Privacy Policy

Privacy built for trust.

Last updated: June 2026

About this policy

This privacy policy describes how DoorLetter collects, uses, and protects personal data when you use our website and services. We process personal data in accordance with the General Data Protection Regulation (GDPR) and applicable privacy laws.

Who we are

DoorLetter is operated by Jiri Bindels, based in the Netherlands. DoorLetter acts as the data controller under GDPR for the personal data described in this policy.

For privacy matters, please reach us via our contact form.

Information we collect

  • Account data: Your email address when you create an account.
  • Property & delivery data: The recipient address (homeowner) and login codes issued to homeowners.
  • Note content: The message text you compose and send.
  • Payment data: Payments are handled by a third-party payment processor. We only receive payment confirmation, not card details.
  • Usage & analytics data: Pages visited and features used, anonymized via Google Analytics (only with your consent).

Legal basis for processing (GDPR Art. 6)

  • Art. 6(1)(b) — Performance of contract: Delivering notes and managing your account.
  • Art. 6(1)(f) — Legitimate interests: Service improvement, fraud prevention, and analytics.
  • Art. 6(1)(a) — Consent: Analytics cookies (withdrawal of consent does not affect past processing).
  • Art. 6(1)(c) — Legal obligation: Retaining financial records in compliance with legal retention obligations.

Cookies

We use essential cookies (Supabase session) and, with your consent, Google Analytics. For full details about the cookies we use, please see our Cookie Policy.

How we use your information

  • Delivering your note to the intended homeowner.
  • Managing your account and authentication.
  • Processing payments securely.
  • Sending notifications about note status and replies.
  • Improving and developing the DoorLetter service.
  • Complying with applicable laws and regulations.

Third-party processors

To operate DoorLetter, we use carefully selected third-party service providers. They process personal data only on our behalf and under data processing agreements. We work with the following categories of processors:

  • Vercel — website hosting (US/EU)
  • Supabase — database, authentication and account management (EU)
  • Stripe — payment processing (US/EU)
  • Pingen (Switzerland) & PostNL — letter printing and delivery in the Netherlands
  • Lob (US) — letter printing and delivery in the United States
  • Resend — transactional email delivery
  • Anthropic (US) — AI for moderating and helping draft notes (see "Automated processing & AI")
  • Google Analytics — website analytics (only with your consent)
  • Google Maps / Places — address entry and validation

Automated processing & AI

When you compose or send a note, the text (and the target address when you use the AI writing assistant) is processed by Anthropic (Claude) to moderate inappropriate content and, at your request, to generate a draft. This processing is automated but has no legal effect on you — a rejected note simply isn't sent. Your data is not used to train third-party AI models.

Homeowners & cold outreach

If you receive a DoorLetter without having an account, we process your address to deliver a sender's letter to you. Address data comes from the sender or from public records (such as the Dutch BAG register). The legal basis is our (and the sender's) legitimate interest in reaching homeowners (GDPR Art. 6(1)(f)).

You have the right to object at any time (GDPR Art. 21). Opt out of all further mail at doorletter.com/unsubscribe or email privacy@doorletter.com. We'll add your address to our suppression list and you won't receive further letters.

International data transfers

Some of our processors are located outside the European Economic Area (EEA), including the United States and Switzerland. Where data is transferred outside the EEA, we ensure appropriate safeguards such as EU Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework (DPF), or a European Commission adequacy decision.

Data retention

  • Account data: until you submit a deletion request.
  • Note content: until account deletion or after 3 years of inactivity.
  • Financial records: 7 years (Dutch fiscal law / NL BWB).
  • Analytics data: 14 months (GA default setting).

Your rights under GDPR

  • Right to access (Art. 15): You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You can request correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Art. 17): You can request deletion of your personal data.
  • Right to data portability (Art. 20): You can receive your data in a structured, machine-readable format.
  • Right to restriction of processing (Art. 18): You can ask us to restrict the processing of your data.
  • Right to object (Art. 21): You can object to processing based on legitimate interests.
  • Right to withdraw consent: You can withdraw consent for analytics cookies at any time. This does not affect past processing.
  • Right to lodge a complaint: You can lodge a complaint with the Autoriteit Persoonsgegevens (Dutch data protection authority).

Submit your request via our contact form. We respond within 30 days.

California residents — CCPA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You can know what personal data we collect about you.
  • Right to delete: You can request deletion of your personal data.
  • Right to opt-out of sale: We do not sell personal data.
  • Right to non-discrimination: You will not be discriminated against for exercising your CCPA rights.

For CCPA requests, please use our contact form.

Children's privacy

DoorLetter is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we discover that we have collected personal data from a minor, we will delete it as soon as possible.

Changes to this policy

We may update this privacy policy from time to time. We will post changes on this page with an updated date. For material changes, we will notify you by email.

Contact

If you have questions about this privacy policy or the processing of your personal data, please contact us via our contact form.