1. Introduction
Giftist Inc. ("Company," "we," "us," or "our"), a company incorporated in the State of California, United States, operates The Giftist platform at giftist.ai ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and complying with applicable data protection laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the European Union General Data Protection Regulation (GDPR) where applicable.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, phone number (when you sign up via Google or WhatsApp)
- Profile preferences: Birthday, gender, age range, interests, gift budget, relationship/household status
- Wishlist data: Product URLs, item names, prices, images, and categories you add to your lists
- Event data: Event names, types, dates, descriptions, and associated items
- Messages: Chat conversations with our AI concierge (via web and WhatsApp)
- Payment information: Processed securely by Stripe; we do not store full credit card numbers
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, interactions with the AI concierge, timestamps
- Device information: Browser type, operating system, device identifiers
- Log data: IP address, access times, referring URLs
2.3 Information from Third Parties
- Google: Name and email address when you sign in with Google
- WhatsApp/Twilio: Phone number and message content when you interact via WhatsApp
- Product URLs: Metadata scraped from URLs you submit (product names, prices, images, descriptions)
3. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve the Service
- Create and manage your account
- Generate personalized AI-powered gift recommendations
- Build and maintain your taste profile for better suggestions
- Process gift contributions and payments
- Send transactional messages (account verification, event reminders)
- Send promotional messages (with your consent; you may opt out at any time)
- Detect, prevent, and address fraud and security issues
- Comply with legal obligations
3.1 Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA) and UK, we process personal data based on:
- Contract performance: To provide the Service you requested (account management, wishlists, events)
- Legitimate interests: To improve the Service, prevent fraud, and provide relevant recommendations
- Consent: For marketing communications and optional profile preferences
- Legal obligation: To comply with applicable laws and regulations
4. AI and Automated Processing
The Service uses artificial intelligence to analyze your preferences and provide personalized recommendations. This involves:
- Processing your wishlist items, stated preferences, and chat interactions to build a taste profile
- Sending relevant context to third-party AI providers (Anthropic/Claude) to generate recommendations
- Automated categorization and tagging of items you add
No automated decisions with legal or similarly significant effects are made about you. You may request human review of any AI-generated recommendation by contacting us.
5. How We Share Your Information
We do not sell your personal information. We may share your data with:
- Other users: When you share a wishlist or event publicly, the associated items and your display name are visible to anyone with the link
- Service providers: Third parties that help us operate the Service:
  - Stripe (payment processing)
  - Twilio (WhatsApp messaging)
  - Anthropic (AI recommendations)
  - Google (authentication)
  - Cloudflare (hosting and security)
- Legal requirements: When required by law, subpoena, or court order
- Business transfers: In connection with a merger, acquisition, or sale of assets
6. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. For transfers from the EEA/UK to the US, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with our service providers
- The EU-US Data Privacy Framework, where applicable
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until you delete your account
- Chat history: Retained for up to 24 months to provide continuity in AI interactions
- Transaction records: Retained for 7 years as required by financial regulations
- Usage logs: Retained for 12 months for analytics and security purposes
After account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law.
8. Your Rights
8.1 All Users
- Access your personal data
- Update or correct inaccurate data
- Delete your account and associated data
- Opt out of marketing communications
8.2 California Residents (CCPA/CPRA)
You have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale or sharing of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
- Correct inaccurate personal information
- Limit the use of sensitive personal information
8.3 EEA/UK Residents (GDPR)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restricted processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Lodge a complaint: File a complaint with your local data protection authority
To exercise any of these rights, contact us at privacy@giftist.ai. We will respond within 30 days (or 45 days for CCPA requests, with notice).
9. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls limiting who can view personal data
- Regular security assessments
- Secure authentication via OAuth 2.0 and OTP verification
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
10. Cookies and Tracking
The Service uses essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. You can control cookie settings through your browser preferences.
11. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@giftist.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top will reflect the most recent revision.
13. GDPR Compliance Roadmap
We are actively implementing the following GDPR compliance features, planned for our next phase:
- Cookie consent banner: Granular consent management for EEA/UK visitors
- Data export (portability): Self-service download of all your personal data in JSON format
- Account deletion: Self-service account and data deletion from the settings page
- Consent management: Granular controls for marketing communications, AI processing, and data sharing
- Data Processing Agreements: Formal DPAs with all sub-processors
- Privacy dashboard: A single page to view and manage all your privacy preferences
Until these features are live, you may exercise any of these rights by emailing privacy@giftist.ai.
14. Contact Us
For privacy-related questions, requests, or complaints:
Giftist Inc.
California, United States
Email: privacy@giftist.ai
For GDPR inquiries, you may also contact our data protection point of contact at the same email address.