Privacy Policy

1. Introduction

This Privacy Policy ("Policy") describes how Giftm Technology Private Limited ("Giftm", "we", "us", "our") collects, uses, shares, and protects personal data of users of the Giftm platform (www.giftm.in), the Giftm Marketplace (www.giftm.ai), and associated mobile applications (iOS and Android).

This Policy is issued in compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDPA"). Where processing is based on consent under the DPDPA, Giftm will obtain such consent through a clear and affirmative action. You may withdraw consent at any time; withdrawal will not affect the lawfulness of processing prior to withdrawal.

By accessing or using the Platform, you acknowledge that you have read and understood this Policy and consent to the data practices described herein.

2. Data Controller

3. Personal Data We Collect

3.1 Data You Provide

• Identity data: Full name, date of birth, gender
• Contact data: Email address, mobile number, delivery address
• Account data: Username, password (hashed), profile preferences
• Payment data: Billing address, payment instrument type (card details processed by gateway partners only)
• Business data (B2B Clients): Company name, GSTIN, PAN, authorised signatory details, beneficial ownership information
• Employee data (R&R programmes): Employee ID, department, designation, PAN (for tax reporting)
• KYB documents: Certificate of incorporation, identity proof, address proof
• Shipping data (Print Orders): Delivery address, contact number, recipient name, pin code / postal code for physical gift card delivery

3.2 Data Collected Automatically

• Device and technical data: IP address, device ID, browser type, operating system
• Usage data: Pages visited, links clicked, time spent, search queries on Platform
• Transaction data: Purchase history, redemption history, reward point balances
• Location data: Approximate location from IP address (not GPS unless explicitly permitted by you at device level)
• Cookie data: As described in the Cookie Policy
• Inferred and derived data: Preferences, interests, and segmentation profiles inferred from your usage patterns, purchase history, and platform interactions, used to personalise the Platform experience.
• Sensitive Personal Information (SPI): Where collected, includes financial information (payment instrument details processed by gateway partners only), and health-related data only where explicitly submitted for wellness programme participation. Giftm will seek explicit consent before collecting any SPI and will process SPI only for the stated purpose.

4. Purpose & Legal Basis for Processing

5. Sharing of Personal Data

Giftm does not sell or rent your personal data to third parties. We may share data with:

• Program Sponsors (banks, corporates): Aggregate programme data and individual redemption records as required by the programme.
• Brand/Merchant Partners (Marketplace): Transaction data required to fulfil voucher delivery.
• Payment gateway partners: Payment instrument data strictly for transaction processing (PCI-DSS compliant).
• Technology sub-processors: Cloud hosting, analytics, CRM, email/SMS service providers — bound by data processing agreements.
• KYB / Identity verification providers: For B2B Client verification.
• Law enforcement & regulators: Where required by court order, RBI direction, SEBI, or other applicable authority.
• Business transfers: In the event of a merger, acquisition, or restructuring — you will be notified of any change in data controller.
• Aggregated and anonymised data: Giftm may share aggregate, de-identified, and anonymised statistical data (e.g. total redemption volumes by category, demographic breakdowns of platform usage) with B2B Clients, research partners, or investors. Such data will not identify you individually and is not subject to the sharing restrictions in this Policy.
• Analytics and advertising partners: Usage and device data may be shared with analytics partners (Google Analytics, Firebase, AppsFlyer) and advertising platforms in anonymised or pseudonymised form. You can opt out of analytics tracking as described in the Cookie Policy.
• Courier & logistics partners: Delivery address, contact details, and order details shared with authorised courier partners (Delhivery, Blue Dart, FedEx, DHL) solely for fulfilment of physical Print Orders.

6. International Data Transfers

Giftm processes and stores personal data primarily within India. Certain third-party sub-processors (cloud infrastructure, analytics platforms) may be located outside India (e.g. in the United States or European Union). Where data is transferred outside India, Giftm ensures appropriate contractual safeguards are in place consistent with DPDPA requirements and applicable Indian law.

Such transfers are limited to what is strictly necessary for service delivery and are governed by data processing agreements requiring equivalent data protection standards. For queries about specific international transfers, contact grievance@giftm.ai.

7. Data Security

Giftm implements appropriate technical and organisational security measures consistent with ISO 27001 standards and DPDPA requirements, including: AES-256 encryption at rest and TLS/SSL encryption in transit; access controls and role-based permissions; two-factor authentication for administrative access; regular vulnerability assessments (VAPT); non-disclosure agreements with all vendors and sub-processors; and documented incident response procedures.

In the event of a personal data breach that is likely to affect your rights or interests, Giftm will: (a) notify affected users via registered email or SMS within a reasonable period; (b) notify the Data Protection Board of India as required under DPDPA within prescribed timelines; (c) for breaches involving payment data, notify RBI and relevant payment networks within 6 hours of detection as per RBI Cybersecurity Guidelines for Payment System Operators. Giftm will provide details of the nature of breach, data categories affected, likely consequences, and remedial measures taken. To report a suspected security incident, write immediately to security@giftm.ai or call our security hotline at ops@giftm.ai.

8. Data Retention

9. Your Rights

Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of personal data, subject to legal retention obligations.
• Right to Portability: Obtain your personal data in a structured, machine-readable format.
• Right to Withdraw Consent: Withdraw consent for marketing or any consent-based processing at any time.
• Right to Object: Object to processing based on legitimate interests.
• Right of Nomination (DPDPA): Nominate an individual to exercise your data rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, contact our Grievance Officer at grievance@giftm.ai. We will respond within 30 days of receiving your request. If dissatisfied, you may escalate to the Data Protection Board of India or any relevant regulatory authority.

9A. Profiling & Automated Decision-Making

Giftm may use automated processing including profiling to personalise your Platform experience, customise reward recommendations, and detect fraud. Profiling is based on your transaction history, usage patterns, and programme participation data. Where automated processing produces legal or similarly significant effects on you, you have the right to: (a) request human review of the automated decision; (b) express your point of view; and (c) contest the decision. To exercise these rights, contact grievance@giftm.ai.

Giftm does not use profiling for credit scoring, insurance underwriting, or any high-stakes decision-making beyond personalisation and fraud prevention.

9B. Do Not Track & Global Privacy Control

Some browsers and devices transmit Do Not Track (DNT) signals or Global Privacy Control (GPC) signals. Giftm honours GPC signals to the extent required by applicable law. Where a valid GPC or DNT signal is detected, Giftm will limit non-essential data collection and opt you out of marketing communications. Note that essential cookies and security processing are not affected by DNT/GPC signals as they are required for Platform functionality.

10. Children's Privacy

The Giftm Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact grievance@giftm.ai and we will delete such data promptly. Minors may use gift cards or redeem rewards only under parental or guardian supervision.

11. Links to Third-Party Sites

The Platform may contain links to third-party websites or brand portals. Giftm is not responsible for the privacy practices or content of such third-party sites. We encourage you to review the privacy policies of any third-party site you visit. Giftm's Privacy Policy applies solely to data collected through our Platform.

11A. Rights of International Users

Giftm's Marketplace (giftm.ai) is accessible globally. If you access the Platform from outside India, the following additional rights may apply:

• California (USA) residents: Under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), you have the right to know what personal data is collected, sold, or shared; the right to opt out of the "sale" or "sharing" of personal data; the right to deletion; and the right to non-discrimination for exercising privacy rights. Giftm does not sell personal data. To exercise CCPA rights, write to grievance@giftm.ai.
• European Economic Area / UK residents: To the extent GDPR or UK GDPR applies, you have the right of access, rectification, erasure, restriction, portability, and to object to processing. You also have the right to lodge a complaint with your local supervisory authority.
• UAE residents: If accessing from the UAE, the UAE Personal Data Protection Law (Federal Decree Law No. 45 of 2021) may apply. Contact grievance@giftm.ai to exercise applicable rights.
• Other jurisdictions: Giftm will endeavour to honour privacy rights requests from users in other jurisdictions to the extent reasonably practicable and as required by applicable local law.

Regardless of your location, the governing law for this Policy remains the laws of India and the courts in Mumbai shall have jurisdiction, unless a mandatory applicable local law provides otherwise.

12. Changes to This Policy

Giftm may update this Privacy Policy from time to time. Changes will be posted at www.giftm.in/privacy-policy with an updated effective date. Material changes will be notified to registered users via email or platform notification. Continued use of the Platform after changes are posted constitutes acceptance of the updated Policy.

This Policy was last updated on: 1st June 2025.

13. Grievance Officer & Contact