01 Summary, before the legal text
GiftCryp is built around minimal data. We need an email address to deliver a gift card code, a phone number for a mobile top-up, and a payment address to send refunds when needed. We do not run third-party analytics, behavioural-tracking pixels, advertising remarketing tags, or session recorders. We do not sell, rent, share or trade your email or phone number. The full legal text below describes exactly what we collect, why, how long we keep it, and what rights you have.
02 Who we are
This Privacy Policy is published by the operator of GiftCryp.com ("we", "the Service"). For questions covered by data-protection law (GDPR, UK GDPR, CCPA), the data controller is reachable at /contact.
03 What we collect
Order data
- Email address: required for code delivery and post-order support.
- Phone number (mobile top-up only): the destination MSISDN, stored in normalized E.164 form.
- Order line: brand, variant, denomination, currency, total in cryptocurrency.
- Locale and display currency preference: stored as cookies (
gic_locale,gic_ccy) for one year so we don't have to ask again.
Payment metadata
- Deposit address (one-time, generated for the order).
- Cryptocurrency settlement details: chain, transaction hash, amount, confirmations.
- Rate-engine invoice ID: the third-party rate engine's reference for our reconciliation.
We do not see, store or have access to your wallet's private keys, seed phrase, exchange API keys or any custodial wallet credentials.
Operational logs
Standard web-server request logs (IP address, user-agent, request path, response code, timestamp). Pruned on a 90-day rolling window unless flagged for security investigation.
What we do not collect
- Real name, postal address, billing address.
- Government-issued ID, KYC documents.
- Payment-card details (we don't accept cards).
- Bank account information.
- Browsing history outside our domain.
- Cross-site identifiers (no third-party analytics, advertising or behavioural pixels).
04 Why we collect it
- Code delivery: email address and phone number are the delivery rails. Without them we cannot fulfil the order.
- Refund and re-issue: order-line and payment-metadata are needed to re-issue a faulty code or refund to the original deposit address inside the 14-day window.
- Fraud and abuse prevention: a small number of repeat-fraud signals are scored and may trigger manual review.
- Accounting and tax compliance: order totals and payment receipts are kept for the period required by applicable law (typically 6 to 10 years).
07 Data retention
- Server access logs: 90 days.
- Order records (email, brand, amount): 7 years for tax compliance, then deleted.
- Mobile top-up records (phone number): 24 months, then phone numbers are hashed and the linkage to the email is severed.
- Failed order data (no payment received): 30 days.
- Cookies: 1 year from last set, refreshed on each visit.
08 Your rights
Depending on your jurisdiction (GDPR for EU/UK residents, CCPA for California residents, similar regimes elsewhere) you have the right to:
- Access the data we hold about you. Email /contact from the email address you used at checkout. We respond within 30 days.
- Rectify inaccurate data (e.g. an email typo on a delivery).
- Erase your order history. Note: tax-compliance retention may apply for a portion of the data.
- Object to processing in cases where it is not legally required for contract fulfilment.
- Lodge a complaint with your local data-protection authority.
09 Security
The site is served over HTTPS only, with HSTS preloaded. Database credentials and payment-provider API keys are stored outside the web root with restrictive file permissions. Deposit address generation is fully server-side; there is no client-side wallet exposure. We do not custody any cryptocurrency for buyers — every deposit is settled and routed to operating wallets within minutes of confirmation.
10 Children
The Service is not directed at and not intended for children under the age of 16. We do not knowingly collect data from anyone under 16. If you believe a child has placed an order, email us and we will purge the order data.
11 International transfers
Order data may be processed by sub-processors (email delivery, cryptocurrency rate engines, brand voucher APIs) located in jurisdictions outside the buyer's. Where the buyer is in the EU/UK, transfers to non-adequacy jurisdictions are covered by Standard Contractual Clauses or equivalent safeguards.
12 Changes to this policy
Updates are posted to /privacy with a new "Last updated" date. Material changes will be flagged via email to active users. The current version always lives at this URL.
13 Contact and complaints
Questions, access requests, deletion requests, complaints: /contact. We answer in twelve languages.
Last updated · July 7, 2026
← Terms of service