Privacy Policy

Privacy Policy — AmoreLetters

Last updated: [DATE TO INSERT]
Effective: [DATE TO INSERT]

1. Who is the Data Controller

DIGITLESS — sole proprietorship of Luca Papagni
VAT: IT17049331006
Registered office: Via Francesco De Santis 13, 00135 Roma, Italy
Email: privacy@amoreletters.com

For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR / Data Protection Act 2018, DIGITLESS is the Data Controller for personal data processed through the AmoreLetters service (the "Service").

2. Scope of this Policy

This Policy describes how we collect, use, share and protect personal data when you and your partner subscribe to and use AmoreLetters, available at amoreletters.com.

We process personal data of both partners in a couple. By subscribing on behalf of your couple, you confirm that your partner has consented to the processing of their personal data as described in this Policy.

3. Categories of personal data we collect

| Category | Examples | Source |
|---|---|---|
| Identification data | First name, last name (optional), gender (optional) | Provided by you at signup |
| Contact data | Email address (yours and your partner's) | Provided by you at signup |
| Relationship data (optional) | Years together, anniversary date, level of current connection (1–10 scale), free-text answers to onboarding questions | Provided by you optionally at onboarding |
| Payment data | Last 4 digits of card, payment token, billing address, invoice records | Provided by you at checkout; processed by Stripe/PayPal |
| Usage data | Email opens, link clicks, login timestamps, IP address (anonymised), browser, device | Collected automatically when you use the Service |
| Support correspondence | Messages sent to our customer support | Provided by you when you contact us |

We do not intentionally collect special categories of data under Art. 9 GDPR (data revealing race, religion, health, sexual orientation, etc.) beyond what you may voluntarily share in optional free-text onboarding fields. We recommend not including such information unless necessary.

4. Why and on what legal basis we process your data

| Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|
| Deliver the Service (send daily letters, manage account, customer support) | Contract performance (Art. 6(1)(b)) | For the duration of the subscription + 12 months after termination |
| Process payments and issue invoices | Contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c) — fiscal/accounting law) | 10 years (Italian fiscal requirements) |
| Send service emails (subscription confirmation, billing, important changes) | Contract performance (Art. 6(1)(b)) | For the duration of the subscription |
| Send promotional emails about new AmoreLetters products to existing subscribers | Soft opt-in (Art. 13 PECR for UK, soft opt-in art. 130 Italian Privacy Code) — you can opt out anytime | Until you opt out or cancel subscription |
| Send marketing emails about partner products (non-AmoreLetters) | Explicit consent (Art. 6(1)(a)) — opt-in at checkout | Until you withdraw consent |
| Improve the Service (analytics, A/B testing) | Legitimate interest (Art. 6(1)(f)) — to provide a better Service | Aggregated/anonymised after 13 months |
| Prevent fraud, defend legal claims | Legitimate interest (Art. 6(1)(f)) | For the duration of any potential legal action + applicable limitation periods |
| Comply with legal obligations (tax, GDPR requests, court orders) | Legal obligation (Art. 6(1)(c)) | As required by law |

5. Partner email consent — special note

When you provide your partner's email address at signup, you represent that you have your partner's explicit consent for us to send them daily emails. We process your partner's email address based on contract performance (Art. 6(1)(b)) on the assumption that this consent has been given.

To ensure compliance:

  • Your partner receives an opening welcome email that clearly states they were enrolled by you, explains what AmoreLetters is, and offers a one-click unsubscribe option
  • If your partner unsubscribes, we cease sending them emails immediately and notify you
  • You can remove your partner's email from the subscription at any time via your dashboard

6. Who we share your data with (Sub-processors)

We share personal data with carefully selected service providers ("sub-processors") who help us deliver the Service. All sub-processors are bound by data processing agreements compliant with Art. 28 GDPR.

| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Payment processing | Ireland (data may transit US for Stripe Inc.) | Standard Contractual Clauses + EU-US Data Privacy Framework |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing | Luxembourg | Adequate jurisdiction |
| Brevo / ActiveCampaign | Email delivery and automation | EU (Brevo France) / US (ActiveCampaign Inc.) | Standard Contractual Clauses + EU-US DPF |
| SiteGround / Hetzner | Web hosting | EU | EU jurisdiction |
| Google LLC (Google Analytics 4, optional) | Anonymised analytics | US | EU-US Data Privacy Framework + IP anonymisation enabled |
| Meta Platforms Ireland Limited | Advertising pixel (with consent) | Ireland / US | Standard Contractual Clauses + EU-US DPF |
| Anthropic PBC / OpenAI LLC (if applicable) | Drafting assistance for letters (internal only) | US | Standard Contractual Clauses; no personal data of subscribers shared with AI providers |

We do not sell personal data to third parties. We do not share data with data brokers.

An updated list of sub-processors is maintained at amoreletters.com/subprocessors and changes are notified by email at least 30 days in advance.

7. International data transfers

Some of our sub-processors are located in the United States. For transfers outside the EU/EEA/UK, we rely on:

  • EU-US Data Privacy Framework (DPF) certification of the recipient where applicable
  • Standard Contractual Clauses (2021) Module 3 (processor-to-sub-processor)
  • A Transfer Impact Assessment carried out for each transfer, available on request

A copy of the SCCs and a list of DPF-certified providers are available by writing to privacy@amoreletters.com.

8. Security measures (Art. 32 GDPR)

We adopt the following technical and organisational measures to protect your data:

  • Encryption at rest: AES-256 for sensitive data stored in our database
  • Encryption in transit: TLS 1.2+ for all data transmission
  • Access control: multi-factor authentication on admin panels; principle of least privilege; access logged
  • Backups: daily automated backups, encrypted, retained 30 days; off-site backup retained 90 days
  • Vulnerability management: dependencies updated regularly; quarterly security review
  • Incident response: documented procedure to detect, contain and notify breaches within 72 hours to the Garante (Italian DPA) and ICO (UK), and to affected users where required by Art. 34 GDPR
  • Training: any future staff handling personal data will receive GDPR training before access

A more detailed description is available on request to privacy@amoreletters.com.

9. Your rights

Under GDPR (and UK GDPR) you have the following rights:

  • Access: obtain a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations
  • Restriction: limit the processing of your data
  • Portability: receive your data in a structured, commonly used format
  • Object: object to processing based on legitimate interest or for marketing purposes
  • Withdraw consent: where processing is based on consent, withdraw it at any time (without affecting prior lawful processing)
  • Lodge a complaint: with your data protection authority

To exercise your rights, write to privacy@amoreletters.com. We will respond within 30 days (extendable by 60 days for complex requests; we will notify you of any extension).

To complain to a supervisory authority:

  • Italy: Garante per la Protezione dei Dati Personali (garanteprivacy.it)
  • UK: Information Commissioner's Office (ico.org.uk)
  • Other EU country: see edpb.europa.eu/about-edpb/board/members_en

10. Cookies and tracking

We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies (analytics, advertising) are activated only with your consent through the consent banner displayed on first visit.

11. Data of minors

The Service is intended for adults (18+). We do not knowingly process data of minors. If we discover that we have collected data of a minor, we will delete it without delay. Parents or guardians who become aware of such processing should contact privacy@amoreletters.com.

12. Automated decision-making and profiling

We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you. We may use light analytics (segments based on engagement, preferences from onboarding) to personalise the content of letters, but this does not constitute "automated decision-making" within the meaning of Art. 22 GDPR.

13. AI-assisted content

Some AmoreLetters content may be drafted with the assistance of AI tools. Personal data of subscribers is not shared with AI providers. All letters are reviewed and finalised by the human authors (Luca and Roberta) before delivery. The role of AI is limited to drafting suggestions and editorial assistance.

14. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email at least 30 days in advance. The "Last updated" date at the top will always reflect the current version. Previous versions are archived and available on request.

15. Transfer of business

In the event of a future transfer of the business to a different legal entity (e.g. transformation of DIGITLESS into a limited liability company), we will notify you in advance and ensure that the receiving entity assumes the same obligations under this Policy. The legal basis for processing remains unchanged.

16. Contact

For any privacy-related question:

  • Email: privacy@amoreletters.com
  • Postal: DIGITLESS — Via Francesco De Santis 13, 00135 Roma, Italy
  • VAT: IT17049331006

© 2026 DIGITLESS — VAT IT17049331006