Privacy Policy

Version: 1.0
Last updated: 01 October 2025

We take your privacy seriously. This notice explains who we are, what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights you have.

This policy does not apply to third-party websites or apps that link to us. Those have their own privacy notices.

1. Who we are (Controller)

Giftivest Ltd (trading as "Euda") is the controller of your personal data.

  • Registered in England & Wales: 16197030
  • Registered office: 128 City Road, London, EC1V 2NX, UK
  • ICO Registration No: ZC007662

Data Protection Lead (DPL): privacy@gifteuda.com

General contact: info@gifteuda.com

The Platform includes:

  • our websites (e.g., www.gifteuda.com) that link to this policy; and
  • our mobile app Euda, and any other app that links to this policy.

Children: Our Platform is intended for individuals aged 18+ (or the age of majority in your jurisdiction). We do not knowingly collect data from children.

2. The personal data we collect

  • Identity Data – first name, last name, date of birth, gender.
  • Contact Data – billing/delivery address, email address, phone numbers.
  • Financial Data – tax IDs (where required), payment method tokens (we do not store full card numbers), bank details where needed for refunds.
  • Transaction Data – orders, basket contents, prices paid, delivery status.
  • Technical Data – IP address, device identifiers, OS/browser details, time zone, app version, crash logs (see Crashlytics), and cookie identifiers.
  • Profile Data – account details, preferences, saved items, survey responses.
  • Usage Data – how you browse, click, scroll, and use features on our sites/apps.
  • Recipient Data – gift recipient name, address, email/phone (provided by the purchaser).
  • Marketing & Communications Data – your marketing preferences and consents.
  • Aggregated Data – statistical/insights data that does not identify you.

3. How we collect your data

  • Directly from you – when you create an account, place an order, contact support, or complete forms/surveys.
  • Automatically – via cookies/SDKs and similar tech when you use our sites/apps (see Cookies/SDKs below).
  • From third parties – payment providers, anti-fraud services, delivery partners, analytics platforms, and (for app telemetry) Google Firebase (Analytics & Crashlytics).

4. Why we use your data (purposes & legal bases)

Purpose | Data categories | Legal basis
Register and manage your account | Identity, Contact, Profile | Contract
Process and deliver orders; customer service | Identity, Contact, Transaction, Recipient | Contract; Legal obligation (tax); Legitimate interests (service quality)
Payments and fraud prevention (incl. AML where applicable) | Identity, Contact, Financial, Transaction, Technical | Legal obligation; Legitimate interests (protecting our business)
Service operations, security, and debugging (incl. Crashlytics) | Technical, Usage | Legitimate interests (operate, secure, fix issues)
Site/app analytics and performance (incl. Firebase Analytics) | Technical, Usage | Consent (for non-essential cookies/SDKs); Legitimate interests where strictly necessary
Marketing communications | Identity, Contact, Profile, Usage, Marketing | Consent or soft opt-in under PECR for similar products; you can opt out anytime
Surveys, competitions, and feedback | Identity, Contact, Profile, Usage | Contract; Legitimate interests (improve our services)
Legal claims, compliance, record-keeping | All relevant | Legal obligation; Legitimate interests

Direct marketing (UK/EEA): we send email/SMS marketing with your consent, or under the soft opt-in where you bought (or negotiated to buy) similar products and were given a clear opt-out then and in every message. You can opt out via links in messages or by contacting us.

Automated decision-making: we do not carry out decisions producing legal or similarly significant effects based solely on automated processing.

5. Who we share your data with

We share data only as needed to provide our services:

  • Shopify (store platform/hosting, some payments/integrations)
  • Payment processors (e.g., Shopify Payments, PayPal, Apple Pay, Google Pay) – independent controllers for payment data
  • Analytics & marketing – Google/Firebase (Analytics & Crashlytics), Google Ads, Meta, Klaviyo
  • Logistics – Royal Mail, DPD and other couriers
  • IT/security & anti-fraud providers
  • Professional advisers (legal, accounting)
  • Corporate transactions – if we sell/merge/reorganise our business

We require processors to protect your data and act only on our instructions. We do not sell your personal data.

6. International transfers

Some providers are outside the UK/EEA (e.g., Shopify – Canada/US/Ireland; Google/Firebase, Klaviyo, Meta – US). Where your data is transferred internationally, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses (SCCs), plus supplementary measures as needed. You can contact us for a copy of relevant safeguards (redacted where necessary).

7. Cookies and SDKs

We use cookies and similar technologies for essential functionality, analytics, advertising, and to remember your preferences. In our apps we use SDKs including Firebase Analytics (usage/engagement) and Firebase Crashlytics (crash reports with device/app diagnostics).

Non-essential web cookies/SDKs are used with your consent.

Manage preferences via our Cookies Policy and consent banner.

8. Data security

We use appropriate technical and organisational measures (encryption in transit, access controls, secure configuration, monitoring, and regular reviews). No system is 100% secure; please keep your account credentials confidential and use unique, strong passwords.

If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO and affected individuals where required by law.

9. How long we keep your data

We keep data only as long as necessary for the purposes set out above, then delete or anonymise it. Typical periods:

Category | Typical retention
Orders, invoices, tax/KYC/AML records | 7 years from the end of the financial year
Account data (inactive accounts) | 24 months after last activity, unless legal need
Customer support tickets | 3 years after closure
Marketing preferences & consent logs | While subscribed + 2 years (evidence of consent/opt-out)
Recipient Data | 90 days after successful delivery/issue resolution, unless required longer for disputes/warranty
Crash logs (Crashlytics) | Typically 90 days (provider defaults may apply)
Analytics data | As per cookie/SDK settings and consent; typically 14–26 months

Backups are retained for limited periods then overwritten.

10. Your rights

UK / EU (UK GDPR / GDPR)

You can:

  • access a copy of your personal data;
  • ask us to correct inaccurate data;
  • request deletion in certain circumstances;
  • object to processing based on legitimate interests (and always to direct marketing);
  • restrict processing in certain cases;
  • receive your data in a portable format;
  • withdraw consent at any time (where consent is the basis).

We will respond within one month (extendable by up to two further months for complex requests). We may request proof of identity.

California (CCPA/CPRA)

Residents have rights to know, access, correct, delete, opt-out of sale/sharing (including for cross-context behavioural advertising), and to limit use of sensitive data. We do not sell personal information. Where applicable, we will provide a "Do Not Sell or Share My Personal Information" link.

Canada / Australia / South Africa

Local rights include access and correction, with timelines per law (typically 30 days). You may raise complaints with your national privacy regulator.

To exercise rights, contact privacy@gifteuda.com.

11. Recipient Data (gifting)

When you purchase a gift, you may provide Recipient Data (name, address, email/phone).

  • Source: provided by the purchaser.
  • Purpose: to fulfil and deliver the gift (including delivery notifications).
  • Marketing: we do not send marketing to recipients unless they sign up directly.
  • Retention: normally 90 days post-delivery (or longer if needed for disputes/warranty).

Recipients can exercise the same rights by contacting privacy@gifteuda.com.

12. Complaints

You can complain to the Information Commissioner's Office (ICO) at www.ico.org.uk. We'd appreciate the chance to resolve concerns first—please contact privacy@gifteuda.com.

13. Changes to this policy

We review this policy regularly and will post updates here with a new "Last updated" date. If changes are significant, we will notify you by email or in-app notice where appropriate.

14. How to contact us

Email: privacy@gifteuda.com (privacy) • info@gifteuda.com (support)

Post: Giftivest Ltd, 128 City Road, London, EC1V 2NX, UK

Notes on Firebase services we use

Firebase Analytics collects app usage and engagement data (e.g., screens viewed, session duration, device information). We configure data retention and respect OS-level ad settings where applicable.

Firebase Crashlytics collects crash reports and diagnostics (e.g., device model, OS version, app version, stack traces). This helps us identify and fix stability issues quickly.

Where required, Analytics/advertising features are enabled only with your consent via our cookie/SDK preferences.