Privacy Policy
Last Updated: May 2026
1. Information We Collect
Account Information
When you create an account, we collect your phone number and/or Apple ID information (name and email). This information is used solely for authentication, account management, and gift delivery.
Transaction Information
When you purchase a gift card, we collect:
- Payment information (processed securely by Stripe — we never see or store your full card number)
- Recipient details (name and phone number)
- Gift card preferences (business selection, amount, personal message)
Recipient Information
When a recipient claims a gift card, we verify their identity via SMS to protect both sender and recipient. No email address is required from the recipient.
Device Information
We collect a device identifier to manage your sessions and provide per-device security verification. We do not collect location data, contacts, photos, or other device data beyond what is necessary for the Service.
Automatically Collected Information
- IP address (for API security and fraud prevention)
- Browser type and device information (for compatibility)
- Usage patterns (to improve the Service)
2. How We Use Your Information
- Provide the Service: Create and manage your account, process purchases, issue virtual cards, and deliver gifts to recipients
- Verify Identity: Send one-time SMS verification codes to protect sender and recipient security
- Process Payments: Payments are processed securely by Stripe
- Deliver Gifts: Send gift notifications to recipients via SMS
- Provide Support: Respond to your inquiries and resolve issues
- Prevent Fraud: Detect and prevent fraudulent or unauthorized transactions
- Improve the Service: Analyze usage patterns to enhance functionality and user experience
3. Information Sharing
We do NOT sell, rent, or trade your personal information. We share data only with the following service providers who are essential to delivering the Service:
- Stripe — for secure payment processing
- Twilio — for SMS delivery of gift cards and verification codes
- Our card issuing partner — for virtual Visa gift card issuance; card usage is also subject to the card-issuing partner's terms of service
- AI Service Providers — for analyzing business websites to generate personalized gift card designs (only business URLs are shared, not personal data)
- Hosting Provider — Replit for application hosting and database services
These third parties are contractually bound to protect your data and use it only for the specific services they provide to us.
We may also disclose information if required by law, regulation, legal process, or government request.
4. Data Security
We take the security of your data seriously and implement industry-standard measures including:
- Encrypted connections — All data is transmitted via TLS/HTTPS
- Payment processing — Credit card data is handled entirely by Stripe
- Isolated card vault — Virtual card credentials (card number, CVV, expiry) are stored in a separate, PCI-compliant vault service and rendered via secure iframe. Card data never touches our main application
- HMAC-signed URLs — Access to card data requires cryptographically signed URLs with automatic expiration
- SMS verification — One-time passcodes required before card credentials are revealed
- Secure session management — Per-device sessions with automatic expiration
No method of electronic transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
5. Data Retention
- Active Accounts: Data is retained while your account is active and the Service is in use
- Transaction Records: Retained as required for financial reporting, legal compliance, and dispute resolution
- Inactive Accounts: May be deleted, along with associated data, after 1 year of inactivity
- Deleted Accounts: Personal data is removed within 30 days of an account deletion request, except where retention is required by law
- Recipient Data: Retained only as necessary for transaction record keeping and dispute resolution
6. Your Rights
You have the right to:
- Access — View the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete data
- Deletion — Request deletion of your account and associated data (subject to legal retention requirements)
- Portability — Request a copy of your data in a portable format
- Opt Out — Opt out of promotional communications at any time
To exercise any of these rights, contact us through our support chat or at help@lastminute.gift. We will respond within 30 days.
7. Cookies and Tracking
- Session Cookies: Required for authentication and functionality
- Device ID: Stored locally for session management (not a tracking cookie)
- No Third-Party Ads: We do not use advertising cookies or tracking pixels
- No Sale of Data: We do not sell or share data with advertisers
8. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a person under 18, we will delete that information promptly.
9. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated through the app. Continued use of the Service after changes constitutes acceptance of the revised policy.