Home / Privacy Policy

Privacy Policy

How we collect, store, use, and protect personal data across the GiftM platform.

Last updated: April 2026 · GiftM Technologies Pvt Ltd

1. Who we are

GiftM Technologies Pvt Ltd ("GiftM", "we", "us") operates the gift card, rewards, and loyalty infrastructure described at this website. We are the data controller for the personal data we collect directly (e.g. when you sign up for an account) and a data processor for personal data our customers submit through our APIs.

2. What we collect

Depending on how you interact with us, we may collect:

  • Account data - name, email, phone, company, role.
  • Recipient data submitted by our customers - typically name, email, phone of the gift-card or reward recipient.
  • Transaction metadata - card amount, currency, timestamps, IP address, user agent.
  • API usage data - request counts, error rates, latency.
  • Cookies & analytics - basic session cookies to keep you signed in; privacy-preserving usage analytics.

3. How we use it

  • To deliver the Service - issue and redeem gift cards, run loyalty programs, generate invoices.
  • To meet legal and regulatory obligations - RBI PPI guidelines, tax and audit retention, fraud prevention.
  • To improve the platform - aggregate, anonymised analytics on feature usage and performance.
  • To communicate with you - product updates, security alerts, billing notifications.

4. Legal basis (GDPR / DPDP)

We rely on the following grounds:

  • Contract - to provide the services you have signed up for.
  • Legitimate interest - to keep the platform secure and improve features.
  • Legal obligation - tax, audit, and anti-money-laundering retention.
  • Consent - for marketing email and optional analytics, withdrawable at any time.

5. Sharing & transfers

We do not sell personal data. We share it only with:

  • Brand partners issuing the gift cards on the catalogue you have subscribed to (only the minimum needed to fulfil issuance).
  • Sub-processors for cloud hosting, email delivery, SMS gateways, and OTP verification - bound by data-protection agreements.
  • Authorities where required by law or court order.

Cross-border transfers from the EU/UK use Standard Contractual Clauses where applicable.

6. Retention

We retain personal data for as long as your account is active. After erasure or termination, financial fields (order references, balances, invoice numbers) are retained for the statutory tax and audit window (typically 7 years in India). PII columns are tombstoned (anonymised) at that point.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access a copy of your personal data ("right to access").
  • Request anonymisation or deletion ("right to erasure" / "right to be forgotten").
  • Correct inaccurate data.
  • Object to certain processing or withdraw consent for marketing.
  • Lodge a complaint with the relevant supervisory authority.

Logged-in customers can export and erase their own data in one click via the Privacy section of their account dashboard. Otherwise, email privacy@giftm.com and we will respond within 30 days.

8. Security

  • AES-256 encryption at rest for card codes, PINs, and recipient identifiers; HMAC lookups for fast queries.
  • TLS 1.2+ in transit on all API and dashboard endpoints.
  • Hash-chained audit log for every card-lifecycle event.
  • Tier-based rate limiting and signed webhooks to prevent replay.
  • Regular vulnerability scans and an internal disclosure programme - reach security@giftm.com.

9. Children

The Platform is not directed at children under 16. If you believe a child's data has been submitted, contact us and we will erase it.

10. Changes

We will notify you of material changes via email and on the dashboard at least 30 days before they take effect.

11. Contact

Privacy queries: privacy@giftm.com · DPO: dpo@giftm.com · General: hello@giftm.com