Last updated: June 1, 2023
Welcome to Giftagram's privacy notice.
CONTROLLER OR PROCESSOR
We are Giftagram Inc. ("we", "us" and "our"), and we are registered in Canada and the United States. We are either the controller and responsible for your personal data or processor when a customer of ours sends you a gift (collectively referred to as “we”, “us” or “our” in this privacy notice).
For any queries about our Privacy Notice, feel free to get in touch – simply email firstname.lastname@example.org.
1. IMPORTANT INFORMATION AND WHO WE ARE
PURPOSE OF THIS PRIVACY NOTICE
This privacy notice is designed to provide you with details on how Giftagram collects and processes your personal data through the use of this website (which includes the domain https://www.giftagram.com/ and all associated subdomains), including any data you may provide when you engage with us, subscribe to our newsletter, buy a product or service, or participate in a competition.
This website is not meant for children and we do not knowingly gather data pertaining to children. By using the website, you confirm that you meet this requirement. If we find out that we have unintentionally collected personal data from a child, we will promptly delete that personal data from our systems.
It's crucial that you read this privacy notice along with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you. This privacy notice complements the other notices and is not intended to override them.
This website may feature links to third-party websites, plug-ins, and applications, including social media platforms like LinkedIn, Youtube, and Facebook. Clicking on those links or enabling those connections may let third parties gather or share data about you. We do not have control over these third-party websites and are not liable for their privacy policies. Upon leaving our website, we urge you to read the privacy notice of every website you visit.
2. THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, is any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store, and transfer various kinds of personal data about you which we have grouped together as follows:
Identity Data includes first name, last name, username or similar identifier, social media handle, job title, and company.
Contact Data includes billing address, delivery address, email address, and telephone numbers.
Transaction Data includes details of products and services you have purchased from us.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data includes downloads, purchases or requests made by you, your interests, preferences, feedback, and survey responses.
Usage Data includes information about how you use our website, products, and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offenses. We do not and will not sell any personal data to third parties.
IF YOU FAIL TO PROVIDE PERSONAL DATA
If we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
3. HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your [Identity, Contact, and Financial Data] by filling in forms or by corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:
apply for or use our products or services;
subscribe to our service or publications;
request marketing or content to be sent to you;
attend one of our events or meet us at an event hosted by a third party;
correspond with our Sales or Customer Success teams;
enter a competition, promotion, or survey; or
give us feedback.
Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies and other similar technologies.
Third parties or publicly available sources. We may receive personal data about you from various third parties as set out below:
Technical Data from analytics providers such as Google and Hubspot based outside the US;
Identity and Contact Data from publicly available sources such as the Companies Register based inside the US.
4. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform the contract we are about to enter into or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Where we need to comply with a legal or regulatory obligation. Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by Contacting us.
PURPOSES FOR WHICH WE USE YOUR PERSONAL DATA
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. DISCLOSURES OF YOUR PERSONAL DATA
We may have to share your personal data with the parties set out below:
Any member of our group, which means our subsidiaries, affiliates or a parent company from time to time, who support our processing of personal data under this notice.
Customers of ours who are sending gifts to you.
Companies that we work with or partner with to deliver our content, services or events to you, such as ticketing companies, payment service providers, events companies, delivery companies and catering companies.
Professional services and technology providers such as marketing agencies, advertising partners, website and landing page hosts, IT support services, and marketing and sales technology companies, such as CRM or Marketing Automation tools, who help us run our business.
Analytics and search engine providers that assist us in the improvement and optimisation of our Services (this will not identify you as an individual).
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
Credit reference agencies, law enforcement and fraud prevention agencies, so we can help tackle fraud.
Companies approved by you, such as social media sites (if you choose to link your accounts to us).
We may retain or provide third parties with aggregated but anonymized information and analytics about our customers and recipients but, before we do so, we will make sure that it does not identify you.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
6. INTERNATIONAL TRANSFERS
Giftagram and its vendors may share your personal data. This could involve transferring your data outside the United States and Canada.
Some of our third-party partners operate beyond the United States and Canada, and hence, their handling of your personal data could involve moving data outside these countries.
Whenever we transfer your personal data out of the United States or Canada, we ensure it receives a similar level of protection by implementing at least one of the following safeguards:
We will only transfer your personal data to countries that the relevant authorities in the United States or Canada have recognized as providing an adequate level of protection for personal data.
We may use specific contracts approved by relevant data protection authorities in the United States or Canada, which offer personal data the same protection it has in these countries.
Please reach out to us if you desire more information about the specific method we use when transferring your personal data outside of the United States and Canada.
7. DATA SECURITY
At Giftagram, we have employed suitable security measures to protect your personal data from being inadvertently lost, used or accessed in an unauthorized manner, modified or disclosed. Access to your personal data is restricted to our employees, agents, contractors, and other relevant third parties who require the information for business purposes. They are permitted to process your personal data based on our directives and are obligated to maintain confidentiality.
Procedures are in place to address any suspected data breach incidents. Should a legal requirement arise, we will notify you and the pertinent regulatory authority about the breach.
Your information is stored securely on our servers. If you have been given or have chosen a password that allows you access to specific sections of our website, the responsibility of maintaining this password's confidentiality rests with you. We implore you not to share your password with anyone.
While we strive to safeguard your personal information using SSL encryption and other security measures, it must be noted that data transmission over the internet isn't entirely secure. Hence, any data transmission to the website is undertaken at your risk. However, upon receipt of your information, we use stringent procedures and security mechanisms to avert unauthorized access.
8. DATA RETENTION
FOR HOW LONG WILL YOUR PERSONAL DATA BE RETAINED?
We retain your personal data only as long as is necessary to serve the purposes for which it was collected, including to meet any legal, accounting, or reporting obligations, and in certain instances for a period of six years thereafter to identify and resolve any potential issues or legal proceedings.
To establish the suitable retention period for personal data, we take into account the quantity, nature, and sensitivity of the personal data, the potential risk arising from unauthorized use or disclosure of your personal data, the purposes for processing your personal data and if those purposes can be achieved by other means, and the legal requisites applicable.
In certain situations, you may request us to delete your data: please refer to the section on request erasure below for more information.
In some scenarios, we might anonymize your personal data (making it impossible to associate it with you) for research or statistical objectives. In such cases, we may indefinitely use this information without any further notice to you.
9. YOUR LEGAL RIGHTS
You possess rights regarding your personal data under data protection laws. If you wish to exercise any of these rights specified in the Glossary, kindly reach out to us at email@example.com.
You have the right to be informed, which means you're entitled to clear, transparent information about how your data is used and protected. You can also exercise the right of access, allowing you to receive a copy of your personal data that the website holds.
You possess the right to rectification, enabling you to have your personal data corrected if it's inaccurate or incomplete. You can invoke the right to erasure, or the right to be forgotten, to request deletion or removal of your personal data from the website's records under certain conditions.
The right to restrict processing allows you to limit the way the website uses your data. Coupled with this is the right to data portability, permitting you to request the transfer of your personal data directly from one 'controller' to another, if technically feasible.
In some circumstances, you can exercise the right to object, allowing you to challenge the processing of your personal data, such as for direct marketing. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
You, or a third party of your choosing, can ask for your personal data to be transferred. We will provide this data in an organized, universally recognized, and computer-friendly format. This right pertains only to automated data that you initially permitted us to use or that we utilized to fulfill an agreement with you.
You are free to revoke your consent at any point if we depend on consent to process your personal data. Remember, this won't impact the legitimacy of any processing that took place before your withdrawal. If you do choose to withdraw consent, we might not be able to deliver specific products or services. If this is the case, we will inform you when you withdraw your consent.
Bear in mind that these rights can vary depending on the jurisdiction. While these rights align with the General Data Protection Regulation (GDPR) in the European Union, different regions may enforce slightly different standards
WHAT WE MAY NEED FROM YOU
We may ask you for specific information to help us verify your identity and ensure your right to access your personal data (or to exercise any of your other rights). This security measure prevents the disclosure of personal data to any individual who isn't entitled to receive it. To expedite our response, we might also reach out to you for more information related to your request.
TIME LIMIT TO RESPOND
We aim to respond to all legitimate requests within one month. In case your request is particularly complicated or if you have made multiple requests, it might take us longer than a month. In such cases, we will keep you informed and updated.
10. CCPA NOTICE
For clarity, we do not sell your personal information, including sensitive personal information, as defined under California law. In accordance with the California Consumer Privacy Act (the ”CCPA”) in this CCPA notice, “sold” or “sale” refers to the disclosure of personal information for monetary or other valuable consideration but does not include, for instance, the transfer of personal information as an asset that is part of a merger, bankruptcy, or other disposition of all or any portion of our business.