Privacy Policy

Last Updated: November 2025

Your Privacy Matters
We take your privacy seriously. This policy explains how we collect, use, and protect your personal information.

1. Who We Are

Letters2Santa is operated by Traxrift Pty Ltd (ABN: 49 648 079 841), registered in Australia.

Contact Us:

2. Information We Collect

2.1 Personal Information You Provide

When you use our service, you provide us with:

  • Child's Information:
    • First name
    • Age range (3-5, 6-8, or 9-12 years)
    • Message to Santa
    • Optional: Photo (for cartoon character creation)
  • Parent/Guardian Information:
    • Full name
    • Email address
    • Mobile phone number
  • Payment Information:
    • Processed securely by Stripe (we never see your full card details)
    • We only receive payment confirmation and transaction ID

2.2 Information Automatically Collected

  • Technical Data: IP address, browser type, device information
  • Usage Data: Pages visited, time spent, interactions
  • Cookies: Essential cookies for site functionality (see Cookie Policy below)

3. How We Use Your Information

We use your information to:

3.1 Provide Our Service

  • Create personalised e-books with your child's name
  • Generate cartoon characters from uploaded photos (if provided)
  • Deliver digital content on Christmas Day
  • Process payments securely

3.2 Communication

  • Send order confirmations
  • Provide customer support
  • Send delivery notifications
  • Respond to your inquiries

3.3 Legal & Business Operations

  • Comply with legal obligations
  • Prevent fraud and abuse
  • Resolve disputes
  • Improve our service

4. How We Protect Your Information

4.1 Security Measures

  • Encryption: All data transmitted via SSL/TLS encryption
  • Secure Storage: Data stored in encrypted AWS cloud servers
  • Payment Security: PCI-DSS compliant payment processing via Stripe
  • Access Controls: Strict internal access limitations
  • Regular Audits: Security reviews and updates

4.2 Photo Security

If you upload a child's photo:

  • Stored in private, encrypted AWS S3 buckets
  • Accessible only via unique, time-limited URLs
  • Automatically deleted within 7 days after e-book delivery
  • Never shared with third parties
  • Never used for marketing or AI training

5. Data Retention

| Data Type | Retention Period | Reason |
|---|---|---|
| Order information | 7 years | Tax and legal requirements |
| Child's photo | 7 days after delivery | Then automatically deleted |
| Email records | 1 year | Customer support and compliance |
| Payment records | 7 years | Financial compliance |

6. Who We Share Your Information With

6.1 Essential Service Providers

  • Stripe: Payment processing (PCI-DSS compliant)
  • AWS (Amazon Web Services): Cloud hosting and storage
  • Email Service: Transactional email delivery

All service providers are bound by strict confidentiality and data protection agreements.

6.2 We NEVER Share Data With:

  • ❌ Marketing companies
  • ❌ Data brokers
  • ❌ Advertisers
  • ❌ Social media platforms
  • ❌ Any third party for their marketing purposes

6.3 Legal Requirements

We may disclose information if required by law or to:

  • Comply with legal process (court orders, subpoenas)
  • Protect our legal rights
  • Prevent fraud or illegal activity
  • Protect child safety

7. Your Rights

You have the right to:

7.1 Access

  • Request a copy of your personal data
  • Ask what information we hold about you

7.2 Correction

  • Update incorrect or incomplete information
  • Request corrections to your data

7.3 Deletion

  • Request deletion of your personal data
  • Note: We must retain some data for legal/tax purposes (7 years)
  • Photos are automatically deleted after 7 days

7.4 Objection

  • Object to processing of your data for certain purposes
  • Withdraw consent at any time

7.5 Portability

  • Request your data in a portable format
  • Transfer your data to another service

To exercise your rights: Email workshop@letters2santa.com with your request and order ID. We'll respond within 30 days.

8. Children's Privacy

We take children's privacy very seriously.

  • Our service is intended for use by parents/guardians, not children
  • We only collect minimal child information (first name, age range, message)
  • We comply with global children's privacy laws
  • Photos are optional and deleted within 7 days
  • We never contact children directly
  • We never use child data for marketing

9. International Data Transfers

Your data may be stored and processed in:

  • Australia: Primary data center location
  • AWS Regions: Secure cloud infrastructure (Asia-Pacific region)
  • All transfers comply with international data protection laws
  • We use standard contractual clauses for data protection

10. Cookies & Tracking

10.1 Essential Cookies

We use cookies for:

  • Session management (keeping you logged in)
  • Security (preventing fraud)
  • Payment processing

10.2 We DO NOT Use

  • ❌ Advertising cookies
  • ❌ Social media tracking
  • ❌ Third-party analytics (like Google Analytics)
  • ❌ Behavioral tracking

11. Third-Party Links

Our website may contain links to:

  • Stripe payment pages
  • Social media (if you choose to share)
  • Charity partners

These sites have their own privacy policies. We're not responsible for their practices.

12. Marketing Communications

We do NOT send marketing emails.

You will only receive:

  • Order confirmation (transactional)
  • Delivery notification (transactional)
  • Customer support responses

No newsletters, no promotional emails, no spam. Ever.

13. Data Breach Notification

In the unlikely event of a data breach:

  • We'll notify affected users within 72 hours
  • We'll inform relevant authorities as required by law
  • We'll take immediate action to secure systems
  • We'll provide guidance on protective measures

14. Changes to This Policy

We may update this privacy policy to reflect:

  • Changes in laws or regulations
  • New features or services
  • Improved privacy practices

We'll notify you of significant changes via:

  • Email notification
  • Website announcement
  • Updated "Last Updated" date

15. Legal Basis for Processing (GDPR)

For users in the EU/UK, we process data based on:

  • Contract: To fulfill our service to you
  • Consent: For optional photo uploads
  • Legal Obligation: For tax and compliance records
  • Legitimate Interest: For fraud prevention and service improvement

16. Complaints

If you're unhappy with how we handle your data:

  1. Contact us first: workshop@letters2santa.com
  2. We'll investigate and respond within 30 days
  3. If unresolved, you can contact your local data protection authority

Questions About Privacy?
We're here to help! Email us at workshop@letters2santa.com with any privacy concerns or questions.