Giftyy
Legal

Privacy Policy

1. Introduction

Giftyy (“we”, “us”, “our”) takes your privacy seriously. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices you have. It applies to our mobile application, our website at giftyy.store, and any related services we operate (together, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

We may update this policy from time to time. The “Last updated” date at the bottom reflects the most recent version. Material changes will be highlighted in-app or via email where appropriate.

2. Information We Collect

Information you provide directly:

  • Account information: name, email address, phone number, password (stored as a salted hash).
  • Profile and preferences: profile photo, gift preferences, language, notification settings.
  • Recipient information: names, relationships, optional birthdays, and addresses of people you want to send gifts to. You may provide this directly, or your recipient may provide it themselves via a claim link.
  • Payment information: processed by our payment provider (Stripe). We do not store full card numbers on our servers.
  • User-generated content: video reactions, text messages, photos, and other media you upload to share with recipients.
  • Communications: messages you send to our support team and feedback you submit.

Information collected automatically:

  • Device information: device model, operating system, app version, language, and time zone.
  • Usage data: screens viewed, actions taken, performance metrics, and crash logs (via Sentry).
  • Push tokens: a unique identifier issued by Apple or Google to deliver push notifications to your device. Stored only while you are signed in.
  • Approximate location: derived from your shipping address. We do not collect precise GPS coordinates.

Information collected with your permission:

  • Contacts: phone numbers and email addresses from your device contacts, used only to match against existing Giftyy accounts. Requires explicit in-app consent. See § 6 for details.
  • Camera, microphone, photo library: only when you choose to record a video reaction, photograph a gift, or upload media.
  • Notifications: only when you grant permission to send push notifications.

3. How We Use Your Information

We use your information to:

  • Create and operate your account.
  • Process and deliver gift orders, including coordinating with vendors and shipping carriers.
  • Personalise gift recommendations using your stated preferences and recipient profiles.
  • Send transactional notifications (order updates, gift-claim links, reaction alerts) via push, email, or SMS.
  • Provide customer support and respond to your requests.
  • Detect, prevent, and address fraud, abuse, or technical issues.
  • Comply with legal obligations and enforce our Terms of Service.
  • Improve and develop the Service through aggregated, de-identified analytics.

We do not sell your personal information. We do not use your data for behavioural advertising or share it with advertising networks.

4. How We Share Your Information

We share your information only in the ways described below. All third parties listed below are bound by data-protection agreements that restrict use of your data to operating the Service on our behalf.

  • Stripe — payment processing. Receives card and billing details necessary to charge you.
  • Supabase — database and authentication hosting. Stores account, profile, and order data.
  • Amazon Web Services (AWS) — SMS delivery (AWS End User Messaging), file storage, and supporting infrastructure.
  • Resend — transactional email delivery.
  • Expo / Apple / Google — push notification delivery.
  • Sentry — crash and error reporting. Receives device and stack-trace metadata; user identifiers are stripped where possible.
  • Vendors and shipping carriers — receive the recipient's name, shipping address, and gift contents needed to fulfil the order. They do not receive the buyer's identity unless required for returns.
  • Recipients of your gifts — see the gift contents and (if you choose to reveal your identity) your name. Recipients never see your address or other identifiers.

We may also disclose information when required by law, to comply with valid legal process, to protect the rights, property, or safety of Giftyy or others, or in connection with a corporate transaction such as a merger or acquisition (in which case the acquiring entity will be bound by this policy or a successor with equivalent protections).

5. Text Message (SMS) Communications

Giftyy uses SMS messages to deliver gift notifications. We send SMS in one specific scenario: when a Giftyy user purchases a gift for a recipient whose shipping address is not on file, we text the recipient a private one-time link to enter their shipping address. The gift only ships after the recipient claims the link.

What we include in the SMS:

  • The recipient's first name.
  • An optional hint from the sender (e.g. “From your book club crew”).
  • A unique, single-use claim link on our domain (giftyy.store).

What we never include:

  • The sender's identity (preserved as a surprise until the recipient scans the Giftyy card).
  • The gift item itself.
  • Any sensitive personal information.

Reminder cadence. If the recipient does not claim the link, we send at most two reminders — one on day 3 and one on day 14. If the link remains unclaimed after 30 days, it expires automatically and the sender is refunded in full.

Opt-in. SMS is sent only because a Giftyy user explicitly chose to send the recipient a gift. The recipient's phone number is provided by that sender at the moment of purchase. SMS is triggered solely by this voluntary, paid action — never as bulk marketing.

Opt-out. Reply STOP to any Giftyy SMS to opt out. Our SMS provider handles STOP keywords automatically at the platform layer; once you opt out, you will receive no further SMS from Giftyy. Reply HELP for help.

Carrier rates. Standard message and data rates may apply, depending on your mobile plan. Giftyy does not charge you to receive SMS.

Delivery provider. We use Amazon Web Services (AWS) End User Messaging to deliver SMS. Your phone number is transmitted to AWS solely for the purpose of message delivery and is subject to AWS's privacy practices.

Frequency. Variable — depends on how many Giftyy users send you a gift. For most recipients, this is one to two messages per gift.

6. Contact List Access

The Giftyy mobile app can access your device's contacts list to help you find friends and family who are already using Giftyy. This is an optional feature — you must explicitly grant permission inside the app before any contact data is accessed.

What we send to our servers. When you opt in, we send your contacts' phone numbers and email addresses to Giftyy servers to match them against existing Giftyy accounts. We do not transmit contact names, photos, addresses, or any other contact metadata.

What we do with the matches. Phone numbers and emails are used only to identify which of your contacts are already on Giftyy. Matched contacts are returned to your device and displayed in the Find Friends screen. We do not display, share, or sell your contacts to anyone.

What we do not do:

  • We do not store your contacts on our servers.
  • We do not use your contacts for marketing or advertising.
  • We do not share your contacts with other Giftyy users.
  • We do not match your contacts against non-Giftyy databases.

Revoking access. You can revoke contacts access at any time from your device's app settings (iOS: Settings → Giftyy → Contacts; Android: Settings → Apps → Giftyy → Permissions). Revoking access stops all further contact uploads immediately.

Retention. Phone numbers and emails sent for matching are not stored after the match is computed. Each Find Friends sync sends fresh data from your device.

7. Data Security

We use industry-standard technical and organisational measures to protect your information, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, hashed passwords, access controls, and routine security reviews.

No internet transmission or storage system is 100% secure. If you have reason to believe your account has been compromised, contact us at info@giftyy.store immediately.

8. Data Retention

We retain your information for as long as your account is active and for a reasonable period afterwards to meet legal, accounting, or reporting obligations. Specifically:

  • Account data: retained for the life of your account. Deleted within 30 days of account deletion, except where retention is required by law (e.g. tax records).
  • Order and payment records: retained for 7 years to meet financial and tax requirements.
  • Gift-claim links: expire 30 days after creation; underlying token is purged shortly after.
  • Push tokens: deleted when you sign out or uninstall the app.
  • Contacts data: not retained — see § 6.
  • Support correspondence: retained for 2 years after the case is resolved.

Aggregated and de-identified data, which cannot reasonably be tied back to you, may be retained indefinitely for analytics and product improvement.

9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to correct inaccurate or incomplete data.
  • Deletion: request that we delete your account and associated data. Some records may be retained where legally required.
  • Portability: receive a copy of your data in a machine-readable format.
  • Restriction or objection: ask us to limit or stop certain uses of your data.
  • Withdraw consent: revoke previously granted permissions (e.g. contacts, notifications) at any time through your device or app settings.

To exercise any of these rights, email us at info@giftyy.store. We will respond within 30 days. We will not discriminate against you for exercising your rights.

California residents: you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, used, shared, or sold. We do not sell your personal information.

10. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

11. International Data Transfers

Giftyy operates from the United States. By using the Service, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your country. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to safeguard cross-border transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post any changes on this page and update the “Last updated” date below. For material changes, we will also notify you in-app or via email before they take effect.

13. Contact Us

If you have questions about this Privacy Policy, want to revoke a consent, or wish to exercise any privacy rights described here, contact us at:

info@giftyy.store

Last updated: May 19, 2026