Privacy Policy
This Privacy Policy describes how GiftIt LLC (“GiftIt,” “we,” or “us”) collects, uses, shares, and protects personal information when you use the GiftIt website, mobile app, business portal, and related services (the “Services”). It also explains the rights you may have under U.S. state privacy laws including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), and the comprehensive consumer-privacy laws of Iowa, Montana, Tennessee, Indiana, Kentucky, New Hampshire, New Jersey, Delaware, Maryland, Minnesota, Nebraska, and Rhode Island.
1. Information we collect
Information you provide
- Account information. Name, email address, password (stored as a salted hash), phone number, and profile photo.
- Payment information. Card details, billing address, and ACH details are collected and stored by our payment processor; we receive a tokenized reference and limited metadata (last four digits, card brand, expiration).
- Recipient information. When you send a gift, the recipient’s name, email address, and any personal message you choose to include.
- Business information. For GiftIt Business accounts: company name, address, tax identification, verification documents, employee rosters (name, email, optional department, optional birthday or anniversary), and campaign settings.
- Support communications. Messages, attachments, and metadata you provide when you contact us.
Information collected automatically
- Device and usage data. IP address, device identifiers, browser type, operating system, app version, language, time zone, referring URLs, pages and screens visited, and interaction events.
- Approximate location. Derived from IP address. The mobile app does not collect precise GPS location unless you grant explicit permission.
- Cookies and similar technologies. See our Cookie Policy for details.
- Push tokens. If you enable push notifications, we receive a device token issued by Apple Push Notification service or Firebase Cloud Messaging.
Information from third parties
- Payment processors share transaction status, fraud signals, and limited payment-method metadata.
- Gift card providers (such as Runa) share order status, redemption codes, and remaining-balance updates.
- Identity-verification and fraud-prevention vendors may share signals when you fund a wallet or create a business account.
- Single sign-on providers (if you sign in with Apple or another SSO) share the basic profile information you authorize.
2. How we use information
We use personal information to:
- provide, maintain, and improve the Services, including processing gift-card purchases, delivering gifts, managing your wallet, and operating business campaigns;
- authenticate you, secure your account, and detect and prevent fraud, abuse, and other unlawful or unauthorized activity;
- send transactional communications (purchase confirmations, delivery notifications, temp-password resets, security alerts);
- respond to support requests;
- send service updates and, where permitted by law and your preferences, marketing communications, which you may unsubscribe from at any time;
- comply with legal obligations including tax, anti-money-laundering, and state unclaimed-property requirements; and
- analyze how the Services are used and develop new features.
3. Legal bases (for users in jurisdictions where this applies)
Where applicable law requires a legal basis, we rely on the following: performance of our contract with you (to provide the Services), our legitimate interests (to operate, secure, and improve the Services and to prevent fraud), your consent (for marketing communications and optional permissions like push notifications and precise location), and compliance with legal obligations.
4. How we share information
We do not sell personal information for money. We share personal information with the following categories of recipients:
- Service providers that perform functions on our behalf (cloud hosting, payment processing, gift-card fulfillment, email delivery via Resend, push delivery via Firebase, analytics, customer support, identity verification, fraud prevention). These providers are contractually limited to processing personal information on our instructions.
- Recipients of gifts you send. The recipient’s email address is used to deliver the gift; if you include a personal message, the recipient will see it.
- Business administrators. If you are an employee or member of a business account, administrators of that account may see your name, email, and gift-related activity within the program.
- Legal and safety. When required by law, subpoena, or court order, or when we believe in good faith that disclosure is necessary to protect rights, safety, or property, or to investigate fraud or other unlawful activity.
- Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to the protections of this Policy.
- With your consent or at your direction.
“Sale” and “sharing” under state laws. Some state privacy laws define “sale” or “sharing” broadly to include certain types of data exchanges for cross-context behavioral advertising. We do not knowingly sell personal information for monetary consideration and we do not engage in cross-context behavioral advertising of personal information. If this changes, we will update this Policy and provide an opt-out.
5. Data retention
We retain personal information for as long as needed to provide the Services and for legitimate business purposes such as fraud prevention, dispute resolution, tax and accounting compliance, and enforcement of our agreements. Gift-card transaction records are retained for the period required by applicable financial and unclaimed-property law. When personal information is no longer needed, we delete or de-identify it.
6. Security
We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Passwords are stored using bcrypt with industry-standard salt rounds; access tokens are short-lived and rotated; sensitive payment data is handled by our PCI-compliant payment processor and not stored on GiftIt’s servers. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
7. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact us at privacy@trygiftit.com and we will take steps to delete it.
8. Your privacy rights
Depending on where you live, you may have some or all of the following rights:
- Access / Know. Request a copy of the personal information we hold about you and information about how we have processed it.
- Correct. Request that we correct inaccurate personal information.
- Delete. Request that we delete personal information about you, subject to legal exceptions (for example, fraud-prevention records or completed transactions we are required to retain).
- Portability. Receive a copy of certain personal information in a portable format.
- Opt out of sale or sharing for cross-context behavioral advertising — we do not engage in these activities, but you may still submit an opt-out request.
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
- Limit the use of sensitive personal information. We use sensitive personal information only as necessary to provide the Services.
- Non-discrimination. We will not discriminate against you for exercising any of these rights.
- Appeal. If we deny your request, you may appeal by replying to our response.
To exercise these rights, email privacy@trygiftit.com or use the request form in your account settings. We will verify your identity before fulfilling a request, typically by confirming control of the email address on file or by asking for additional information. You may also designate an authorized agent to submit a request on your behalf, subject to verification.
California “Shine the Light”. California residents may request information about disclosure of personal information to third parties for direct-marketing purposes once per year by emailing privacy@trygiftit.com.
9. Cookies and tracking technologies
We use cookies, local storage, SDKs, and similar technologies to operate the Services, remember your preferences, analyze usage, and prevent fraud. See our Cookie Policy for the details and how to control them. We honor Global Privacy Control (GPC) signals as a valid opt-out request where required by law.
10. International users
GiftIt operates from the United States. If you access the Services from outside the United States, you understand that your personal information will be transferred to, stored, and processed in the United States, which may have data-protection rules different from those in your country of residence.
11. Changes to this Policy
We may update this Policy from time to time. If we make material changes we will give reasonable notice — by posting the updated Policy with a new “Last updated” date and, where appropriate, by email or in-product notice. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
12. Contact us
Questions, complaints, or requests? Email privacy@trygiftit.com.
