Giftl·AI
Legal

Privacy Policy

This policy explains what personal data Giftl-AI collects, why we collect it, how we use and protect it, and the rights you have over it under the EU General Data Protection Regulation (GDPR) and other applicable laws.

Effective date: [DATE — e.g. 1 July 2026] Last updated: [DATE] Version: 1.0
§ 01

Who we are

Giftl-AI (“Giftl-AI”, “we”, “us”, or “our”) is operated by:

Controller
[LEGAL ENTITY NAME — e.g. Ahmad Elharthi (sole trader) or Giftl-AI UG (haftungsbeschränkt)]
Address
[STREET, POSTCODE CITY, GERMANY]
Registration
[Handelsregister number / VAT ID / “not applicable — sole trader”]
Data Protection Officer
We have not appointed a Data Protection Officer because our processing does not meet the thresholds in Art. 37 GDPR. For data protection matters, contact us at the email address above.

We are the “controller” for personal data processed through the Giftl-AI iOS application and our website at giftl-ai.com (together, the “Service”).

§ 02

Scope of this policy

This policy applies to personal data processed through:

  • The Giftl-AI iOS application available on the Apple App Store;
  • The Giftl-AI website at giftl-ai.com;
  • Email and customer-support communications you send to us.

It does not apply to third-party websites, products, or services that we may link to (such as retailers reached through affiliate links). Those are governed by their own privacy policies, which we encourage you to read.

§ 03

What data we collect

We collect only the data we need to run the Service. Different categories of data are described below.

3.1 Account data

When you create a Giftl-AI account, we collect:

  • Email address — used to sign you in and to send essential service messages.
  • Display name — shown inside the app.
  • Password — stored only as a salted, hashed value; we cannot read it.
  • Authentication identifiers from sign-in providers — if you sign in with Google or Apple, we receive the email address, name, and a stable user identifier from those providers. We never receive your provider password.

3.2 Profile and gifting data you enter

Inside the app you may create profiles for the people you give gifts to. This may include:

  • The recipient's name, relationship to you, approximate age, and an avatar emoji or photo;
  • Their hobbies, life phases, favourite cuisines, brands, or destinations;
  • Upcoming occasions (birthdays, anniversaries, etc.) and dates;
  • Wishlists, bookmarks, and gift ideas you save;
  • Gift history — descriptions of gifts you have given, ratings, reviews, and (optionally) photos you attach.
Your responsibility. Profile data refers to other people. You confirm that you have a legitimate reason to record this information (typically a personal or family relationship) and that the people involved would reasonably expect you to do so. You should not enter sensitive information (e.g. health or religious data) about others without their awareness.

3.3 Device permissions you grant

The app requests the following iOS permissions. You can decline any of them and the rest of the app will continue to work.

Calendar
Read-only access, used on your device only to detect birthdays and anniversaries you already have stored. Calendar contents are not transmitted to our servers.
Photo library
Used when you choose a profile picture or attach photos to a gift review. Only photos you select are accessed.
Camera
Used when you take a photo of a gift to attach to a review. We never use the camera in the background.
Notifications
Used to remind you about upcoming occasions. You can turn these off in iOS Settings at any time.

Photos attached to gift reviews are currently stored locally on your device only, in the app's private storage. They are not uploaded to our servers and are deleted when you delete the corresponding gift or uninstall the app.

3.4 Usage and device data

To operate the Service reliably, we collect limited technical data:

  • App version, iOS version, device model (e.g. iPhone 14);
  • Anonymous diagnostic information about crashes and errors;
  • Approximate region inferred from your IP address (country level only — not precise location);
  • Aggregated usage statistics (e.g. number of searches performed) used to improve recommendations.

We do not use Apple's App Tracking Transparency framework because we do not track you across other companies' apps or websites.

3.5 Communications

If you contact us by email or through an in-app form, we keep your message and our reply so we can follow up.

§ 04

How we use your data

We use your personal data for the purposes below — and no others.

  • To provide the Service — running your account, syncing your data across devices, surfacing your saved profiles, occasions, and wishlists.
  • To generate gift recommendations — matching the preferences you record (or that you input for a one-off search) against our product catalogue.
  • To send you reminders — push notifications for upcoming occasions, if you have enabled them.
  • To support and improve the Service — fixing bugs, monitoring stability, refining how the app behaves based on aggregated usage signals.
  • To send essential service emails — password resets, security notices, material changes to these policies.
  • To respond to your requests — replying to support emails or exercising your data-protection rights (see §9).
  • To comply with legal obligations — including tax, accounting, and lawful requests from authorities.

We do not sell your personal data. We do not share it with advertisers. We do not use it to train AI models.

§ 06

Third parties & processors

We use a small number of carefully chosen service providers to run the Service. Each of them is bound by a data-processing agreement and may only process your data on our instructions.

Google (Firebase)
Authentication (Sign in with Google), push-notification delivery, and crash diagnostics. Provided by Google Ireland Limited and Google LLC.
Supabase
Hosted PostgreSQL database used to store your profiles, occasions, wishlists, bookmarks, and gift history so that they sync across your devices. Provided by Supabase, Inc.
Apple
App Store distribution, Sign in with Apple, and Apple Push Notification service. Provided by Apple Distribution International Limited.
Affiliate networks
When you tap an outbound link to a retailer (e.g. Amazon, Awin partners), the retailer may receive a referrer code so we can be credited if you make a purchase. We do not pass your personal data to the retailer.
Email provider
[NAME — e.g. Resend] for transactional emails such as password resets and security notices.

We will update this list when sub-processors change. We do not authorise these providers to use your data for their own purposes.

§ 07

International transfers

Some of our service providers are located outside the European Economic Area (principally in the United States). Where data is transferred, we rely on:

  • The EU–U.S. Data Privacy Framework, where the provider is certified; and / or
  • The European Commission's Standard Contractual Clauses (Module 2: Controller to Processor);
  • Supplementary technical and organisational measures, including encryption in transit and at rest.

You can request a copy of the safeguards in place by contacting us at privacy@giftl-ai.com.

§ 08

Retention & deletion

We keep personal data only as long as we need it for the purposes set out in §4.

  • Account & profile data — for as long as your account is active. You can delete your account from inside the app (Settings → Account → Delete account) or by emailing us at privacy@giftl-ai.com. We will fulfil the request within 30 days.
  • Gift photos — these are stored locally on your device. Deleting the gift, deleting your account, or uninstalling the app removes them.
  • Diagnostic data — kept for up to 90 days, then aggregated or deleted.
  • Support emails — kept for up to 24 months after the last reply, unless we need to keep them longer for a legal claim.
  • Tax and accounting records — kept for the periods required by German law (typically 6–10 years).

When you delete your account, we delete your personal data from our active systems. Backups may retain it for up to 35 additional days before being overwritten in the normal backup rotation.

§ 09

Your rights

Under the GDPR you have the following rights. We honour these rights for all users worldwide where lawful.

  • Access (Art. 15) — you can ask for a copy of the personal data we hold about you.
  • Rectification (Art. 16) — you can correct inaccurate or incomplete data. Most fields are editable directly in the app.
  • Erasure (Art. 17) — you can ask us to delete your data. You can also delete your account directly in the app.
  • Restriction (Art. 18) — you can ask us to pause processing in certain circumstances.
  • Data portability (Art. 20) — you can ask for a machine-readable copy of the data you provided to us.
  • Objection (Art. 21) — you can object to processing based on our legitimate interests.
  • Withdraw consent (Art. 7) — where we process data on the basis of consent, you can withdraw it at any time.
  • Lodge a complaint — you can complain to your local data-protection authority (see §14).

To exercise any of these rights, email privacy@giftl-ai.com. We will respond within one month, as required by the GDPR. We may need to verify your identity before acting.

§ 10

Security

We protect your personal data with appropriate technical and organisational measures:

  • All connections to our servers use TLS 1.2 or higher;
  • Data at rest is encrypted by our database provider;
  • Passwords are stored as salted hashes (never in clear text);
  • Access to production systems is limited to authorised personnel and protected by multi-factor authentication;
  • We patch our dependencies regularly and review our code for security issues.

No system is perfectly secure. If you become aware of a vulnerability, please report it to security@giftl-ai.com.

§ 11

Children

Giftl-AI is not directed to children. You must be at least 16 years old to use the Service (or 13 if you reside outside the European Economic Area and the United Kingdom). We do not knowingly collect personal data from children below the applicable age. If you believe a child has provided us with personal data, contact us at privacy@giftl-ai.com and we will delete it.

§ 12

Tracking, advertising & analytics

We do not use any third-party advertising networks or cross-site tracking. We do not set advertising identifiers (IDFA / IDFV) for tracking purposes and therefore do not present an Apple App Tracking Transparency prompt.

We use limited first-party analytics inside the app (e.g. counting how often a feature is used in aggregate) to make product decisions. We do not sell or share this data.

Affiliate links carry only a publisher identifier so the retailer can credit a referral. They do not contain personal data about you.

§ 13

Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you inside the app or by email at least 14 days before the changes take effect. Continuing to use the Service after the new version takes effect means you accept the updated policy.

The current version and effective date are shown at the top of this page.

§ 14

Contact & complaints

For privacy questions or to exercise your rights:

By post
[LEGAL ENTITY NAME]
[STREET, POSTCODE CITY, GERMANY]

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State where you live, work, or where the alleged infringement occurred. In Germany, the relevant authority is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Nordrhein-Westfalen (www.ldi.nrw.de), though you may contact the authority of any EU Member State.