Giftme - Giftme Jamaica - Privacy Notice
giftme

Privacy Notice

1. Introduction

At Gift Tech Limited (referred to as "Giftme", "we", "us", or "our"), we respect your privacy and are committed to securing your personal information.

This Privacy Notice explains how we collect, use, share, and protect your personal data when you interact with our websites, mobile applications, and related services (together, "our Services").

1.2 Who We Are

Giftme provides an online platform that allows users to purchase, send, redeem, and manage digital gift cards, smart/network gift cards, and promotional deals, as well as access related features such as loyalty, rewards, and communications.

For the purposes of the Jamaica Data Protection Act, 2020 (JDPA), we act as the Data Controller for the personal information we collect and process.

2. What Personal Data We Collect

We collect information that is reasonably necessary to provide and improve our Services, comply with legal obligations, and protect our users. This may include:

  • Personal Information
    Name, location, and date of birth.
  • Contact Information
    Email addresses, IP addresses, device identifiers, mobile numbers, postal addresses, device details, and browser types.
  • Financial Information
    Bank or credit/debit card details used in transactions with us (processed through secure payment gateways).
  • Statistical / Usage Information
    Behavioral and statistical data about individuals and businesses in relation to our Services and online platforms (e.g. page views, clicks, feature usage, transaction patterns).
  • Geo-location Information
    Location data used to send service messages and special offers based on your proximity to a retailer or participating merchant.
  • Cookies & Similar Technologies
    Information collected via cookies and similar technologies to remember preferences, improve performance, and understand usage. For more, see our Cookie Policy.

3. How We Collect Your Data

We collect personal data when you:

  • Register or create an account with Giftme
  • Purchase or redeem a gift card or smart/network card
  • Link a payment method or complete a payment through our Services
  • Subscribe to our mailing lists, notifications, or promotions
  • Participate in surveys, campaigns, or referral programs
  • Contact us for customer support or other enquiries
  • Browse our website or use our mobile apps (including via cookies and analytics tools)
  • Interact with our corporate or merchant portals

If you are a gift card recipient, some information may be provided to us by the purchaser.

4. Who We Collect Data About

We may collect and process personal data about:

  • Giftme account holders and app users
  • Gift card purchasers and gift card recipients
  • Corporate clients and their authorised representatives
  • Merchants and merchant staff who use our merchant tools
  • Website visitors and users of our mobile applications

The types of data collected for each group may vary but generally fall within the categories described in Section 2.

5. How We Use Your Personal Data

We use personal information only for its intended and lawful purposes, unless we have your permission or as otherwise permitted by law. Uses include:

  • Confirming your identity and managing your account
  • Enabling you to use our Online Platforms and Services
  • Processing payments and transactions
  • Issuing, redeeming, and managing gift cards and smart/network cards
  • Providing customer service and responding to enquiries or complaints
  • Requesting feedback and improving our products and Services
  • Monitoring platform usage and performing analytics
  • Preventing, detecting, and investigating fraudulent activities and security risks
  • Sending notifications about important changes to our Services, terms, or policies
  • Communicating about research, offers, or promotions (subject to your marketing preferences)

6. Legal Bases (Purposes and Lawful Bases)

We collect and use your personal data only where we have a lawful basis under the JDPA, including:

  • Consent - where you have given clear consent for us to process your data for a specific purpose (e.g. some marketing communications).
  • Contractual necessity - where processing is necessary to enter into or perform a contract with you (e.g. providing an eGift card or smart card, processing payments).
  • Legal obligation - where we must process data to comply with laws (e.g. anti-money laundering, tax, accounting, regulatory reporting).
  • Legitimate interests - where processing is necessary for our legitimate interests or those of a third party (e.g. fraud prevention, service improvement, security), and does not override your rights and freedoms.

Where consent is required, we will always seek your clear, informed consent. You may withdraw your consent at any time (see Section 11).

In all cases, we ensure that personal data collected is limited to what is necessary to deliver our Services and comply with applicable laws.

7. Retention Policy

We retain your personal data only for as long as necessary to:

  • Provide our Services and maintain your account
  • Comply with legal, regulatory, tax, and accounting obligations
  • Resolve disputes and enforce our agreements
  • Prevent fraud or abuse and maintain security

In general, we aim to retain personal data for a minimum of two (2) years from the date of the relevant transaction or the end of the customer relationship, unless a longer period is required by law or justified by our legitimate interests (for example, for fraud prevention or legal claims).

7.1 Detailed Retention Periods

In addition, we apply the following retention periods by data type:

Data Type Retention Period Reason
Account Information 2 years after account closure or inactivity Fraud prevention, security, and record-keeping.
Order / Transaction Records 7 years after each transaction Legal and regulatory obligations (e.g. tax, accounting, AML).
Payment Data Card details are not stored in full by Giftme; processed via secure PCI-DSS compliant gateways. Limited payment metadata may be anonymised or pseudonymised after 7 years. PCI-DSS compliance.
Marketing Data 2 years after last interaction Consent-based promotions and remarketing. If you opt out, we stop using your data for marketing and delete/flag marketing data as required.
Customer Support Tickets 2 years after resolution Service improvement, quality assurance, and dispute resolution.

We may retain some data longer where:

  • Required for legal disputes or investigations
  • Necessary for backup, archival, or security purposes (with restricted access)
  • Necessary to demonstrate that we have honoured your rights (e.g. record of a deletion request)

8. Sharing of Your Information

We may share limited personal data with trusted third parties for legitimate purposes, including:

  • Service Providers / Data Processors
    For example: cloud hosting, payment gateways, analytics, email and SMS delivery, messaging, support, feedback, customer communications.
  • Regulators, Supervisory Authorities, or Law Enforcement
    Where required by law or to comply with a valid legal process.
  • Merchants and Programme Partners
    Where necessary to redeem gift cards, process loyalty/reward benefits, or deliver specific offers or promotions you have chosen.
  • Marketing & Sponsorship Partners
    Only where you have opted in or otherwise provided consent, and subject to your marketing preferences.

We follow a Privacy by Design and Default approach:

  • Data sharing is limited to what is necessary for the stated purpose
  • Third-party integrations are assessed for privacy and security risks
  • Technical and organisational safeguards (such as encryption, access controls, and audit logs) are in place

We do not sell your personal data to third parties.

8.1 Subprocessors

To support our Services, we use certain subprocessors (third-party data processors) who may have access to limited personal data solely to perform services on our behalf (for example, messaging, analytics, hosting, and payment processing). They are contractually required not to use this data for any other purpose.

Our current list of subprocessors is available at: https://shopgiftme.com/privacy/sub-processors

We may update this list from time to time; significant changes will be reflected on that page.

9. International Data Transfers

Some of our systems and service providers operate outside Jamaica, including in the United States and the European Union. This means your personal data may be processed in countries that may have different data protection standards from Jamaica.

Where your personal data is transferred internationally, we:

  • Limit transfers to what is necessary to deliver our Services or meet legal obligations
  • Expect our providers to implement appropriate safeguards, follow their published privacy and security practices, and comply with the Jamaica Data Protection Act, 2020 to the extent applicable
  • Require that data is not retained, shared, used, or processed beyond what is necessary to provide the contracted services

Regardless of where your data is processed, we aim to ensure it is handled in line with this Privacy Notice and the JDPA.

10. How We Protect Your Data

We are committed to safeguarding your personal information and ensuring its confidentiality, integrity, and availability.

10.1 Storage and Retention

Your personal data may be stored in both electronic and physical formats:

  • Electronic records within our systems and databases and those of our trusted service providers
  • Paper records (where applicable), which may be digitised and stored in secure electronic systems

Data is retained only for as long as reasonably necessary for the purposes described in this Notice or as required by law (see Section 7).

10.2 Data Security Measures

We implement layered technical and organisational safeguards to protect your data from unauthorised access, loss, misuse, or disclosure, including:

  • Encryption of data at rest and in transit (where appropriate)
  • Access controls and role-based permissions
  • Multi-factor authentication for sensitive systems
  • Regular vulnerability assessments, audits, and monitoring
  • Staff training on data protection and cyber security
  • Incident response procedures and logging

While we take reasonable steps to protect your data, no system is completely secure. You should also take care when conducting transactions or sharing personal data online (for example, keeping your device secure, using strong passwords, and not sharing your PINs or one-time codes).

10.3 Third-Party Practices

Our website or apps may include links to external sites or services (such as merchant sites or social networks). We are not responsible for the privacy or security practices of third parties, including retailers and other entities we are permitted to disclose information to under this Notice or relevant laws. Their use of your data is governed by their own privacy and security policies; we encourage you to review those policies.

11. Your Rights under the JDPA

As a data subject under the Jamaica Data Protection Act, 2020, you have the following rights in relation to your personal data:

11.1 Right to Be Informed

You have the right to know whether we hold personal data about you, and if so, to receive a description of:

  • The personal data we hold
  • The purposes for which it is processed
  • The recipients or categories of recipients to whom it may be disclosed

This Privacy Notice is one of the ways we satisfy that obligation.

11.2 Right of Access and Portability

You may request access to the personal data we hold about you. Where technically feasible and lawful, you may also request that we provide your data in a structured, commonly used, machine-readable format, or transfer it directly to another data controller.

11.3 Right to Rectification

You may request that we correct any inaccuracies or complete any incomplete personal data we hold about you. In some cases, this may involve blocking, erasing, or destroying incorrect data.

11.4 Right to Object or Restrict Processing

You may object to or request restriction of processing in certain circumstances, for example where:

  • Processing may cause unwarranted damage or distress
  • You contest the accuracy of the data
  • Processing is no longer necessary for the purposes for which it was collected
  • You have objected to processing based on legitimate interests and a balancing test is ongoing
11.5 Rights Related to Automated Decision-Making and Profiling

You have the right to request that decisions which significantly affect you are not made solely on the basis of automated processing, including profiling, where such processing produces legal or similar significant effects.

11.6 Right to Withdraw Consent

Where we rely on your consent (for example, certain marketing or optional features), you may withdraw your consent at any time using the same method by which it was given (e.g. in-app settings or unsubscribe links) or by contacting our Data Protection Officer.

11.7 Right to Deletion / Erasure

You may request that we delete your personal data or your Giftme account, subject to certain legal and operational exceptions.

What Happens When You Delete Your Account or Personal Data?

If your account and/or personal data is deleted, this is permanent and cannot be restored. This means, for example, that:

  • If you want to continue to use your gift cards, you should print or securely store them before deleting your account
  • We may not be able to assist if you later require customer support (for example, if you lose a gift card or experience issues with a previously issued card)
How Long Does Deletion Take?

When a deletion request is received, we will delete (and instruct our third-party service providers to delete) your account and personal data unless we are required to retain certain information for regulatory or compliance purposes (see Section 7).

Some personal data may be retained by Giftme or our service providers after an account deletion request to:

  • Maintain a record that a deletion request was made and actioned
  • Comply with anti-money laundering, counter-terrorism financing, and other statutory obligations
  • Enforce or apply our terms and detect security incidents or fraudulent/illegal activities
  • Cooperate with law enforcement or regulators
  • Make other lawful uses of the information compatible with the original context in which it was provided

12. Reporting Concerns and Breach Notification

If you suspect that your personal data has been misused, lost, or accessed without authorisation, please contact us as soon as possible using the details in Section 16.

We take data breaches seriously and are committed to responding in accordance with the Jamaica Data Protection Act, 2020 and guidance from the Information Commissioner. Where required, we will notify the Commissioner within 72 hours of becoming aware of a qualifying incident and, where there is a likely high risk to your rights and freedoms, we will also notify you without undue delay.

Our notification will include, where applicable:

  • A description of the nature of the breach
  • The types of data affected
  • The likely consequences of the breach
  • The steps taken or proposed to mitigate any potential adverse effects
  • Contact details for our Data Protection Officer or designated representative

We investigate all incidents thoroughly and implement corrective actions to reduce the risk of recurrence.

13. Children's Information

We do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected personal data from a child under 13 without valid consent or another lawful basis, we will delete that information promptly.

14. Cookies and Analytics

We use cookies and analytics tools to:

  • Enhance and personalise your user experience
  • Understand how our Services are used
  • Improve performance and features

You can manage cookie preferences through your browser or device settings. For full details on the cookies we use and how we use them, please refer to our Cookie Policy.

15. Changes to This Notice

We may modify, amend, or update this Privacy Notice from time to time to reflect:

  • Changes to our Services or business operations
  • Changes in law or regulatory guidance
  • Improvements in how we explain our data practices

When we make material changes, we will update the "Last Updated" date at the top of this Notice and, where appropriate, provide additional notice (for example, via email or in-app notifications). We encourage you to review this Notice periodically to stay informed about how we protect your personal information.

16. Contact Us

If you have any questions, concerns, or complaints about this Privacy Notice or how we handle your personal information, or if you wish to exercise your JDPA rights (including access, rectification, objection, or deletion), please contact us:

Gift Tech Limited (Giftme)
Email: [email protected]
Phone: 1 (876) 619 9880