Privacy Policy
Last updated: 18 May 2025
Pigeon Mail ("we", "us", "our") operates the Pigeon Mail service. This policy explains what personal data we collect, why we collect it, how we store it, and your rights.
1. Data we collect
When you create an account we collect:
- Email address — used for authentication, account notifications, and support.
- Postal address (recipients only) — used solely to forward letters to you. Stored encrypted at rest.
- Username (recipients only) — a public-facing identifier you choose. Does not reveal your identity or address.
When you top up credits we also process payment information. Payment card details are handled entirely by our payment processor, Stripe. We never see, store, or have access to your full card number.
2. How we use your data
- To operate the service: forwarding letters, processing credits, and managing your account.
- To communicate with you about your account or letters.
- To enforce our Terms of Service, including blocking and reporting.
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data for advertising.
3. Address privacy
This is the core of our service. Recipient postal addresses are never disclosed to senders. Sender return addresses on envelopes are covered with a forwarding sticker before we post the letter onward. We do not open or read your letters — we only verify the code written on the envelope.
4. Data storage and security
Your data is stored on servers provided by Supabase (hosted within the EU/UK). Postal addresses are encrypted at rest. Access to address data is restricted to Pigeon Mail operators and is only used for the purpose of forwarding letters.
5. Data retention
We retain your account data for as long as your account is active. Letter records (codes, statuses, timestamps) are retained for 12 months after the letter is forwarded or refunded, then automatically deleted. If you delete your account, your personal data — including your postal address — is permanently removed within 30 days.
6. Your rights
Under UK data protection law, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data.
- Request a copy of your data in a portable format.
- Object to or restrict processing of your data.
To exercise any of these rights, contact us via our contact form.
7. Cookies
We use only essential cookies required for authentication and session management. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
8. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by email. The date at the top of this page shows when it was last updated.
9. Contact
If you have questions about this privacy policy or how we handle your data, contact us via our contact form.