Giftagram Shopify App — Privacy Policy

Last updated: May 1, 2026

​

INTRODUCTION

 

This Privacy Policy is intended to provide transparency about how Giftagram Inc. ("Giftagram") gathers, processes, and uses data in connection with the Giftagram Shopify sales channel application (the "App") and orders sourced through the Shopify sales channel.
 

This Privacy Policy applies to data Giftagram processes on behalf of Shopify merchants who install the App and to data Giftagram collects directly from gift senders and gift recipients in connection with Shopify-channel orders. It does not encompass services or activity on the Giftagram retail website at www.giftagram.com or the GiftCenter B2B platform, which are governed by the Giftagram Web Privacy Policy and the Giftagram Product Privacy Policy respectively.
 

We regard the right to privacy seriously. If you have questions about this policy, please contact privacy@giftagram.com. For App and merchant-data questions, contact partners@giftagram.com.

​

​​

OUR ROLE

​

Giftagram acts in two distinct roles depending on the data, as set out in the Giftagram Shopify App Terms of Service:

​

• Giftagram acts as a data controller for (i) personal data Giftagram collects directly from gift senders ("purchasers") and gift recipients in connection with Shopify-channel orders, including sender contact information, payment data, recipient contact information, gift personalizations, and engagement data tied to gift links and emails; and (ii) data relating to Shopify merchants — including store profile and contact information — that Giftagram accesses through the Shopify API and uses to operate the App and the Giftagram marketplace.
   

• Giftagram acts as a data processor for the subset of personal data Giftagram transmits to a Shopify merchant on the merchant's behalf — primarily, the gift recipient's shipping address, gift message, and order metadata synchronized to the merchant's Shopify store for fulfillment. The Shopify merchant is the data controller for that data once received.

​

Giftagram does not access a Shopify merchant's existing customer records. The customer record that appears in a merchant's Shopify store as a result of a Giftagram-created order uses a Giftagram-generated placeholder email — not the gift sender's actual contact information.

 

​

INFORMATION WE COLLECT THROUGH THE APP

​

From Shopify Merchants (Giftagram acts as controller for merchant data; processor for transmissions back to merchant store)

​

When a merchant installs and operates the App, Giftagram receives:

 

• Store profile information — store name, owner email, store address, plan, currency, and other store profile details made available via the Shopify API. Giftagram is the data controller for this information and uses it to operate the App and the Giftagram marketplace.
   

• Product catalog data — titles, descriptions, images, variant details, inventory levels, and publishing status, accessed under the scopes the merchant has authorized for products the merchant has published to the Giftagram sales channel.
   

• Integration credentials — Shopify API access tokens, OAuth credentials, webhook secrets, and (where applicable) Stripe Connect credentials associated with the installation.
   

• Operational and audit logs — application and API logs related to the merchant's Shopify-channel activity.

 

Giftagram does not access a merchant's existing Shopify customer records. The customer record that appears in a merchant's Shopify store as a result of a Giftagram-created order uses a Giftagram-generated placeholder email — not the gift sender's actual contact information. The data Giftagram transmits to a merchant's Shopify store on the merchant's behalf (recipient shipping address, gift message, order metadata, line items) is processed by Giftagram as a data processor, with the merchant as the controller of the received copy.

 

Merchants seeking more information about the data Giftagram processes on their behalf, including notice and consent obligations toward their own end customers, should contact partners@giftagram.com to request a Data Processing Agreement (DPA), which forms part of the Shopify App Terms of Service upon execution.

​

​

From Gift Senders and Gift Recipients (Giftagram acts as controller)

 

When a sender places a Shopify-channel order through a Giftagram surface, and when a recipient interacts with a Giftagram-delivered gift link or email, Giftagram collects:

​

• Information you provide to us — sender name, email address, telephone number, and billing address; recipient name, email address, telephone number, shipping address, and gift message; and order details associated with the gift. Payment card data is processed by Stripe and is not stored by Giftagram, except for payment method metadata (card type and last four digits only).
   

• Information we collect automatically — engagement signals such as whether a gift email was opened, whether a gift link was clicked, and whether a digital gift was claimed; and technical data such as IP address, browser type and version, device and operating system information, and time zone, collected when you interact with a Giftagram-hosted page or email.

​

We do not collect special categories of personal data (such as race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, genetic, or biometric data) and we do not collect information about criminal convictions or offenses. We do not and will not sell personal data to third parties.

 

​

HOW WE USE THE DATA WE COLLECT

​

We use the information we collect to provide the App and the Shopify-channel gifting service, including:

​

• Operating, maintaining, and enhancing the App and the gifting service;
   

• Processing and fulfilling Shopify-channel orders and delivering gifts to recipients;
   

• Synchronizing order data back to merchant Shopify stores;
   

• Sending transactional emails (gift link emails, order confirmations, delivery updates, thank-you messages);
   

• Securing the App, defending against fraud and payment disputes, and maintaining operational and audit logs;
   

• Generating aggregated reports, insights, and statistics for our services and platform improvement; and
   

• Complying with legal, tax, accounting, and regulatory obligations.

​

The use of information gathered through the App is confined to the objective of offering the App and the Shopify-channel services, and to the related purposes described above.

​

​

SHARING INFORMATION WITH THIRD PARTIES

 

We do not share personal data with third parties without your consent except as described in this Privacy Policy or as governed by a contract between Giftagram and a Shopify merchant in connection with the App.

​

To the Shopify Merchant

​

Giftagram synchronizes order data to the merchant's Shopify store via the Shopify API for fulfillment, tracking, and inventory management. The synchronized order contains line items, the gift recipient's shipping address, gift message, order tags, and a Giftagram-generated placeholder email — but not the gift sender's actual personal contact information. From the moment that data lands in the merchant's store, the merchant is the data controller for that copy of the data, and the merchant's own privacy practices apply.

​

To Subprocessors for the Delivery of the Services

​

We share data with the following subprocessors for the purposes of delivering the App and the gifting service:

​

​

• Amazon Web Services — primary cloud hosting; data is stored in the United States (us-east-1 region).
   

• Stripe — payment processing (United States, multi-region).
   

• Mandrill (a Mailchimp transactional email product) — transactional email delivery, including gift link emails, order confirmations, and thank-you messages (United States).
   

• AfterShip — shipment tracking and delivery status notifications for orders fulfilled by Shopify partners (United States and other regions).
   

• Bugsnag (a SmartBear product) — backend error monitoring and exception reporting; error contexts may incidentally include user identifiers, request payloads, and other personal data captured at the time of an exception (United States).
   

• Shopify — order data synchronized to merchant Shopify stores is processed by Shopify on its global infrastructure, which may include the United States, Canada, the European Union, and the United Kingdom.

These subprocessors are only permitted to use personal data as required to provide services to Giftagram and in accordance with applicable data protection laws. A current list of subprocessors and a Data Processing Agreement are available on request to partners@giftagram.com.

​

In Compliance With Laws

​

We may share personal data with a third party where: (i) we have a duty to disclose the data to comply with legal obligations, including applicable law, regulation, legal process, or governmental request; (ii) it is necessary to protect the security and integrity of the App; (iii) it is needed to enforce our policies and agreements; or (iv) where directed by you.

​

​

Business Transfers

 

We may disclose data to a third party in connection with the negotiation of any merger, financing, or acquisition of all or a portion of our business or assets.

​

​

Aggregated and Anonymized Data

​

We may share aggregated or anonymized information with third parties; this information will not directly identify you.

​

​

HOW WE STORE THE INFORMATION

 

Giftagram stores personal data accessed under this Privacy Policy on Amazon Web Services (AWS) infrastructure located in the United States (us-east-1 region). Personal data may also be processed by subprocessors located in the United States, Canada, and other regions, as listed above.

​

Where personal data of individuals located in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States or to other third countries, Giftagram relies on appropriate safeguards under applicable law, including (as applicable) the European Commission Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, and the Swiss FDPIC clauses.

​

Personal data is protected by industry-standard security measures, including encryption in transit (TLS 1.2 or higher), encryption at rest (AWS Key Management Service), restricted access on a need-to-know basis with multi-factor authentication, HMAC-SHA256 webhook signature verification, centralized logging, regular vulnerability assessments, and a documented incident response process. Giftagram notifies affected merchants of a data breach within 72 hours of becoming aware of the breach, where required by applicable law.​

​

​​

HOW LONG WE RETAIN DATA

 

Retention periods for each category of personal data accessed under this Privacy Policy are defined in the Giftagram Shopify-Scoped Data Retention Policy at https://www.giftagram.com/dropship-app-data-retention. 

​

In summary:

​

• Store profile, product catalog data, and integration credentials — deleted or anonymized within 30 days of a shop/redact webhook (~48 hours after merchant uninstall); access tokens are revoked immediately on uninstall.
   

• Recipient personal data — retained for up to 365 days following the date the order reaches a terminal status (delivered, cancelled, or invalidated), after which it is irreversibly anonymized.
   

• Sender personal data — retained for the duration of the sender's account; anonymized following 48 months of account inactivity.
   

• Operational and audit logs — up to 425 days; financial and accounting records up to 7 years; database backups 35 days.
  ​

Anonymized and aggregated data may be retained indefinitely for analytics and platform improvement.

​

​

YOUR RIGHTS

 

Where applicable law grants you rights with respect to your personal data, Giftagram honours those rights, including the right to access, correct, delete, restrict processing of, port, and object to processing of your personal data, and the right to withdraw consent where processing is based on consent

​

• Where Giftagram is acting as a data processor on behalf of a Shopify merchant, individuals must direct their rights requests to the merchant, who is the data controller. Giftagram will support the merchant in fulfilling those requests within a reasonable timeframe.

​

• Where Giftagram is acting as a data controller (for example, for gift senders and gift recipients in connection with Shopify-channel orders), rights requests may be submitted to partners@giftagram.com for App-related data, or to privacy@giftagram.com for general privacy questions. We aim to respond within 30 days of identity verification, with extensions where necessary under applicable law.​

​

​

Shopify GDPR Webhook Flows

​

Giftagram processes the following Shopify GDPR webhooks within 30 days of receipt:

​

• customers/data_request — a per-customer data export request triggered by a merchant. Giftagram delivers an export in structured JSON or CSV format, excluding internal security and operational records.

​

• customers/redact — a per-customer deletion request triggered by a merchant. Giftagram deletes or anonymizes the customer's personal data tied to the requesting store, subject to the retention obligations described in the Data Retention Policy. Customer account records are deleted only where the customer has no remaining orders with other Giftagram partners; otherwise, account records are preserved for those other partner relationships and only the order-level data tied to the requesting store is anonymized.

​

• shop/redact — triggered approximately 48 hours after a merchant uninstalls the App. Giftagram deletes store contact information and integration credentials, anonymizes catalog and order data, and hides affected products from the Giftagram catalog.

​

​

California Residents

​

Giftagram does not sell personal information, including sensitive personal information, as defined under California law. California residents have the rights to know, delete, correct, and to non-discrimination for exercising those rights, in addition to the rights described above.

​

​​

CHANGES TO THIS PRIVACY POLICY

 

Giftagram may modify this Privacy Policy from time to time and will update the "Last updated" date accordingly. In some instances, we may provide additional notice, such as an email notification to merchants. All Shopify merchants will be directly notified of any significant changes to this policy.

​

If you disagree with any changes made to the policy and do not wish for your information to continue to be subject to the updated Privacy Policy, do not continue to use the App or interact with Giftagram-delivered gift links and emails. Continued use of the Shopify-channel services constitutes consent to the changes.

​