Privacy Policy
Your privacy is our priority
Last updated: December 2024 • GDPR & UK DPRA Compliant
Privacy at a Glance
Your Data is Secure
End-to-end encryption, secure servers, regular audits
You're in Control
Access, edit, or delete your data anytime
No Tracking
We don't sell data or use invasive tracking
1. Who We Are
TheList.Gifts ("we", "our", or "us") is the data controller for your personal information. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Contact Information:
Data Protection Officer: privacy@thelist.gifts
Company: TheList.Gifts
Location: United Kingdom
2. Information We Collect
Account Information
- Email address - Required for account creation and communication
- Password - Hashed and stored securely using bcrypt
- Name - Optional, for personalization
- Consent preferences - Marketing and data processing consent
Gift List Data
- List details - Names, descriptions, occasion types, dates
- Gift items - Names, descriptions, prices, URLs, notes
- Sharing settings - Who can view your lists
- Reservation data - Anonymous tracking of reserved/purchased items
Technical Information
- IP address - For security and fraud prevention
- Browser information - For compatibility and optimization
- Usage analytics - Anonymous view counts and feature usage
- Session data - To keep you logged in securely
3. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
Contract Performance
Processing necessary to provide our gift list service
Consent
Marketing communications (you can withdraw anytime)
Legitimate Interest
Security, fraud prevention, and service improvement
Legal Obligation
Compliance with applicable laws and regulations
4. How We Use Your Information
We use your personal data for the following purposes:
Service Provision
Create and manage your account, gift lists, and sharing features
Communication
Send transactional emails, password resets, and service updates
Security & Fraud Prevention
Protect your account and prevent unauthorized access
Service Improvement
Analyze usage patterns to enhance features and user experience
Marketing (With Consent)
Send newsletters and feature updates only if you opt-in
5. Your Rights Under GDPR
As a data subject, you have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you
Right to Rectification
Correct any inaccurate or incomplete personal data
Right to Erasure
Request deletion of your personal data ("right to be forgotten")
Right to Data Portability
Receive your data in a machine-readable format
Right to Restrict Processing
Limit how we use your personal data
Right to Object
Object to processing based on legitimate interests
Right to Withdraw Consent
Opt out of marketing communications at any time
Right to Lodge a Complaint
File a complaint with your data protection authority
How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@thelist.gifts or use the privacy controls in your account settings. We will respond to your request within 30 days.
6. Data Security
We implement industry-standard security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction:
Encryption
All data transmitted over HTTPS with TLS 1.3 encryption
Password Protection
Passwords hashed using bcrypt with salt
Regular Audits
Quarterly security audits and vulnerability assessments
Automated Backups
Daily encrypted backups with 30-day retention
Access Controls
Role-based access and multi-factor authentication
Monitoring
24/7 security monitoring and intrusion detection
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required by law.
Active Accounts
Data retained while your account is active and for 90 days after last login
Deleted Accounts
Personal data deleted or anonymized within 30 days of account deletion
Legal Requirements
Some data may be retained longer if required by law (e.g., financial records for 7 years)
Backup Data
Backup copies deleted within 30 days of account deletion
8. Third-Party Services
We use carefully selected third-party services to provide and improve our service. These providers may process your data on our behalf:
Amazon Web Services (AWS)
Purpose: Email delivery (SES) and SMS messaging (SNS)
Data Shared: Email addresses, phone numbers, message content
Privacy Policy: aws.amazon.com/privacy
Google OAuth
Purpose: Optional Google sign-in authentication
Data Shared: Email address, name, profile picture (with your consent)
Privacy Policy: policies.google.com/privacy
Mailchimp
Purpose: Marketing emails (only with your explicit consent)
Data Shared: Email address, name, subscription preferences
Privacy Policy: intuit.com/privacy/statement
Amazon Associates
Purpose: Affiliate tracking for Amazon product links
Data Shared: Anonymous click data, purchase information
Privacy Policy: amazon.com/privacy
We ensure all third-party processors comply with GDPR and have appropriate data protection agreements in place.
9. Children's Privacy
Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13 years of age.
If You Are a Parent or Guardian
If you believe your child has provided us with personal information, please contact us immediately at privacy@thelist.gifts. We will take steps to delete such information from our systems within 72 hours of verification.
We recommend that parents and guardians monitor their children's internet usage and help enforce this policy by instructing their children never to provide personal information without permission.
10. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions for countries with equivalent data protection laws
- Binding Corporate Rules for multinational service providers
11. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How We Notify You
- Material Changes: We will email you at least 30 days before changes take effect
- Minor Changes: We will update the "Last updated" date at the top of this page
- Your Consent: Continued use of our service after changes constitutes acceptance
We encourage you to review this privacy policy periodically to stay informed about how we protect your data.
Third-Party Services
Our service uses the following third-party services:
- Amazon Web Services (AWS): For email (SES) and SMS (SNS) delivery
- Google OAuth: For optional Google sign-in
- Mailchimp: For marketing emails (only with your consent)
These services have their own privacy policies and we encourage you to review them.
Children's Privacy
Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us immediately.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any significant changes by email or through a notice on our website. Your continued use of the service after such changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this privacy policy, want to exercise your rights, or have concerns about how we handle your data, please don't hesitate to contact us:
We aim to respond to all privacy-related inquiries within 30 days as required by GDPR.