Giftly Privacy Notice
Effective date: 25 May 2026
This Privacy Notice explains how Giftly processes personal data when you use the Service.
1. Controller
The data controller is Giftly, located in Istanbul, Türkiye.
Contact: privacy@thegiftly.app
If required by applicable law, our EU representative, UAE representative, Data Protection Officer or local contact details will be added to this Notice.
2. Personal data we process
We may process the following categories of personal data:
Account and identity data
Name, surname, username, language preference, login details and authentication identifiers.
Contact data
Email address, phone number and messaging contact details.
Campaign data
Campaign title, description, occasion, recipient name, organizer name, invited participants, contribution target, contribution notes, status, closing date and campaign links.
Contribution information
Contributor name, contribution amount marked by the organizer, payment status marked by the organizer, message to the organizer or recipient and timestamps.
Giftly does not verify or process the underlying bank or payment transaction.
Technical data
IP address, device type, browser, operating system, session logs, security logs, approximate location derived from IP, identifiers and error reports generated by our hosting or infrastructure providers.
Usage data
Pages viewed, actions taken, campaign interactions, feature use and referral source.
Communication data
Support requests, feedback, emails, messages and survey responses.
Consent and preference data
Cookie choices, marketing preferences, language preferences and notification settings.
Legal and safety data
Records required to prevent fraud, enforce terms, comply with law, respond to authorities or resolve disputes.
We do not intentionally require special category personal data such as health data, biometric data, political opinions, religious beliefs or similar sensitive data. You must not submit such data unless strictly necessary and legally permitted.
3. Purposes and legal bases
We process personal data for the following purposes:
| Purpose | GDPR-style legal basis | KVKK / UAE PDPL aligned basis |
|---|---|---|
| Provide the Service, create and manage campaigns, authenticate users | Contract necessity | Establishment or performance of a contract |
| Display campaign pages and contribution information | Contract necessity, legitimate interests, consent where required | Contract performance, legitimate interest, explicit consent where required |
| Support, troubleshooting and service communications | Contract necessity, legitimate interests | Contract performance, legitimate interest |
| Security, fraud prevention and platform integrity | Legitimate interests, legal obligation | Legitimate interest, legal obligation |
| Analytics and product improvement | Legitimate interests for necessary analytics, consent for non-essential cookies where required | Legitimate interest where proportionate, explicit consent where required |
| Marketing communications | Consent or soft opt-in where permitted | Explicit consent where required, opt-out rights |
| Legal compliance, authority requests and dispute management | Legal obligation, legitimate interests | Legal obligation, establishment, exercise or protection of rights |
| Business transfers, restructuring or due diligence | Legitimate interests, legal obligation where applicable | Legitimate interest, legal obligation |
4. Service providers
We currently use the following main service providers to operate Giftly:
| Provider | Role | Processing purpose |
|---|---|---|
| Vercel | Hosting and deployment infrastructure | Hosting the application, serving pages, security, logs and performance |
| Supabase | Database and backend infrastructure | Storing and managing campaign, organizer, participant and related service data |
| Email and business communication provider | Sending, receiving and managing service, support and business emails | |
| Future affiliate or third party sellers | Third party commercial partners | Product or service redirection, affiliate tracking only if enabled and disclosed |
5. Cookies and similar technologies
We use strictly necessary cookies and local storage where needed for internal authentication, security, session continuity, language preference, gift voting, participant form continuity and basic service functionality. Giftly does not currently use analytics, marketing, advertising or third party tracking cookies. Details are provided in the Cookie Notice below.
6. Sharing of personal data
We may share personal data with:
- hosting, cloud infrastructure, database, security and monitoring providers;
- email, messaging, support and notification providers;
- third party sellers or affiliate partners only where relevant to a user action and disclosed;
- banks or payment service providers only if such integrations are introduced later;
- professional advisers such as lawyers, accountants, auditors and insurers;
- competent authorities, courts, regulators, law enforcement or public bodies where legally required or necessary;
- potential acquirers, investors or successors in case of merger, acquisition, restructuring, financing or sale of assets, subject to confidentiality and legal safeguards.
Organizers may see contributor information connected with their campaign. Contributors should only contribute to organizers they trust.
7. International transfers
We may process or store personal data in countries outside your country of residence. Where personal data is transferred internationally, we will use appropriate safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, contractual safeguards, explicit consent where required or other legally recognized transfer mechanisms. For transfers from Türkiye, we will apply KVKK Article 9 transfer requirements, including adequacy, appropriate safeguards, standard contracts or explicit consent where legally required. For UAE personal data, we will apply UAE PDPL transfer requirements and safeguards where applicable.
8. Retention
We keep personal data only for as long as necessary for the purposes described in this Notice, including service delivery, legal compliance, accounting, security, dispute resolution and enforcement.
Indicative retention periods:
| Data category | Indicative retention period |
|---|---|
| Account data | Account lifetime and a reasonable period after deletion |
| Campaign data | Campaign lifetime and a reasonable archival period after closure |
| Contributor and participation data | Campaign lifetime and a reasonable period after campaign closure |
| Support communications | Up to 3 years |
| Security and technical logs | Typically 6–12 months unless needed longer for investigation |
| Legal, tax, accounting and dispute records | As required by applicable law |
| Cookie or local storage preference records | As long as necessary to remember the relevant preference or demonstrate compliance |
9. Your rights
Subject to legal conditions and limitations, you may have the right to:
- access your personal data;
- request correction of inaccurate or incomplete data;
- request deletion or erasure;
- restrict processing;
- object to processing based on legitimate interests;
- withdraw consent;
- request data portability;
- object to direct marketing;
- object to certain automated decisions, where applicable;
- request information about processing and transfers;
- lodge a complaint with a competent data protection authority.
Under Turkish KVKK, you may also exercise the rights listed under Article 11 of Law No. 6698.
Under UAE PDPL, you may request access, correction, deletion, restriction, cessation of processing, portability and objection to automated processing where applicable.
To exercise your rights, contact us at privacy@thegiftly.app. We may need to verify your identity before responding.
10. Children
The Service is not intended for children under 13.
If a higher age threshold applies in your jurisdiction, that threshold applies.
Users under 18 may use the Service only with appropriate parental or guardian consent and supervision.
11. Security
We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, misuse or destruction.
No digital service is completely secure.
You are responsible for keeping your login credentials, campaign links and organizer links secure.
12. Data breach notification
If a personal data breach occurs and notification is required by applicable law, we will notify the competent authority and affected individuals within legally required timelines and provide the information required by law.
13. Automated decision making
We do not use personal data for decisions that produce legal or similarly significant effects solely by automated means unless expressly stated and permitted by law.
14. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. The latest version will be published with an effective date. Material changes will be communicated where required by law.