Postcards.ai Privacy Notice

Last Modified: May 18, 2026

This Privacy Notice explains how PostPilot, Inc. and its affiliates, doing business as Postcards.ai (collectively, "Postcards.ai", "we", "us", or "our"), collect, use, disclose, and otherwise process personal information in connection with Postcards.ai's direct-mailing services and professional services directly related to the direct-mailing process (the "Services") and the websites, applications, APIs, dashboards, design tools, AI-assisted tools, integrations, data products, and other tools made available to facilitate the Services.

This Privacy Notice applies to personal information we process about business customers, account users, website visitors, prospects, mailing recipients, and other individuals in connection with the Services and the related tools described above. It does not apply to third-party websites, platforms, or services that we do not own or control.

1. How We Collect and Use Personal Information

Information You Provide Directly

We collect personal information you provide directly to us, including:

  • account information, such as first and last name, company name, business email address, user ID, password, role, business information, and any other information you provide;
  • payment and billing information, such as billing contact details, payment method identifiers, invoices, credits, transaction history, and purchase records;
  • support, sales, and communications information, such as messages, emails, call notes, support requests, survey responses, demo requests, and feedback;
  • campaign and creative information, such as designs, templates, images, logos, text, copy, offers, URLs, PDFs, postcard content, prompts, brand materials, websites, and creative assets;
  • customer, recipient, and audience information, such as names, mailing addresses, email addresses, phone numbers, customer tags, transaction history, products ordered, order value, dates, customer source, uploaded lists, CRM records, route selections, audience filters, suppression data, and campaign history;
  • integration information made available through systems Customer connects or enables, such as commerce, CRM, scheduling, job-management, and related platforms;
  • AI and assistant information, such as prompts, chat messages, files, instructions, conversation history, generated outputs, website intake, brand information, and workflow requests; and
  • any other information you choose to provide.

We use this information to administer accounts, provide the Services, communicate with you, process transactions, provide customer support, create and manage campaigns, build audiences, render and submit mailings, provide AI-assisted features, improve the Services, enforce agreements, comply with law, and protect rights and security.

Information You Provide Through Communications and Events

If you communicate with us, attend an event, request a demo, participate in a survey, subscribe to content, download materials, or otherwise interact with us, we may collect contact details, company information, role information, preferences, communications, event attendance information, and any other information you choose to provide. We use this information to respond to requests, provide information about the Services, improve sales and support processes, personalize communications, and conduct ordinary business operations.

Payment Information

If you sign up for Services requiring payment, we collect information provided in connection with payment. We use third-party payment processors to process credit card and other payments. We do not store full payment card numbers through the Services. Payment information is provided directly to payment processors and processed under their terms and privacy practices.

Information We Receive From Customers

Our customers may submit personal information about their own customers, prospects, website visitors, or mailing recipients to use the Services. This may include names, mailing addresses, email addresses, phone numbers, transaction information, order details, customer tags, audience criteria, route selections, and similar information. We process this information to provide direct mail marketing, audience creation, matching, append, retargeting, attribution, analytics, AI-assisted workflows, and related Services.

Information From Third-Party Data Providers and Other Sources

To provide direct mail marketing and related services, we may purchase or receive personal information from data providers and other third parties. This may include name, mailing address, phone number, email address, transactional data, demographic information, education information, income or financial-status ranges, professional information, interests, approximate location, and inferences based on some or all of this data. We use this information to send Postcards.ai mailings, identify mailing addresses, build audiences, support attribution, provide prospecting and retargeting services, and improve the Services.

We may also receive information from integration partners, payment processors, print and mail providers, postal providers, analytics providers, advertising partners, fraud prevention providers, identity and address-matching providers, public sources, and other business partners.

Information From Social Media and Public Sources

If you interact with us on social media or other public channels, we may receive information such as profile information, handle, message or comment content, and engagement information, depending on your settings and the platform's rules. We may also collect publicly available information about businesses and business contacts for sales, marketing, verification, security, and service-improvement purposes.

Information Collected Automatically

When you visit our websites, use related tools, or use the Services, we and our service providers may automatically collect information such as IP address, device identifier, browser type, operating system, pages viewed, links clicked, referring URLs, timestamps, session information, approximate geographic location, and usage information. We may collect this information through cookies, pixels, web beacons, SDKs, server logs, and similar technologies.

We use automatically collected information to operate, secure, measure, personalize, debug, and improve the Services; understand usage; measure campaigns; support advertising and analytics; prevent fraud; and enforce agreements.

Information Related to Postcards.ai AI

If you use AI-assisted features, we may process prompts, inputs, uploaded materials, brand information, website content, campaign information, customer or recipient data, conversation history, and AI outputs. We may use third-party AI providers, including OpenAI and Google, to provide AI-assisted features.

We use this information to generate designs, copy, images, creative direction, workflow suggestions, audience suggestions, assistant responses, and other AI-assisted outputs; improve service quality; maintain safety; prevent abuse; and support the Services.

Business and Commercial Purposes

We may use personal information for the following business and commercial purposes:

  • providing, operating, maintaining, securing, and improving the Services;
  • creating, maintaining, and authenticating accounts;
  • processing transactions, managing credits, administering billing, and collecting amounts owed;
  • providing direct mail production, mailing, delivery, tracking, address validation, address matching, prospecting, attribution, retargeting, and analytics services;
  • creating, previewing, saving, segmenting, and managing audiences;
  • enabling integrations and syncing data at Customer's direction;
  • generating, parsing, improving, and assisting with designs, copy, images, campaigns, and workflows;
  • communicating about the Services, account matters, transactions, support, security, legal notices, product updates, and marketing;
  • personalizing and improving websites, dashboards, content, and user experience;
  • measuring performance and effectiveness of campaigns, ads, and product features;
  • conducting research, analytics, testing, and product development;
  • preventing, detecting, investigating, and responding to fraud, abuse, security incidents, illegal activity, and violations of agreements;
  • complying with legal obligations, responding to lawful requests, enforcing agreements, resolving disputes, and protecting rights, property, and safety; and
  • carrying out any other purpose described when the information is collected or for which consent is obtained.

2. How We Use Cookies and Other Tracking Technology to Collect Information

We and our service providers use cookies, pixels, tags, web beacons, SDKs, and similar technologies to collect information about your interactions with our websites and Services. These technologies help us:

  • keep you signed in and operate the Services;
  • remember preferences and settings;
  • analyze traffic and performance;
  • understand usage and improve features;
  • personalize content;
  • measure marketing campaigns;
  • support advertising and retargeting;
  • detect and prevent fraud, abuse, and security incidents; and
  • provide SiteMatch, attribution, and related services where enabled.

You may be able to manage cookies through your browser settings or device controls. If you disable cookies, some Services may not function properly.

Some browsers offer "Do Not Track" or similar signals. Because there is not yet a uniform industry standard for such signals, our websites may not respond to all such browser signals. Where legally required, we honor applicable opt-out preference signals in the manner required by law.

3. Sharing of Your Personal Information

We may share personal information with:

  • service providers and Sub-processors that provide hosting, infrastructure, database, storage, security, support, analytics, billing, payment, AI, direct mail production, postal processing, delivery, tracking, data processing, and related services;
  • print, production, mail, postal, address validation, address matching, data, and fulfillment partners;
  • Third-Party Providers whose products or data are used in connection with the Services;
  • integration partners and platforms at Customer's direction or configuration;
  • affiliates and companies under common ownership or control, which may use personal information consistent with this Privacy Notice;
  • professional advisors, including lawyers, auditors, insurers, consultants, and financial advisors;
  • law enforcement, regulators, courts, government authorities, or other third parties where we believe disclosure is required or appropriate to comply with law, enforce agreements, protect security or integrity of the Services, prevent harm or financial loss, prevent fraud or illegal activity, or protect rights, property, and safety;
  • parties involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or similar transaction; and
  • other parties with consent or at the direction of Customer or the individual.

The Approved List of Sub-Processors provides additional information about Sub-processors that may process Customer Personal Data in connection with the Services.

We may disclose each category of personal information described in this Privacy Notice for the business and commercial purposes described above. We do not require service providers to use personal information for their own independent purposes except where they act as independent controllers or businesses under applicable law and provide their own notices.

4. Third-Party Data Collection and Online Advertising

We may participate in interest-based advertising, retargeting, analytics, and similar activities. Third-party advertising networks, social media companies, analytics providers, and other third-party businesses may collect information directly from your browser or device through cookies, pixels, tags, web beacons, SDKs, or similar technologies when you visit or interact with our websites or Services or otherwise engage with us.

These third parties may collect information about your online activities over time and across different websites and services and may use that information to provide measurement services, personalize advertising, or deliver advertising that may be relevant to your interests. We do not control the privacy practices of these third parties.

Depending on your location, you may have the right to opt out of certain targeted advertising, sale, or sharing activities. You may contact us at team@postcards.ai to exercise applicable rights.

We may use hashed identifiers, cookies, pixels, tags, or similar technologies to match or measure audiences, support direct mail attribution, identify likely mailing addresses, and understand whether online activity is associated with a household, device, or mailing recipient. Customers are responsible for providing required notices and obtaining required consents for their own websites and marketing activities.

5. Control Over Your Information

Account Information

You may access, update, or correct certain account information through the Services. You are responsible for maintaining accurate account information.

Communications Preferences

You may unsubscribe from marketing emails by using the unsubscribe link in those emails or by contacting us at team@postcards.ai. We may continue sending transactional, administrative, billing, support, legal, and security communications.

Privacy Rights Requests

Depending on where you live, you may have rights to request access to, correction of, deletion of, or a copy of your personal information; to opt out of sale, sharing, targeted advertising, or certain profiling; to restrict or object to certain Processing; or to appeal a decision regarding a privacy request.

To exercise rights, contact us at team@postcards.ai. We may need to verify your identity and request before responding. If your request relates to personal information we process on behalf of a customer, we may direct you to that customer or assist the customer in responding.

We may decline a request where permitted by law, including where we cannot verify your identity, where we need to retain information to provide the Services or comply with law, where the request is excessive or manifestly unfounded, or where an exception applies. We will explain our decision where required by law.

Direct Mail Opt-Outs

If you receive a mail piece sent through the Services, your information may have been provided by our customer, obtained from a third-party data provider, generated through address matching, or processed through another permitted source. You may contact us at team@postcards.ai to ask questions or request assistance regarding direct mail sent through the Services. Where appropriate, we may route requests to the relevant customer or honor applicable suppression or opt-out requests.

6. Data Retention

We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, prevent fraud, maintain security, support backups, conduct audits, and carry out legitimate business purposes. Retention periods vary depending on the type of information, purpose for which it is used, applicable legal requirements, customer instructions, and operational needs.

Customer Data may be retained in accordance with the Agreement, DPA, and Customer's configuration or instructions. Backup and archival copies may be retained for a limited period in accordance with ordinary-course backup, security, and disaster-recovery practices.

We may retain de-identified, anonymized, or aggregated information for longer periods and use it for analytics, research, product development, security, fraud prevention, and other lawful business purposes.

6A. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction. These safeguards may include access controls, encryption, logging, monitoring, backup practices, vulnerability management, personnel training, and vendor review. No security measure is perfect, and we cannot guarantee absolute security. You are responsible for protecting credentials and using the Services securely.

6B. International Transfers

We are based in the United States, and personal information may be processed in the United States and other jurisdictions where we, our affiliates, service providers, or partners operate. These jurisdictions may have data protection laws different from those in your location. Where required, we use appropriate safeguards for international transfers.

7. Children's Personal Information

The Services are not directed to children under 18, and we do not knowingly collect personal information from children under 18. Customers may not submit personal information relating to individuals under 18 without our prior written approval. If we learn that we have collected personal information from a child in violation of applicable law, we will take appropriate steps to delete it.

8. Links to Third-Party Websites and Services

The Services and related tools may contain links to third-party websites, applications, platforms, integrations, or services. We are not responsible for the privacy practices, content, or security of third-party websites or services. Your interactions with third parties are governed by their terms and privacy policies.

9. Changes to This Privacy Notice

We may change this Privacy Notice from time to time at our sole discretion. We may notify you about material changes by sending a notice to the primary email address specified in your account, by posting a notice through the Services, or by placing a prominent notice on our website. When we change this Privacy Notice, we will revise the "Last Modified" date.

10. Contact Us

If you have questions about this Privacy Notice or our privacy practices, contact us at:

PostPilot, Inc. d/b/a Postcards.ai
169 Madison Ave, Suite 11452
New York, NY 10016 US
Email: team@postcards.ai

11. Additional U.S. State Privacy Disclosures

These U.S. State Privacy Disclosures supplement the information in our Privacy Notice by providing additional information about our personal information processing practices relating to individual residents of certain U.S. states. Unless otherwise stated, terms defined in our Privacy Notice retain the same meaning in these disclosures.

Categories of Personal Information We Collect

Depending on your relationship with us and the Services used, we may collect the following categories of personal information:

  • identifiers, such as name, mailing address, email address, phone number, IP address, account identifiers, device identifiers, and online identifiers;
  • customer records information, such as billing contact information, transaction records, and payment-related information;
  • protected classification characteristics only where voluntarily provided or inferred and where permitted by law;
  • commercial information, such as purchase history, products ordered, services purchased, campaign history, and service usage;
  • internet or other electronic network activity information, such as browsing history, search history, interaction with websites, referral data, and device information;
  • geolocation information, such as approximate location derived from IP address or mailing address;
  • audio, electronic, visual, or similar information, such as support calls, uploaded images, creative files, and communications;
  • professional or employment-related information, such as company name, job title, and business contact details;
  • education information where provided and permitted;
  • inferences, such as audience segments, marketing preferences, modeled characteristics, demographic ranges, and interest information; and
  • sensitive personal information only where permitted and necessary, such as account credentials or information needed for security, compliance, or service delivery.

Categories of Personal Information Disclosed for Business Purposes

We may disclose each category of personal information listed above for business purposes to the categories of recipients described in this Privacy Notice, including service providers, Sub-processors, Third-Party Providers, affiliates, professional advisors, business partners, and parties involved in legal, security, or corporate transactions.

Categories of Personal Information Sold, Shared, or Used for Targeted Advertising

Depending on the Services used and applicable law, categories of personal information that may be sold, shared, or used for targeted advertising may include identifiers, commercial information, internet or network activity, approximate geolocation information, and inferences. We do not knowingly sell or share personal information of individuals under 16.

Sources of Personal Information

We collect personal information from you, our customers, Authorized Users, website visitors, service providers, Sub-processors, integration partners, Third-Party Providers, data providers, advertising and analytics partners, public sources, and automatic collection technologies.

Purposes for Collection, Use, and Disclosure

We collect, use, and disclose personal information for the business and commercial purposes described in Sections 1 through 4 of this Privacy Notice, including providing the Services, account administration, customer support, payment processing, direct mail production, audience creation, matching, append, attribution, retargeting, AI-assisted features, analytics, security, fraud prevention, compliance, marketing, and legal purposes.

Categories of Third Parties to Whom We Disclose Personal Information

We may disclose personal information to the categories of third parties described in Section 3, including service providers, Sub-processors, Third-Party Providers, affiliates, business partners, integration partners, professional advisors, law enforcement, regulators, transaction counterparties, and parties at your or Customer's direction.

Sale, Sharing, and Targeted Advertising

Some U.S. state privacy laws define "sale," "sharing," or "targeted advertising" broadly. We may sell or share personal information or process personal information for targeted advertising in connection with certain data, advertising, attribution, retargeting, matching, prospecting, or marketing services. Categories of personal information that may be sold, shared, or used for targeted advertising may include identifiers, commercial information, internet or network activity, geolocation information, and inferences.

You may contact us at team@postcards.ai to exercise applicable opt-out rights. We do not knowingly sell or share personal information of individuals under 16.

Sensitive Personal Information

We use sensitive personal information only for permitted purposes, including providing the Services, maintaining account security, fraud prevention, compliance, service improvement, and other purposes permitted by applicable law. We do not use sensitive personal information to infer characteristics where prohibited by law.

Your State Privacy Rights

Depending on your state of residence, you may have the right to:

  • confirm whether we process your personal information;
  • access personal information we process about you;
  • correct inaccurate personal information;
  • delete personal information;
  • obtain a portable copy of personal information;
  • opt out of sale, sharing, targeted advertising, or certain profiling;
  • limit certain uses or disclosures of sensitive personal information;
  • appeal our decision regarding a rights request; and
  • be free from unlawful discrimination for exercising privacy rights.

To exercise these rights, contact us at team@postcards.ai. We may verify your request by asking for information sufficient to confirm your identity. We will respond to verified requests as required by applicable law.

If you maintain an account with us, we may require you to submit the request through the account or verify control of the account. If you do not maintain an account, we may request information such as name, email address, mailing address, relationship to Postcards.ai or a customer, and other details reasonably needed to verify the request.

Authorized Agents

Where permitted by applicable law, you may authorize an agent to submit a privacy request on your behalf. We may require proof that you authorized the agent, verification of your identity, and confirmation that you gave the agent permission to submit the request. For California residents, an authorized agent may submit a request if the agent provides a power of attorney valid under California law or provides sufficient evidence that the agent has signed permission to act on your behalf and you verify your identity directly with us or directly confirm that you provided permission.

Appeals

If applicable law gives you a right to appeal a privacy request decision, you may appeal by contacting us at team@postcards.ai and describing the decision you are appealing. We will respond to appeals as required by applicable law.

Non-Discrimination

We will not unlawfully discriminate against you for exercising privacy rights. We may provide different prices, rates, levels, quality, or selections of goods or services where permitted by law, including where reasonably related to the value of the data or where part of a voluntary loyalty, rewards, premium features, discount, or similar program.

Notice of Financial Incentives

We may offer discounts, credits, rewards, trials, promotions, or similar programs that may be considered financial incentives under certain privacy laws. Participation is voluntary, and you may opt out as described in the applicable program terms. The value of the incentive is reasonably related to the value of the information provided or the cost of providing the program.

Data Broker and Direct Mail Disclosures

Where required by applicable law, Postcards.ai or its affiliates may register as a data broker or similar entity. The Services may involve personal information used for direct mail marketing, address matching, prospecting, attribution, retargeting, and related marketing services. Individuals may contact team@postcards.ai for questions about direct mail opt-outs or privacy rights.