Last amended 2021-10-08
In this privacy notice we, GiftoCard.com (“GIFTOCARD”), explain how we handle your personal data when you visit the GiftoCard website (www.giftocard.com) and use our services. All personal data are processed in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable local EU Member State and/or other national data protection law.
Our platform incorporates privacy controls that let you decide how we will process your personal data. By using privacy controls, you can specify whether you would like to receive direct marketing communications.
In this notice you will find the answers to the following questions:
- how we use your data;
- when we provide your data to others;
- how long we store your data;
- what is our marketing policy;
- what rights related to personal data you possess;
- other issues that you should take into account.
In case of any inquiries or if you would like to exercise any of your rights provided in this notice, you may submit such inquiries and requests by the means provided in the Contacts section.
You may contact us regarding all privacy-related issues by email: firstname.lastname@example.org.
General data protection principles and confidentiality
GIFTOCARD shall process all personal data adhering to the general data processing principles:
- lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency);
- collect and process personal data only for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
- ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
- ensure that personal data is accurate and, where necessary, kept up to date (accuracy);
- ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
- process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality).
All and any information processed by GIFTOCARD is treated as strictly confidential. All information is stored securely and is accessed by qualified and authorized personnel only.
- How we use your personal data?
This section provides the following information:
- categories of personal data, that we process;
- where we did not obtain the personal data directly from you, the source and specific categories of that data;
- the purposes for which we may process your personal data; and
- the legal bases of the processing.
So, what personal data do we collect and why?
- We process your account data (“account data”). The account data may include your name and email address, phone number, and other data that you provide while registering as well as your purchase history. We obtain such data directly from you. We process account data for the purposes of operating our Platform, providing our services, ensuring the security of our Platform and services, and communicating with you. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract as well as our legitimate interest, namely monitoring and improving our Platform and services.
- We process information relating to the provision of services by us to you on our Platform (“transaction data”). The transaction data may include your contact details, bank account details, and transaction details. The transaction data is processed to assist you in supplying or purchasing goods, to provide services, and to keep proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely the proper administration of our Platform and business.
- We process information related to anti-money laundering prevention measures (“AML data”). AML data may additionally include address or residence, ID documentation, including your photo, documents regarding your source of wealth, utility bill, and others. In some cases, we are required by the law to request such information to carry out “know your client” obligations, and it is our legitimate interest to ensure that only trusted merchants are allowed to sell their products on the Platform.
- We have a dedicated fraud detection process in place to detect and prevent any fraudulent transactions (“fraud detection data”). To ensure timely risk and fraud detection, effective prevention of fraudulent transactions and to improve our fraud detection process we collect and process various account data, transaction data and usage data which allows us to determine whether a user’s actions demonstrate suspicious behavior (e.g. whether the user is a bot, has attempted to defraud us in the past and similar indications related to fraudulent behavior). Our internal system may generate additional information such as unique identifiers in addition to collected transaction, account, usage or other data.
- We may process information that you provide to us for the purpose of subscribing to our email messages and newsletters (“messaging data”). The messaging data is processed to send you the relevant messages and newsletters. The legal basis for this processing is your consent. Also, if we have already sold goods or provided services for you on our Platform and you do not object, we may also process messaging data on the basis of our legitimate interest, namely seeking to maintain and improve customer relations.
- We may process information relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication. In case of communication through our Platform, the Platform will generate the metadata associated with communications made using the Platform contact forms. The correspondence data is processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our Platform and business, ensuring uniform and high-quality consultation practice, and investigating disputes between you and our employees.
- We may process any of your personal data identified in this notice where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
- We may process any of your personal data identified in this notice where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
- In addition to the specific purposes for which we may process your personal data set out in this Section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- When we provide your data to others?
- We may disclose your personal data to your contracting party (Vendor, Selling User or Buying User, depending on the case) insofar as reasonably necessary for the performance of contract between you and these third-parties or to comply with legal obligations.
- We may disclose your personal data to any member of our group of companies (including our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes set out in this notice. Such may include internal administration purposes as well as provision/sharing of IT services or data centres in the group.
- We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- We may disclose your personal data to our anti-fraud, risks, and compliance providers insofar as reasonably necessary for the purposes of protecting your personal data and fulfilling our legal obligations.
- We may disclose your personal data to our payment service providers. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, transferring funds and dealing with complaints and queries relating to such payments and transfers.
- We may disclose your personal data to our shipping service providers. We will share relevant delivery data (e.g. recipient’s name, contact information and delivery address) only to the extent necessary for the purposes of delivering purchased products and dealing with complaints and queries relating to such deliveries. For more information, you can access the service providers’ privacy policies or terms and conditions. For example, if your shipment is delivered by Mondial Relay, then their General Terms and Conditions apply to the processing of your personal data.
- We may disclose your personal data to other service providers insofar as it is reasonably necessary to provide specific services (including, providers of servers and maintenance, email service providers, newsletter sending service providers, consumer review websites and other service providers). We take all the necessary measures to ensure that such subcontractors would implement proper organisational and technical measures to ensure security and privacy of your personal data.
- In addition to the specific disclosures of personal data set out in this Section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
- Some service providers indicated in this Section may be established outside the European Union, and European Economic Area (EEA). However, we always try to ensure that all of your data is processed within EEA. Please note that personal data may be less protected in non-EEA countries than in EEA countries. We closely monitor the evolving case law and guidelines of the Court of Justice of the European Union and data protection supervisory authorities on transfers outside the EEA, and carefully assess the conditions under which your data is transferred and may be further processed and stored after transfer to the above entities. To ensure the appropriate level of data security and to guarantee the lawful transfer of data, we conclude Standard Contractual Clauses approved by the European Commission or ensure other grounds and conditions established by legal acts. We will take all the necessary measures to ensure that your privacy will remain properly secured and protected. To find out more information regarding appropriate safeguards you may contact us via email: email@example.com.
- How long we store your data?
- Your personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. In any case it shall be kept for no longer than:
- account data will be retained for no longer than 5 (five) years following your last update on the account;
- transaction data will be retained for no longer than 10 (ten) years following the end of provision of services;
- AML data will be retained as long as it is necessary to comply with the related legal requirements;
- fraud detection data will be retained as long as account data, or longer if the User Account has been deemed as likely to commit fraud;
- messaging data will be retained for as long as your Account is active unless you withdraw your consent earlier;
- correspondence data will be retained for no longer than 6 (six) months following the end of such communication.
- In some cases, it is not possible for us to specify in advance the periods for which your personal data will be retained. I.e. usage data will be retained for as much as will be necessary for the relevant processing purposes.
- Notwithstanding the other provisions of this Section, we may retain your personal data for a longer period of time than indicated, in cases where:
- it is necessary for our legitimate business interests, such as fraud detection and prevention and enhancing safety. If GIFTOCARD suspends your User Account for safety and fraud prevention reasons, we may retain certain information from that User Account to prevent that User from opening a new User Account in the future;
- it is necessary to comply with our legal obligations. GIFTOCARD may keep some of your information for tax, legal reporting and auditing obligations;
- it is necessary to resolve legal disputes;
- it is necessary to enforce our agreements and/or pursue or protect our legitimate interests;
- as we protect Platform from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time.
- Marketing messages
- In case you consent, we will send you marketing messages via email and/or leave a notification in an Account to inform you on what we are up to.
- Also, if we already have provided services to you and you do not object we will inform you about our other products that might interest you including other information related to such.
- You may opt-out of receiving marketing messages at any time.
- You may do so by:
- choosing the relevant link in any of our marketing messages;
- contacting us via means provided in the Contacts section.
- Upon you having fulfilled any of the provided actions we will update your profile to ensure that you will not receive our marketing messages in the future.
- Please be informed that as our business activities consist of a network of closely related services, it may take a few days until all the systems are updated, thus you may continue to receive marketing messages while we are still processing your request.
- The opt-out of the marketing messages will not stop you from receiving messages directly related to the provision of services, updates to our terms and policies or other important messages related to the functioning of the Platform.
- Your rights
- In this Section, we have summarised the rights that you have under data protection laws. Some of the rights are complex thus we only provide the main aspects of such rights. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
- Your other principal rights under data protection law are the following:
- the right to access data;
- the right to rectification (note that you may exercise most of this right by logging in to your account);
- the right to erasure of your personal data;
- the right to restrict processing of your personal data;
- the right to object to processing of your personal data;
- the right to data portability;
- the right to complain to a supervisory authority; and
- the right to withdraw consent.
- The right to access data. You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
- The right to rectification. You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
- In some circumstances you have the right to the erasure of your personal data. Those circumstances include when: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent to consent-based processing and there is no other legal basis to process data; (iii) you object to the processing under certain rules of applicable data protection laws; (iv) the processing is for direct marketing purposes; or (v) the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. Such exclusions include when processing is necessary: (i) for exercising the right of freedom of expression and information; (ii) for compliance with our legal obligation; or (iii) for the establishment, exercise or defence of legal claims.
- In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are when: (i) you contest the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and (iv) you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data, however we will only further process such data in any other way: (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another person; or (iv) for reasons of important public interest.
- You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
- You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
- You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- The right to data portability. To the extent that the legal basis for our processing of your personal data is:
- consent; or
- performance of a contract or steps to be taken at your request prior to entering into a contract, necessary to enter into such,
- If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
- To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
- In addition to the specific measures provided in this Section or on the Platform, you may also exercise any of the rights indicated herein by contacting us via Contacts or via firstname.lastname@example.org.
- About cookies
We use cookies on our Platform to customize the functioning of our Platform as much as possible; cookies can also contribute to ease of use when navigating our Platform.
What is a cookie?
- A cookie is a small text file placed onto your device that enables our Platform features and functionalities. For example, cookies enable us to identify your device and secure your access to the Platform. They enable the Platform to store data, such as:
- Login data (IP address of the logging-in device, login time, location from which the login is attempted);
- Type of browser;
- Demographic data (age group, gender);
- Data about how you browse the Platform (which sections you visit, what products you are interested in).
- Cookies that we use
- Necessary Cookies – these cookies are necessary for a website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work;
- Analytical Cookies – these cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site;
- Preference cookies – these cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred region.
- Marketing cookies – these cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.
- Cookies used by our service providers
- A complete list and description of cookies used on www.GIFTOCARD.com may be found by clicking the Cookie Preferences link in the footer of the page.
- How can you control cookies?
- Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via information provided in the relevant browser support websites, for example Chrome; Firefox; Internet Explorer; Safari; Edge. To learn more about how to manage cookies, visit: http://www.allaboutcookies.org/manage-cookies/ or http://www.youronlinechoices.com/.
- Blocking all cookies will have a negative impact upon the usability of many websites.
- If you block cookies, you will not be able to use all the features on our Platform.
- You can adjust your cookie preferences by clicking the Cookie Preferences link in the footer of the page.
- Third party websites
On the Platform you may find links to and from partner sites, information sources and related party websites. Please take note that such third-party websites that you visit by clicking on links have their own privacy policies and we take no responsibility regarding such privacy policies. We recommend familiarising yourself with the privacy policies of such websites before providing any personal data to them.
- Children personal data
- Our Platform and services are targeted at persons over the age of 16 or another age under the respective country’s law which allows you to assume responsibility for obligations emerging from contractual relations and have a full capacity to take legal actions.
- If we have reason to believe that we hold personal data of a person under that age in our databases without having consent from the parent rights holder, we will delete that personal data.
- Updating your data
Please let us know if the personal information that we hold about you needs to be corrected or updated.
- Changes to the notice
Any changes to this notice will be published on the Platform and, in case of material changes, we may inform you about such via email.