Privacy Policy

01OVERVIEW

1. Introduction

This Privacy Policy ("Policy") describes how Giftm Technology Private Limited ("Giftm", "we", "us", "our") collects, uses, shares, and protects personal data of users of the Giftm platform (www.giftm.in), the Giftm Marketplace (www.giftm.ai), and associated mobile applications (iOS and Android).

This Policy is issued in compliance with the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDPA).

Your Consent Rights Where processing is based on consent under the DPDPA, Giftm will obtain such consent through a clear and affirmative action. You may withdraw consent at any time. Withdrawal will not affect the lawfulness of processing prior to withdrawal.

By accessing or using the Platform, you acknowledge that you have read and understood this Policy and consent to the data practices described herein.

02IDENTITY

2. Data Controller

Giftm Technology Private Limited

Data Controller under the Digital Personal Data Protection Act, 2023

BrandGiftm

Grievance Officer (DPDPA)Vijay Gaikwad

Websiteswww.giftm.in · www.giftm.ai

Contact Emailgrievance@giftm.ai

Registered Address39/4 40/1B, Flat No. 801, Floor 8, Wing B, Kavya Residency-B, Kasarvadavali Village Boriwade, G.B. Road, Opp. Municipal Garden, Thane (W) – 400615, Maharashtra, India

03DATA COLLECTION

3. Personal Data We Collect

3.1 Data You Provide Directly

Identity data: Full name, date of birth, gender
Contact data: Email address, mobile number, delivery address
Account data: Username, password (hashed), profile preferences
Payment data: Billing address, payment instrument type (card details processed by gateway partners only — Giftm does not store card numbers)
Business data (B2B Clients): Company name, GSTIN, PAN, authorised signatory details, beneficial ownership information
Employee data (R&R programmes): Employee ID, department, designation, PAN (for tax reporting)
KYB documents: Certificate of incorporation, identity proof, address proof
Shipping data (Print Orders): Delivery address, contact number, recipient name, pin code / postal code

3.2 Data Collected Automatically

Device & technical data: IP address, device ID, browser type, operating system
Usage data: Pages visited, links clicked, time spent, search queries
Transaction data: Purchase history, redemption history, reward point balances
Location data: Approximate location from IP address only (not GPS unless explicitly permitted at device level)
Cookie data: As described in the Cookie Policy
Inferred & derived data: Preferences, interests, and segmentation profiles inferred from usage patterns and purchase history, used to personalise your Platform experience

Sensitive Personal Information (SPI) Where collected, SPI includes financial information (processed by gateway partners only) and health-related data only where explicitly submitted for wellness programme participation. Giftm will seek explicit consent before collecting any SPI and will process SPI only for the stated purpose.

04PROCESSING

4. Purpose & Legal Basis for Processing

Purpose	Data Used	Legal Basis
Account creation & authentication	Identity, contact, account data	Contract
Order processing & fulfilment	Identity, contact, payment, transaction data	Contract
Loyalty & reward programme administration	Identity, transaction, employee data	Contract Legitimate Interest
KYB verification (B2B Clients)	Business data, KYB documents	Legal Obligation
Fraud detection & prevention	Device, usage, transaction data	Legitimate Interest
Customer support & grievance resolution	Identity, contact, transaction data	Legal Obligation Contract
Marketing communications	Contact, preference data	Consent (DPDPA)
Analytics & platform improvement	Usage, device data (anonymised)	Legitimate Interest
Tax compliance & invoicing	Identity, payment, GST/PAN data	Legal Obligation
Security monitoring & audit	Access logs, device data	Legitimate Interest

05DATA SHARING

5. Sharing of Personal Data

We do not sell or rent your personal data. Giftm never sells or rents your personal data to any third party for their own marketing or commercial use.

We may share data only in the following circumstances:

Program Sponsors (banks, corporates): Aggregate programme data and individual redemption records as required by the programme
Brand / Merchant Partners (Marketplace): Transaction data required to fulfil voucher delivery
Payment gateway partners: Payment instrument data strictly for transaction processing (PCI-DSS compliant)
Technology sub-processors: Cloud hosting, analytics, CRM, email/SMS providers — all bound by data processing agreements
KYB / Identity verification providers: For B2B Client verification only
Law enforcement & regulators: Where required by court order, RBI direction, SEBI, FIU-IND, or other applicable authority
Business transfers: In the event of a merger, acquisition, or restructuring — you will be notified of any change in data controller
Aggregated & anonymised data: De-identified statistical data may be shared with B2B Clients, research partners, or investors. Such data will not identify you individually
Analytics & advertising partners: Usage and device data may be shared with Google Analytics, Firebase, and AppsFlyer in anonymised or pseudonymised form
Courier & logistics partners: Delivery address, contact details, and order details shared with Delhivery, Blue Dart, FedEx, DHL solely for fulfilment of physical Print Orders

06DATA TRANSFERS

6. International Data Transfers

Giftm processes and stores personal data primarily within India. Certain third-party sub-processors (cloud infrastructure, analytics platforms) may be located outside India (e.g. in the United States or European Union).

Where data is transferred outside India, Giftm ensures appropriate contractual safeguards consistent with DPDPA requirements and applicable Indian law. Such transfers are limited to what is strictly necessary for service delivery and governed by data processing agreements requiring equivalent data protection standards.

For queries about specific international transfers, contact grievance@giftm.ai.

07SECURITY

7. Data Security

Giftm implements appropriate technical and organisational security measures consistent with ISO 27001 standards and DPDPA requirements, including:

AES-256 encryption at rest and TLS/SSL encryption in transit
Access controls and role-based permissions
Two-factor authentication for administrative access
Regular Vulnerability Assessment & Penetration Testing (VAPT)
Non-disclosure agreements with all vendors and sub-processors
Documented incident response procedures

Data Breach Response Protocol In the event of a personal data breach, Giftm will: (a) notify affected users via registered email or SMS within a reasonable period; (b) notify the Data Protection Board of India as required under DPDPA; (c) for payment data breaches, notify RBI and relevant payment networks within 6 hours of detection as per RBI Cybersecurity Guidelines for Payment System Operators.

To report a suspected security incident, write immediately to security@giftm.ai.

08RETENTION

8. Data Retention

Data Category	Retention Period
Account & identity data	Duration of account + 3 years post-closure
Transaction & financial data	8 years (Companies Act / Income Tax Act)
KYB documents	10 years from termination of business relationship
Employee R&R data	8 years (Companies Act)
Audit logs & access logs	2 years
Marketing consent records	Until consent withdrawn + 3 years
Customer support records	3 years from resolution

09RIGHTS

9. Your Rights

Under the Digital Personal Data Protection Act, 2023 and applicable Indian law, you have the following rights:

Right to Access

Request a copy of the personal data we hold about you

Right to Correction

Request correction of inaccurate or incomplete personal data

Right to Erasure

Request deletion of personal data, subject to legal retention obligations

Right to Portability

Obtain your personal data in a structured, machine-readable format

Right to Withdraw Consent

Withdraw consent for marketing or any consent-based processing at any time

Right to Object

Object to processing based on legitimate interests

Right of Nomination (DPDPA)

Nominate an individual to exercise your data rights on your behalf in the event of your death or incapacity — a unique right under India's DPDPA 2023

To exercise any of these rights, contact our Grievance Officer at grievance@giftm.ai. We will respond within 30 days of receiving your request. If dissatisfied, you may escalate to the Data Protection Board of India or any relevant regulatory authority.

9ARIGHTS

9A. Profiling & Automated Decision-Making

Giftm may use automated processing including profiling to personalise your Platform experience, customise reward recommendations, and detect fraud. Profiling is based on your transaction history, usage patterns, and programme participation data.

Human Review of Automated Decisions Where automated processing produces legal or similarly significant effects on you, you have the right to: (a) request human review of the automated decision; (b) express your point of view; and (c) contest the decision. To exercise these rights, contact grievance@giftm.ai.

Giftm does not use profiling for credit scoring, insurance underwriting, or any high-stakes decision-making beyond personalisation and fraud prevention.

9BRIGHTS

9B. Do Not Track & Global Privacy Control

Some browsers and devices transmit Do Not Track (DNT) signals or Global Privacy Control (GPC) signals. Giftm honours GPC signals to the extent required by applicable law. Where a valid GPC or DNT signal is detected, Giftm will limit non-essential data collection and opt you out of marketing communications.

Note that essential cookies and security processing are not affected by DNT/GPC signals as they are required for Platform functionality.

10PROTECTION

10. Children's Privacy

The Giftm Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided personal data to us, please contact grievance@giftm.ai and we will delete such data promptly.

Minors may use Gift Cards or redeem rewards only under parental or guardian supervision. Please refer to Section 32 of the Terms & Conditions for the full Age Policy.

11EXTERNAL

11. Links to Third-Party Sites

The Platform may contain links to third-party websites or brand portals. Giftm is not responsible for the privacy practices or content of such third-party sites. We encourage you to review the privacy policies of any third-party site you visit.

Giftm's Privacy Policy applies solely to data collected through our Platform.

11AGLOBAL

11A. Rights of International Users

Giftm's Marketplace (giftm.ai) is accessible globally. If you access the Platform from outside India, the following additional rights may apply:

US

California, USA

CCPA / CPRA

You have the right to know what personal data is collected, sold, or shared; the right to opt out of "sale" or "sharing"; the right to deletion; and the right to non-discrimination. Giftm does not sell personal data. Write to grievance@giftm.ai to exercise CCPA rights.

EU

EEA / United Kingdom

GDPR / UK GDPR

To the extent GDPR or UK GDPR applies, you have the right of access, rectification, erasure, restriction, portability, and to object to processing. You also have the right to lodge a complaint with your local supervisory authority.

UAE

United Arab Emirates

Federal Decree Law No. 45 of 2021

If accessing from the UAE, the UAE Personal Data Protection Law may apply. Contact grievance@giftm.ai to exercise applicable rights under UAE law.

INT

Other Jurisdictions

Best efforts basis

Giftm will endeavour to honour privacy rights requests from users in other jurisdictions to the extent reasonably practicable and as required by applicable local law.

Governing Jurisdiction Regardless of your location, the governing law for this Policy remains the laws of India and the courts in Mumbai shall have jurisdiction, unless a mandatory applicable local law provides otherwise.

12UPDATES

12. Changes to This Policy

Giftm may update this Privacy Policy from time to time. Changes will be posted at www.giftm.in/privacy with an updated effective date. Material changes will be notified to registered users via email or platform notification.

Continued use of the Platform after changes are posted constitutes acceptance of the updated Policy.

This Policy was last updated on: 1st June 2026.

13CONTACT

13. Grievance Officer & Contact

For all privacy-related queries, requests to exercise your data rights, or complaints, please contact:

Vijay Gaikwad

Grievance Officer & Data Protection Contact · Giftm Technology Private Limited

Emailgrievance@giftm.ai

Response TimeWithin 30 days of receipt

Address39/4 40/1B, Flat No. 801, Floor 8, Wing B, Kavya Residency-B, Kasarvadavali Village Boriwade, G.B. Road, Opp. Municipal Garden, Thane (W) – 400615, Maharashtra, India

If not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (once constituted and notified under the DPDPA) or any relevant regulatory or supervisory authority.