Who we are
Giftl-AI (“Giftl-AI”, “we”, “us”, or “our”) is operated by:
We are the “controller” for personal data processed through the Giftl-AI iOS application and our website at giftl-ai.com (together, the “Service”).
Scope of this policy
This policy applies to personal data processed through:
- The Giftl-AI iOS application available on the Apple App Store;
- The Giftl-AI website at giftl-ai.com;
- Email and customer-support communications you send to us.
It does not apply to third-party websites, products, or services that we may link to (such as retailers reached through affiliate links). Those are governed by their own privacy policies, which we encourage you to read.
What data we collect
We collect only the data we need to run the Service. Different categories of data are described below.
3.1 Account data
When you create a Giftl-AI account, we collect:
- Email address — used to sign you in and to send essential service messages.
- Display name — shown inside the app.
- Password — stored only as a salted, hashed value; we cannot read it.
- Authentication identifiers from sign-in providers — if you sign in with Google or Apple, we receive the email address, name, and a stable user identifier from those providers. We never receive your provider password.
3.2 Profile and gifting data you enter
Inside the app you may create profiles for the people you give gifts to. This may include:
- The recipient's name, relationship to you, approximate age, and an avatar emoji or photo;
- Their hobbies, life phases, favourite cuisines, brands, or destinations;
- Upcoming occasions (birthdays, anniversaries, etc.) and dates;
- Wishlists, bookmarks, and gift ideas you save;
- Gift history — descriptions of gifts you have given, ratings, reviews, and (optionally) photos you attach.
3.3 Device permissions you grant
The app requests the following iOS permissions. You can decline any of them and the rest of the app will continue to work.
Photos attached to gift reviews are currently stored locally on your device only, in the app's private storage. They are not uploaded to our servers and are deleted when you delete the corresponding gift or uninstall the app.
3.4 Usage and device data
To operate the Service reliably, we collect limited technical data:
- App version, iOS version, device model (e.g. iPhone 14);
- Anonymous diagnostic information about crashes and errors;
- Approximate region inferred from your IP address (country level only — not precise location);
- Aggregated usage statistics (e.g. number of searches performed) used to improve recommendations.
We do not use Apple's App Tracking Transparency framework because we do not track you across other companies' apps or websites.
3.5 Communications
If you contact us by email or through an in-app form, we keep your message and our reply so we can follow up.
How we use your data
We use your personal data for the purposes below — and no others.
- To provide the Service — running your account, syncing your data across devices, surfacing your saved profiles, occasions, and wishlists.
- To generate gift recommendations — matching the preferences you record (or that you input for a one-off search) against our product catalogue.
- To send you reminders — push notifications for upcoming occasions, if you have enabled them.
- To support and improve the Service — fixing bugs, monitoring stability, refining how the app behaves based on aggregated usage signals.
- To send essential service emails — password resets, security notices, material changes to these policies.
- To respond to your requests — replying to support emails or exercising your data-protection rights (see §9).
- To comply with legal obligations — including tax, accounting, and lawful requests from authorities.
We do not sell your personal data. We do not share it with advertisers. We do not use it to train AI models.
Legal bases for processing (GDPR Art. 6)
If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — for everything strictly needed to give you the Service you signed up for (account, profiles, wishlists, sync, gift history, recommendations).
- Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, and limited aggregated analytics. Our legitimate interest is operating a safe and reliable product. You can object at any time (see §9).
- Consent (Art. 6(1)(a)) — for push notifications and any optional in-app feature you turn on. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)) — for record-keeping required by tax, accounting, or other applicable law.
Third parties & processors
We use a small number of carefully chosen service providers to run the Service. Each of them is bound by a data-processing agreement and may only process your data on our instructions.
We will update this list when sub-processors change. We do not authorise these providers to use your data for their own purposes.
International transfers
Some of our service providers are located outside the European Economic Area (principally in the United States). Where data is transferred, we rely on:
- The EU–U.S. Data Privacy Framework, where the provider is certified; and / or
- The European Commission's Standard Contractual Clauses (Module 2: Controller to Processor);
- Supplementary technical and organisational measures, including encryption in transit and at rest.
You can request a copy of the safeguards in place by contacting us at privacy@giftl-ai.com.
Retention & deletion
We keep personal data only as long as we need it for the purposes set out in §4.
- Account & profile data — for as long as your account is active. You can delete your account from inside the app (Settings → Account → Delete account) or by emailing us at privacy@giftl-ai.com. We will fulfil the request within 30 days.
- Gift photos — these are stored locally on your device. Deleting the gift, deleting your account, or uninstalling the app removes them.
- Diagnostic data — kept for up to 90 days, then aggregated or deleted.
- Support emails — kept for up to 24 months after the last reply, unless we need to keep them longer for a legal claim.
- Tax and accounting records — kept for the periods required by German law (typically 6–10 years).
When you delete your account, we delete your personal data from our active systems. Backups may retain it for up to 35 additional days before being overwritten in the normal backup rotation.
Your rights
Under the GDPR you have the following rights. We honour these rights for all users worldwide where lawful.
- Access (Art. 15) — you can ask for a copy of the personal data we hold about you.
- Rectification (Art. 16) — you can correct inaccurate or incomplete data. Most fields are editable directly in the app.
- Erasure (Art. 17) — you can ask us to delete your data. You can also delete your account directly in the app.
- Restriction (Art. 18) — you can ask us to pause processing in certain circumstances.
- Data portability (Art. 20) — you can ask for a machine-readable copy of the data you provided to us.
- Objection (Art. 21) — you can object to processing based on our legitimate interests.
- Withdraw consent (Art. 7) — where we process data on the basis of consent, you can withdraw it at any time.
- Lodge a complaint — you can complain to your local data-protection authority (see §14).
To exercise any of these rights, email privacy@giftl-ai.com. We will respond within one month, as required by the GDPR. We may need to verify your identity before acting.
Security
We protect your personal data with appropriate technical and organisational measures:
- All connections to our servers use TLS 1.2 or higher;
- Data at rest is encrypted by our database provider;
- Passwords are stored as salted hashes (never in clear text);
- Access to production systems is limited to authorised personnel and protected by multi-factor authentication;
- We patch our dependencies regularly and review our code for security issues.
No system is perfectly secure. If you become aware of a vulnerability, please report it to security@giftl-ai.com.
Children
Giftl-AI is not directed to children. You must be at least 16 years old to use the Service (or 13 if you reside outside the European Economic Area and the United Kingdom). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us with personal data, contact us at privacy@giftl-ai.com and we will delete it.
Tracking, advertising & analytics
We do not use any third-party advertising networks or cross-site tracking. We do not set advertising identifiers (IDFA / IDFV) for tracking purposes and therefore do not present an Apple App Tracking Transparency prompt.
We use limited first-party analytics inside the app (e.g. counting how often a feature is used in aggregate) to make product decisions. We do not sell or share this data.
Affiliate links carry only a publisher identifier so the retailer can credit a referral. They do not contain personal data about you.
Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you inside the app or by email at least 14 days before the changes take effect. Continuing to use the Service after the new version takes effect means you accept the updated policy.
The current version and effective date are shown at the top of this page.
Contact & complaints
For privacy questions or to exercise your rights:
[STREET, POSTCODE CITY, GERMANY]
You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State where you live, work, or where the alleged infringement occurred. In Germany, the relevant authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Nordrhein-Westfalen (www.ldi.nrw.de), though you may contact the authority of any EU Member State.