language preferences from the user.
mm_allocation	.mention-me.com	180 Days	Third Party	Used by Mention me referral program manager to keep track of which offers the users are participating in order to provide a more consistent experience.
mm_id	.mention-me.com	180 Days	Third Party	This is a Mention Me tracking ID which serves to identify any unique browser using Mention me flow.
_cfuvid	vimeo.com	Session	Third Party	This domain is owned by Vimeo. The main business activity is: Video Hosting/Sharing
__cf_bm	vimeo.com	A few seconds	Third Party	This is a CloudFoundry cookie

Performance Cookies
Cookies	Cookie Subgroup	Lifespan	Cookies used	Description
_hjCookieTest	www.thortful.com	Session	First Party	This cookie checks to see if the Hotjar Tracking Code can use cookies. If it can, a value of 1 is set. It is deleted almost immediately after it is created.
noibu	cdn.noibu.com	Session	First Party	This cookie collects anonymised data related to session performance, error occurrences, and user interactions to help us identify and resolve issues across the website. This cookie does not store personal or identifiable information.
_ga	thortful.com	729 Days	First Party	This cookie from Google Universal Analytics is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports.
_gat	thortful.com	A few seconds	First Party	This cookie is placed by Google Analytics and its functionality is to read and filter requests from bots, with statistics purpose.
ajs_user_id	thortful.com	A few seconds	First Party	This cookie stores an user id and is used for Analytics and help count how many people visit a certain site by tracking if you have visited before.
_ga_xxxxxxxxxx	thortful.com	2 Years	First Party	This is the main cookie used by Google Analytics, and enables the service to distinguish one visitor from another and is used for statistics purposes such as page view count.
ajs_anonymous_id	thortful.com	364 Days	First Party	This cookie stores an anonymous id and is used for Analytics and help count how many people visit a certain site by tracking if you have visited before.
analytics_session_id	thortful.com	364 Days	First Party	This cookie set by Segment determines when the visitor last visited the different subpages on the website, as well as sets a timestamp for when the session started.
_hjTLDTest	thortful.com	Session	First Party	This cookie from HotJar is used to try to store it for different URL substring alternatives until it fails. It enables HotJar to try to determine the most generic cookie path to use, instead of page hostname. After this check, this cookie is deleted.
_gid	thortful.com	A few seconds	First Party	The _gid cookie registers a unique ID that is used to generate statistical data for Google Analytics, on how the visitor uses the website.
_hjSessionUser_1268133	thortful.com	364 Days	First Party	Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
analytics_session_id.last_access	thortful.com	364 Days	First Party	This cookie set by Segment determines when the visitor last visited the different subpages on the website, and is updated with a timestamp every time a request is made to segment.
__tld__	thortful.com	Session	First Party	This cookie is used by Segment to track visitors on multiple websites in order to present relevanadvertisement based on their preferences.
_hjSession_1268133	thortful.com	A few seconds	First Party	A cookie that holds the current session data. This ensues that subsequent requests within the session window will be attributed to the same Hotjar session.
_gat_gtag_xxxxxxxxxxxxxxxxxxxxxxxxxxx	thortful.com	A few seconds	First Party	This cookie is used for throttling analytics requests to Google Analytics Servers. The information collected includes number of visitors, pages visited and time spent on the website.
ajs_user_id	sudo-thortful.com	A few seconds	First Party	This cookie stores an user id and is used for Analytics and help count how many people visit a certain site by tracking if you have visited before.
__exponea_time2__	sudo-thortful.com	A few seconds	First Party
_hjSession_1268133	sudo-thortful.com	A few seconds	First Party	This cookie holds current HotJar session data and ensures subsequent requests in the session window are attributed to the same session.
ajs_anonymous_id	sudo-thortful.com	364 Days	First Party	This cookie stores an anonymous id and is used for Analytics and help count how many people visit a certain site by tracking if you have visited before.
S	docs.google.com	A few seconds	Third Party	This domain is part of Google Docs, a suite of online productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more.
COMPASS	docs.google.com	A few seconds	Third Party	This domain is part of Google Docs, a suite of online productivity applications that offer collaborative editing on documents, spreadsheets, presentations, and more.

Targeting Cookies
Cookies	Cookie Subgroup	Lifespan	Cookies used	Description
intercom-device-id-*	madewithintent.ai	270 Days	First Party
_pin_unauth	thortful.com	364 Days	First Party	This cookie groups actions for users who cannot be identified by Pinterest. It is placed by the Pinterest tag when we are unable to match the user. It contains a unique UUID to group actions across pages.
_uetsid	thortful.com	A few seconds	First Party	This cookie is associated with Microsoft Bing's Universal Event Tracking (UET) service. This cookie stores a unique session ID and is used to determine what ads should be shown that may be relevant to the end user per using the site.
_tt_enable_cookie	thortful.com	389 Days	First Party	This cookie collects data about behaviour and purchases on our website and to measure the effect of our advertising, and this data is used to measure how different campaigns and marketing strategies perform on TikTok. Used to identify a visitor.
_ttp	thortful.com	389 Days	First Party	This cookie is used to measure and improve the performance of advertising campaigns and to personalize the user's experience (including ads) on TikTok.
_fbp	thortful.com	89 Days	First Party	This cookie is set by Facebook, and it saves an unique identifier, for Facebook’s advertising and analytics purposes. It doesn’t collect personally identifiable information.
_uetvid	thortful.com	389 Days	First Party	This cookie is utilised by Microsoft Bing ads (“Microsoft”). It allows us to engage with users that have previously visited our website by determining what ads should be shown that may be relevant to the users.
__exponea_etc__	www.thortful.com	3 Years	First Party	This cookie is used to determine which products the visitor has viewed. This information is used to promote related products and optimize ad-efficiency.
__exponea_time2__	www.thortful.com	1 Days	First Party	This cookie is used to determine which products the visitor has viewed. This information is used to promote related products and optimize ad-efficiency.
xnpe_[project-token]	www.thortful.com	400 Days	First Party	This cookie registers data on the visitor. The information is used to optimize advertisement relevance.
_pinterest_ct_ua	ct.pinterest.com	364 Days	Third Party	Cookie placed by the Pinterest tag when we are unable to match the user. It contains a unique UUID to group actions across pages.
ar_debug	pinterest.com	364 Days	Third Party	From Pinterest, it checks whether a technical debugger-cookie is present.
personalization_id	twitter.com	729 Days	Third Party	This cookie is set by Twitter to allow the visitor to share content from the website onto their Twitter profile.
muc_ads	t.co	729 Days	Third Party	This cookie is set by Twitter for advertising. It is used for optimizing ad relevance by collecting visitor navigation data.
_ttp	tiktok.com	389 Days	Third Party	This cookie is used to measure and improve the performance of advertising campaigns and to personalize the user's experience (including ads) on TikTok.
MSPTC	bing.com	389 Days	Third Party	MSPTC cookie is used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
MUID	bing.com	389 Days	Third Party	This cookie identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.
	www.facebook.com	Session	Third Party	This is used to show targeted ads to its users when they are logged into its services.
NID	google.com	182 Days	Third Party	This cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language, how many search results you wish to have shown per page, and whether or not you wish to have Google’s SafeSearch filter turned on.