Privacy Policy

Effective Date: January 24th, 2026

Last Updated: January 24th, 2026

1. Introduction

Welcome to Giftphoria ("we," "our," or "us"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our gift marketplace services, and when merchants use our Shopify Sales Channel application. Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

For Shopify Merchants: This policy applies to both our consumer marketplace and our Shopify Sales Channel app. When you install our Sales Channel app, you authorize us to access certain data from your Shopify store to provide our services. We act as a data processor on your behalf for customer data and as a data controller for your merchant account data.

2. Information We Collect

Personal Information

We may collect personal information that you voluntarily provide to us when you:

  • Create an account
  • Make a purchase or list items for sale
  • Contact customer support
  • Subscribe to newsletters or marketing communications
  • Participate in surveys or promotions

This information may include:

  • Name and contact information (email address, phone number, mailing address)
  • Payment information (billing address) - Note: We do not store credit card details or other sensitive payment information. All payment processing is handled by PCI DSS Level 1 compliant services (either Stripe or Shopify Billing, depending on the transaction type)
  • Account credentials (username, password)
  • Profile information and preferences
  • Transaction history and communication records

Information Collected Through Shopify Sales Channel

When you install our Shopify Sales Channel app, we access and collect information through the Shopify API to provide our marketplace services. We request the following access scopes from your Shopify store:

Merchant Information:

  • Shop name, email, and domain
  • Store location and timezone
  • Shopify plan type
  • Store preferences and settings

Product Information:

  • Product titles, descriptions, images, and prices (read and write access)
  • Product variants, SKUs, and barcodes
  • Product collections and tags
  • Publication status on our sales channel

Inventory Information:

  • Inventory levels and stock quantities (read and write access)
  • Location information for fulfillment
  • Inventory item IDs and tracking

Order Information:

  • Order details (items, quantities, prices) (read and write access)
  • Customer names and shipping addresses (from orders placed through our marketplace)
  • Order status, fulfillment, and tracking information
  • Order financial information and payment status

Customer Information (from orders placed through Giftphoria):

  • Customer first name, last name, email, and phone number
  • Shipping and billing addresses
  • Order history related to your products

Important: We only access customer information for orders placed through the Giftphoria marketplace. We do not access information about customers who purchase directly from your Shopify store through other channels. We act as a data processor for this customer information on your behalf.

Automatically Collected Information

When you visit our website, we automatically collect certain information, including:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Pages visited and time spent on pages
  • Referring website addresses
  • Cookies and similar tracking technologies

3. How We Use Your Information

For All Users

We use the information we collect to:

  • Process transactions and manage your account
  • Provide customer service and support
  • Send transactional communications (order confirmations, shipping updates)
  • Improve our website and services
  • Personalize your shopping experience
  • Send marketing communications (with your consent)
  • Prevent fraud and ensure platform security
  • Comply with legal obligations
  • Facilitate communication between buyers and sellers

For Shopify Merchant Data

We use data accessed through our Shopify Sales Channel app specifically to:

  • Display your products on the Giftphoria marketplace
  • Synchronize product information, pricing, and inventory levels
  • Create and manage orders placed through Giftphoria in your Shopify admin
  • Process payments and calculate platform fees as agreed in your merchant agreement
  • Update order fulfillment status and tracking information
  • Provide reporting and analytics about your sales performance on our platform
  • Send you notifications about orders, inventory changes, and account updates
  • Facilitate customer support for orders placed through our marketplace
  • Comply with GDPR and other data protection regulations through mandatory webhooks

For Customer Data from Shopify Orders

We process customer data from orders placed through Giftphoria solely to:

  • Fulfill orders (shipping, delivery, and customer communication)
  • Provide customer support for orders placed on our marketplace
  • Handle returns, refunds, and order issues
  • Comply with legal obligations and respond to data subject requests

We do not use customer data for marketing purposes, profiling, or any purpose beyond order fulfillment and legal compliance without explicit consent.

4. How We Share Your Information

We may share your information in the following circumstances:

With Other Users

  • Basic seller information may be visible to buyers for completed transactions
  • Communication through our platform may be facilitated between buyers and sellers

With Shopify

If you are a Shopify merchant using our Sales Channel app:

  • We share order data with Shopify to create and manage orders in your Shopify admin
  • We synchronize inventory levels and fulfillment information with Shopify
  • We comply with Shopify's mandatory privacy webhooks for GDPR compliance

With Service Providers

We may share information with third-party service providers who assist us with:

  • Payment processing: We use exclusively PCI DSS Level 1 certified payment processors. Marketplace transactions are processed through either Stripe or Shopify Billing. Shopify merchant app subscription charges are processed through Shopify Billing. Important: We do not store credit card numbers, CVV codes, or other sensitive payment information. All payment data is processed and stored exclusively by our PCI DSS Level 1 certified payment processors. We only receive and store transaction confirmation details (transaction IDs, payment status, billing address).
  • Shipping and fulfillment (Giftphoria Delivery Logistics, our internal delivery service)
  • Email communications (SendGrid by Twilio for transactional and marketing emails)
  • Website hosting and data storage (Vercel for hosting, Supabase for database)
  • Website analytics (Heap Analytics for usage analytics and performance monitoring)
  • Security services and fraud prevention (monitoring and protection services to detect suspicious activity)

All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or legal processes
  • Government requests
  • Protection of our rights or property
  • Investigation of fraud or security issues

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the internet or electronic storage is 100% secure.

Payment Card Security

We do not store, process, or have access to your complete credit card information. All payment card data is handled exclusively by one of our two PCI DSS Level 1 certified payment processors:

  • Stripe: Processes marketplace transactions and merchant payouts. Maintains the highest level of PCI DSS compliance with advanced fraud detection and encryption.
  • Shopify Billing: Processes marketplace transactions and all Shopify merchant app subscription charges through Shopify's secure payment infrastructure.

Depending on the transaction type, your payment will be processed by either Stripe or Shopify Billing. When you enter payment information, it is transmitted directly to the appropriate payment processor using industry-standard TLS encryption. We only receive confirmation of successful payment and basic transaction details (transaction ID, amount, billing address) necessary for order fulfillment and record-keeping.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Remember your preferences and login information
  • Analyze website traffic and usage patterns
  • Provide personalized content and advertisements
  • Improve website functionality

You can control cookie preferences through your browser settings, though this may affect site functionality.

7. Your Rights and Choices

General Data Subject Rights

Depending on your location, you may have the following rights:

  • Access to your personal information
  • Correction of inaccurate information
  • Deletion of your personal information
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Withdrawal of consent

To exercise these rights, please contact us using the information provided below.

For Shopify Merchants - GDPR Compliance

We comply with GDPR and other data protection regulations through Shopify's mandatory privacy webhooks. When your customers exercise their data rights, Shopify will notify us through the following mechanisms:

  • customers/data_request: When a customer requests their data, we will provide all personal data we hold about them within 30 days. This includes order information, shipping addresses, and communication records.
  • customers/redact: When a customer requests deletion of their data, we will permanently delete or anonymize their personal information from our systems within 30 days, except where retention is required by law.
  • shop/redact: When you uninstall our app or close your Shopify store, we will delete or anonymize all your store data within 48 hours, except for financial records required for tax compliance (retained for 7 years).

Merchant Responsibilities

As a Shopify merchant, you are the data controller for your customers' personal information. You are responsible for:

  • Obtaining proper consent from your customers for data processing
  • Maintaining your own privacy policy that covers sales through Giftphoria
  • Responding to customer data requests in compliance with applicable laws
  • Ensuring your use of customer data complies with GDPR, CCPA, and other regulations

We act as a data processor on your behalf and will assist you in responding to data subject requests.

Marketing Communications

You may opt out of marketing communications by:

  • Clicking unsubscribe links in emails
  • Updating your account preferences
  • Contacting us directly at hello@giftphoria.co

8. Data Retention

We retain your personal information for as long as necessary to:

  • Provide our services
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our agreements

Specific Retention Periods

  • Shopify Merchant Data: Retained while your store is actively using our Sales Channel app, plus 48 hours after uninstallation (except for financial records as noted below)
  • Order and Transaction Data: Retained for 7 years to comply with tax and financial regulations (IRS requirements for business records)
  • Customer Data (from Shopify orders): Retained for 2 years after the last order to facilitate returns, refunds, and customer support, unless deletion is requested earlier through GDPR webhooks
  • Marketing Data: Retained until you withdraw consent or request deletion
  • Analytics and Log Data: Retained for 13 months for security, fraud prevention, and service improvement

When information is no longer needed, we will securely delete or anonymize it (removing all personally identifiable information so it can no longer be linked to you). Anonymized data may be retained indefinitely for analytics and business insights, as it can no longer identify you personally.

9. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

10. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.

11. Automated Decision-Making and Profiling

No Automated Legal Decisions

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you without human oversight. All significant decisions about your account, products, or transactions involve human review.

Limited Automated Processing

We use limited automated processing for the following purposes only:

  • Fraud Detection: Automated systems flag potentially fraudulent orders for manual review
  • Product Recommendations: Algorithms suggest products to customers based on browsing behavior and preferences
  • Inventory Management: Automated synchronization of inventory levels between Shopify and Giftphoria
  • Order Routing: Automated assignment of orders to appropriate merchants

These automated processes do not make final decisions without human involvement when they might significantly affect you.

Your Right to Object

If you wish to opt out of automated processing (such as personalized product recommendations), you may contact us at hello@giftphoria.co to request manual processing or to object to specific automated systems.

12. Consent and Marketing Preferences

Types of Consent

We may request your consent for the following purposes:

  • Marketing Communications: Promotional emails, newsletters, and special offers (opt-in required)
  • Cookies and Tracking: Non-essential cookies for analytics and personalization

Withdrawing Consent

You may withdraw consent at any time by:

  • Clicking "unsubscribe" in marketing emails
  • Adjusting cookie preferences in your browser settings
  • Contacting hello@giftphoria.co

Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal. Some services may not function properly without certain consents.

For Shopify Merchants - Customer Consent

As a merchant using our Sales Channel, you are responsible for obtaining proper consent from your customers for:

  • Processing their data for order fulfillment through Giftphoria
  • Sharing their information with third-party processors (shipping carriers, payment processors)
  • Marketing communications if you choose to contact them

We respect and apply customer consent decisions communicated through Shopify's systems. If a customer opts out of marketing or data sharing, we will honor those preferences.

13. International Data Transfers

Giftphoria is based in the United States. If you are located outside the United States, please note that your information may be transferred to, stored, and processed in the United States and other countries where our servers and service providers operate.

Data Storage Locations

  • Database: Hosted on Supabase (AWS infrastructure) in the United States
  • Application Hosting: Vercel (United States)
  • Payment Processing: Either Stripe or Shopify Billing (both PCI DSS Level 1 compliant, operating globally)
  • Email Services: SendGrid by Twilio (United States)
  • Analytics: Heap Analytics (United States)

For European Economic Area (EEA) Users

If you are in the EEA, United Kingdom, or Switzerland, we rely on the following legal mechanisms for international data transfers:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our service providers to ensure adequate data protection
  • Adequacy Decisions: Where available, we rely on the European Commission's adequacy decisions for certain jurisdictions
  • Shopify Integration: When you use our Shopify app, data transfers are governed by Shopify's data processing agreements and transfer mechanisms

Your data is protected by appropriate safeguards that are essentially equivalent to those required by the GDPR, including encryption in transit and at rest, access controls, and contractual obligations with all processors.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Your continued use of our services after such changes constitutes acceptance of the updated policy.

15. For Shopify Merchants - Additional Information

Your Relationship with Giftphoria

When you install our Shopify Sales Channel app, you enter into a data processing relationship with us:

  • You are the Data Controller for your customers' personal information
  • Giftphoria is the Data Processor processing customer data on your behalf to fulfill orders
  • Giftphoria is the Data Controller for your merchant account information and business data

How to Manage Your Data

Accessing Your Merchant Dashboard:

  • View which products are published to Giftphoria
  • Monitor orders placed through our marketplace
  • Update your store settings and preferences
  • View your sales analytics and performance metrics

Submitting Data Requests:

  • To request all data we hold about your store: Contact hello@giftphoria.co
  • To request customer data deletion: Use Shopify's GDPR tools (we automatically receive the webhook)
  • To delete your merchant account: Uninstall our app from Shopify (triggers automatic data deletion within 48 hours)

Data Processing Agreement

By installing our Shopify Sales Channel app, you agree to our Data Processing Agreement which includes:

  • Our commitment to process data only according to your instructions
  • Security measures including encryption, access controls, and regular audits
  • Assistance with data subject requests from your customers
  • Sub-processor disclosure (Stripe, Shopify Billing, Supabase, SendGrid, Giftphoria Delivery Logistics)
  • Liability and indemnification terms

Security Measures for Merchant Data

We implement the following security measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication (OAuth 2.0 with Shopify)
  • Regular security audits and penetration testing
  • Automated backup systems with encryption
  • HMAC signature verification for all webhook communications
  • Limited staff access to production data (need-to-know basis)
  • Security incident response procedures

Third-Party Access to Your Data

We share your data only with the following categories of sub-processors:

  • Payment Processors (exclusively Stripe or Shopify Billing): All marketplace transactions are processed by either Stripe or Shopify Billing (both PCI DSS Level 1 certified). Important: These payment processors handle all payment card information. We do not store credit card numbers, CVV codes, or other sensitive payment data. We only receive transaction confirmation details.
  • Shopify Billing: Additionally handles all Shopify merchant app subscription charges. All payment information is processed and stored by Shopify's secure infrastructure, not by Giftphoria.
  • Supabase (PostgreSQL on AWS): Database hosting and storage (does not contain payment card information)
  • Giftphoria Delivery Logistics: Our internal delivery service for order fulfillment and delivery tracking
  • SendGrid by Twilio: Email service provider for transactional notifications to you and your customers
  • Heap Analytics: Analytics platform for understanding usage patterns and improving our services

All sub-processors are bound by contract to protect your data and use it only for specified purposes. We conduct due diligence on all sub-processors before engagement.

What Happens When You Uninstall

When you uninstall our Shopify Sales Channel app:

  • Within 48 hours: Your merchant account data, product listings, and store settings are deleted
  • Retained for 7 years: Financial transaction records (required for tax compliance)
  • Customer data: Anonymized or deleted according to GDPR requirements and customer data requests
  • You retain: All data in your Shopify admin (orders, products, customers) - we only delete our copies

Questions About Your Merchant Data

For any questions specific to your Shopify merchant data, including data processing questions, security inquiries, or compliance documentation, please contact: hello@giftphoria.co

16. Contact Information

If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us:

Giftphoria

General Inquiries:

Email: hello@giftphoria.co

Phone: 714-497-7013

Address: 2453 Silver Lake Blvd, Los Angeles CA 90039

Privacy and Data Protection Inquiries:

Email: hello@giftphoria.co

For Shopify Merchants:

Sales Channel Support: hello@giftphoria.co

Subject line: "Shopify Sales Channel - [Your Shop Name]"

Data Subject Requests (GDPR, CCPA):

Email: hello@giftphoria.co

Please include "Data Request" in the subject line and provide sufficient information to verify your identity.

We will respond to all requests within 30 days (or as required by applicable law). For urgent privacy matters, please mark your communication as "Urgent."