Overview
Giftshop ("we", "us", "our") operates as a Shopify application that enables merchants to send physical gifts to their customers. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. This policy applies to two groups of people: merchants who install and use the Giftshop app, and gift recipients who receive and claim gifts through our platform.
Data We Collect
From Merchants (via Shopify)
- Shop domain and store name
- Contact email address
- Customer names and email addresses (read access via Shopify API)
- Order history and purchase data (read access via Shopify API)
- Product catalog information (titles, prices, images, variants)
- Brand logo (if uploaded by the merchant)
From Gift Recipients (during claim)
- Full name
- Email address
- Phone number
- Shipping address (street, city, state/province, postal code, country)
- Product variant selections (e.g. size, colour)
- Shipping method preference
- Consent preference (whether you opt in to Giftshop data retention)
How We Use Your Data
We use the data we collect for the following purposes:
- Gift fulfilment — creating and completing orders in Shopify when a recipient claims a gift
- Gift notifications — sending branded emails to recipients on behalf of the merchant
- Recipient identification — pre-filling claim forms for returning recipients to streamline the experience
- Merchant analytics — providing merchants with insights on gift claim rates, customer engagement, and gifting performance
- Automation — triggering automated gifts based on customer behaviour (e.g. new customer welcome gifts, win-back campaigns)
- Brand customisation — displaying the merchant's logo in emails and claim pages
- Platform improvement — understanding usage patterns to improve the Giftshop product
Legal Basis for Processing
We process data under two separate legal bases:
Merchant Data
We process merchants' data and their customers' data under the terms of the Shopify API License and Terms of Use. Merchants authorise Giftshop to access their store data when they install the app and grant API permissions.
Recipient Data (Giftshop Consent)
When a gift recipient claims a gift, they are presented with an optional consent checkbox. If a recipient opts in, Giftshop retains their information (name, email, shipping address) to pre-fill future claim forms and improve the gifting experience. This consent is separate from the merchant's authorisation — it is a direct relationship between Giftshop and the recipient. Recipients who do not opt in will have their data used only for the immediate gift fulfilment and not retained by Giftshop beyond what is necessary to complete the transaction.
Data Retention
We retain data according to the following policies:
- Merchant session data — deleted immediately when the app is uninstalled
- Gift records and customer data — retained while the merchant's app is active; deleted or anonymised within 48 hours of app uninstallation (per Shopify's mandatory shop redaction process)
- Consented recipient data — if a recipient opted in to Giftshop data retention, their profile is anonymised (not deleted) when the originating merchant uninstalls, preserving the recipient's cross-merchant gift history
- Non-consented recipient data — fully deleted when the originating merchant uninstalls or when a GDPR deletion request is received
Third-Party Services
We use the following third-party services to operate Giftshop. We do not sell your data, and we do not share it with any other parties.
Shopify
Shopify is our platform. All merchant and customer data is accessed through Shopify's authenticated API. Shopify's own privacy policy governs how it handles your data.
Amazon Web Services (AWS)
We use AWS for hosting (App Runner), database (RDS PostgreSQL), and file storage (S3 for brand logos). All data is encrypted in transit and at rest. Infrastructure is located in the US East region.
SendGrid (Twilio)
We use SendGrid to deliver gift notification emails on behalf of merchants. SendGrid processes recipient email addresses solely for email delivery.
Your Rights
You have the following rights regarding your data:
For Merchants
You can uninstall the Giftshop app at any time through your Shopify admin. Upon uninstallation, all your store data, customer data, gift records, and settings will be deleted or anonymised within 48 hours per Shopify's GDPR requirements.
For Gift Recipients
You can request access to or deletion of your data at any time by contacting us at privacy@giftshop.co. If you opted in to Giftshop data retention during a gift claim, you can withdraw that consent at any time. We will respond to all data requests within 30 days. You can also exercise your rights through the store that sent you the gift — Shopify provides mechanisms for customers to request their data or its deletion, and those requests are forwarded to us automatically.
- Right to access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data
- Right to withdraw consent — withdraw your Giftshop data retention consent at any time
- Right to data portability — request your data in a machine-readable format
GDPR Compliance
Giftshop fully implements Shopify's mandatory GDPR webhooks:
- Customer Data Request — when a customer requests their data, we compile and return all gift records and profile information associated with their email address
- Customer Redaction — when a customer requests deletion, we anonymise or delete their data based on their consent status
- Shop Redaction — when a merchant uninstalls and the 48-hour grace period expires, we delete all shop-related data, sessions, and settings
Security
We take the security of your data seriously. All data is encrypted in transit using TLS/SSL and at rest using AES-256 encryption. Access to production systems is restricted and authenticated. We follow the principle of least privilege for API access — Giftshop only requests the Shopify API scopes it needs to function.
Children's Privacy
Giftshop is not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify merchants through the Giftshop app and update the "Last updated" date below. Continued use of the service after changes constitutes acceptance of the revised policy.
Contact Us
If you have any questions about this Privacy Policy or want to exercise your data rights, contact us at:
- Email: privacy@giftshop.co
- General support: support@giftshop.co