Giftfluence — UK GDPR Policy

Introduction

This policy outlines the approach of Giftfluence ("the Company") to comply with the General Data Protection Regulation (GDPR) as applicable in the United Kingdom.

Data Protection Officer

The Company has appointed a Data Protection Officer who is responsible for overseeing data protection activities and ensuring compliance with GDPR. The DPO can be contacted at the address provided in the Contact section below.

Data we collect

The Company may collect and process the following types of personal data:

Full name — Collected to identify the recipient for order fulfilment and communication.
Shipping address — Collected to deliver gifted products and manage logistics.
Email address — Collected to coordinate campaign communication, share updates, and confirm participation.
Allergies (if product specific) — Collected to ensure product suitability and avoid sending items that may cause harm.

Lawful basis for processing

The Company will only process personal data when there is a lawful basis for doing so, which may include:

Consent of the data subject
Contractual necessity
Legal obligations
Vital interests
Legitimate interests pursued by the Company

Your rights

Data subjects have the following rights under GDPR:

Right to be informed
Right of access
Right to rectification
Right to erasure (the right to be forgotten)
Right to restrict processing
Right to data portability
Right to object — allows individuals to object to the processing of their personal data for specific purposes. This means they can request that their data no longer be processed for those purposes.
Rights related to automated decision-making and profiling

Children's data

We do not knowingly collect or process personal data relating to children. Our website and services are not intended for individuals under the age of 18. If we learn that we have accidentally collected personal data from a child, we will delete it promptly.

Data security

The Company is committed to ensuring the security of personal data. This includes implementing appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Data breach notification

In the event of a data breach, the Company will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Data retention

Personal data will be retained only for as long as necessary for the purposes it was collected. The Company has established specific retention periods for different types of data.

International data transfers

Where international transfers occur, they are carried out using approved safeguards such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).

Third-party processors

When using third-party processors to process personal data, the Company will ensure they provide sufficient guarantees regarding the security and protection of the data.

Training & awareness

The Company will provide training to staff and contractors regarding GDPR compliance and data protection best practices.

Review & updates

This policy will be reviewed and, if necessary, updated annually or in response to changes in applicable data protection laws.

Contact

For any questions or concerns regarding this policy or the Company's data protection practices, please contact:

// Data Protection Contact

Jessica Harrod

Managing Director · Giftfluence

JessicaHarrod@SociallyMe.Org

Regulator

ico.org.uk