Generational Letters — Preserving Stories. Connecting Families.

Privacy Policy

Last updated: March 2025

Generational Letters (“we,” “us,” “our”) is committed to protecting your privacy and the security of your personal data, especially your voice recordings and the letters we create from them. This policy explains how we collect, use, store, and protect your information, with a deep focus on data security and our “Digital Heirloom” approach.

1. Information We Collect

We collect information you provide (account details, recipient names and addresses, payment information via Stripe) and automatically (usage data, device information). Our most sensitive processing involves your voice and the content derived from it.

2. Voice Data — Storage and Use (No Training of External AI Models)

When you record a story, we store your audio and use it to:

  • Transcribe your words into text.
  • Edit and format that text into a letter (using our own or licensed AI tools solely for this purpose).
  • Store the recording and letter in your family “Digital Vault” so you and your designated recipients can access them for as long as your account and this policy allow.

We do not use your voice recordings or transcripts to train external, third-party AI models. Your voice data is used only to provide the Service (transcription, letter generation, and vault storage). We do not sell your voice data. We do not share it with advertisers or with AI companies for model training. Any subcontractors that process your audio (e.g., transcription or AI-editing providers) are bound by contracts that prohibit using your data for training their own or others’ models.

3. Data Longevity — The Digital Vault

We treat your stored recordings and letters as a “Digital Vault”—a permanent archive for as long as you are an active customer with a package in good standing.

Legacy Drive Guarantee: Every package tier includes the full Digital Vault (original audio and letters together) and, when eligible, fulfillment of a physical encrypted archive drive (“Legacy Drive”) to a designated Legacy Contact, as described in our Terms and your in-product instructions. We host and maintain cloud copies under our redundancy and security practices until fulfillment or the retention periods below apply.

  • Active customers: While your package is active, we retain your vault content and make it available to you (and, where you have configured it, to designated recipients) according to your plan and settings.
  • After cancellation or lapse: We will retain your vault data for a defined period after your package ends (e.g., 30–90 days), during which you may export or download your content. After that period, we may delete or anonymize vault data in accordance with our data retention schedule, unless we are required to retain it longer by law.

We implement technical and organizational measures to protect the security and integrity of the Digital Vault, including encryption in transit and at rest where applicable.

4. How We Use Your Information

We use your information to operate the Service (account management, transcription, letter creation, printing, mailing, vault access), to process payments, to communicate with you, to improve our product (in aggregated, non-identifying ways where possible), and to comply with legal obligations.

5. Data Security

We take data security seriously. We use industry-standard measures such as encryption (TLS in transit, encryption at rest where applicable), access controls, and secure hosting (e.g., Vercel, Supabase). Payment data is handled by Stripe and is subject to Stripe’s security practices; we do not store full card numbers. We restrict access to personal data to authorized personnel and service providers who need it to perform their duties.

6. Your Rights — GDPR and CCPA (Global English-Speaking Markets)

We comply with applicable privacy laws, including the General Data Protection Regulation (GDPR) for individuals in the European Economic Area and the UK, and the California Consumer Privacy Act (CCPA) as amended (e.g., CPRA) for California residents. Our Service is offered in global English-speaking markets, and we extend these rights where applicable.

Depending on your location, you may have the right to:

  • Access the personal data we hold about you.
  • Correct or update inaccurate data.
  • Request deletion of your personal data (subject to legal and operational retention requirements).
  • Object to or restrict certain processing.
  • Data portability (e.g., receive a copy of your data in a machine-readable format).
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority (GDPR).

For CCPA/CPRA: We do not sell your personal information. We do not share it for “cross-context behavioral advertising” in a way that qualifies as a “sale” or “share” under CCPA. You may have the right to know, delete, correct, and limit use of sensitive personal information, and to non-discrimination for exercising these rights.

To exercise any of these rights, contact us using the details at the end of this policy. We will respond within the timeframes required by applicable law.

7. Data Sharing and Subcontractors

We share data only as necessary with service providers (e.g., hosting, transcription, payment processing, mailing) under contracts that require them to protect your data and use it only for the purposes we specify. We may disclose data when required by law or to protect our rights and safety.

8. Children

The Service is not directed at children under 16 (or higher age where applicable). We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us so we can delete it.

9. International Transfers

Your data may be processed in the United States or other countries where our service providers operate. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses under GDPR) for international transfers.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice in the Service. Your continued use after the effective date constitutes acceptance. We encourage you to review this policy periodically.

11. Contact Us

For privacy-related requests, including to exercise your GDPR or CCPA rights, contact us at the email or mailing address provided on our website.

← Back to home