Skip to content
Privacy policy

Minimal data. No trackers.

GiftCryp privacy policy: minimal data, email-only checkout, no third-party trackers, retention and access rights for crypto gift card buyers.

Last updated ·

The plain-English version

What this actually means.

We need your email to deliver a code, your phone number for a mobile top-up, and your deposit address for refunds when needed. We do not run analytics, behavioural tracking, advertising remarketing, or session recorders. We do not sell, rent, share or trade your email or phone number. The full legal text below describes exactly what we collect, why, how long we keep it, and what rights you have.

  • Email address (delivery)
  • Phone (mobile top-up only)
  • Crypto deposit metadata
  • 2 first-party UX cookies
  • No real name, address, ID
  • No bank or card details
  • No 3rd-party analytics
  • No tracking pixels

01 Summary, before the legal text

GiftCryp is built around minimal data. We need an email address to deliver a gift card code, a phone number for a mobile top-up, and a payment address to send refunds when needed. We do not run third-party analytics, behavioural-tracking pixels, advertising remarketing tags, or session recorders. We do not sell, rent, share or trade your email or phone number. The full legal text below describes exactly what we collect, why, how long we keep it, and what rights you have.

02 Who we are

This Privacy Policy is published by the operator of GiftCryp.com ("we", "the Service"). For questions covered by data-protection law (GDPR, UK GDPR, CCPA), the data controller is reachable at /contact.

03 What we collect

Order data

  • Email address: required for code delivery and post-order support.
  • Phone number (mobile top-up only): the destination MSISDN, stored in normalized E.164 form.
  • Order line: brand, variant, denomination, currency, total in cryptocurrency.
  • Locale and display currency preference: stored as cookies (gic_locale, gic_ccy) for one year so we don't have to ask again.

Payment metadata

  • Deposit address (one-time, generated for the order).
  • Cryptocurrency settlement details: chain, transaction hash, amount, confirmations.
  • Rate-engine invoice ID: the third-party rate engine's reference for our reconciliation.

We do not see, store or have access to your wallet's private keys, seed phrase, exchange API keys or any custodial wallet credentials.

Operational logs

Standard web-server request logs (IP address, user-agent, request path, response code, timestamp). Pruned on a 90-day rolling window unless flagged for security investigation.

What we do not collect

  • Real name, postal address, billing address.
  • Government-issued ID, KYC documents.
  • Payment-card details (we don't accept cards).
  • Bank account information.
  • Browsing history outside our domain.
  • Cross-site identifiers (no third-party analytics, advertising or behavioural pixels).

04 Why we collect it

  • Code delivery: email address and phone number are the delivery rails. Without them we cannot fulfil the order.
  • Refund and re-issue: order-line and payment-metadata are needed to re-issue a faulty code or refund to the original deposit address inside the 14-day window.
  • Fraud and abuse prevention: a small number of repeat-fraud signals are scored and may trigger manual review.
  • Accounting and tax compliance: order totals and payment receipts are kept for the period required by applicable law (typically 6 to 10 years).

05 Cookies

We set two first-party cookies, both for UX, neither for tracking:

  • gic_locale: stores the language you picked. 1-year expiry. SameSite=Lax.
  • gic_ccy: stores the display currency you picked (USD, EUR, GBP, BTC, ETH). 1-year expiry. SameSite=Lax.

We do not set third-party cookies. We do not load Google Analytics, Facebook Pixel, Hotjar, Intercom, or any equivalent script. The only third-party requests outgoing from this site are: font files from fonts.bunny.net, country flag images from flagcdn.com, and the QR-code image generator at api.qrserver.com on the pay page.

06 Data sharing

We share order data only with the parties strictly required to fulfil the order:

  • Brand voucher APIs: we send the variant, the denomination and a receipt reference. We do not send the buyer's email, phone number or any personal data.
  • Mobile top-up carriers: the destination phone number, country, operator and amount.
  • Cryptocurrency rate engines: the cryptocurrency, the amount, the deposit address. They do not receive the buyer's email or phone number.
  • Email delivery provider: the buyer's email address, the order number, the claim code. Contractually bound not to use the data for any other purpose.
  • Law enforcement: only when compelled by a valid legal order from a competent jurisdiction. We log every such request and notify the buyer where lawfully permitted.

We never sell, rent or share data for advertising, profiling, lead generation or any commercial purpose other than the ones above.

07 Data retention

  • Server access logs: 90 days.
  • Order records (email, brand, amount): 7 years for tax compliance, then deleted.
  • Mobile top-up records (phone number): 24 months, then phone numbers are hashed and the linkage to the email is severed.
  • Failed order data (no payment received): 30 days.
  • Cookies: 1 year from last set, refreshed on each visit.

08 Your rights

Depending on your jurisdiction (GDPR for EU/UK residents, CCPA for California residents, similar regimes elsewhere) you have the right to:

  • Access the data we hold about you. Email /contact from the email address you used at checkout. We respond within 30 days.
  • Rectify inaccurate data (e.g. an email typo on a delivery).
  • Erase your order history. Note: tax-compliance retention may apply for a portion of the data.
  • Object to processing in cases where it is not legally required for contract fulfilment.
  • Lodge a complaint with your local data-protection authority.

09 Security

The site is served over HTTPS only, with HSTS preloaded. Database credentials and payment-provider API keys are stored outside the web root with restrictive file permissions. Deposit address generation is fully server-side; there is no client-side wallet exposure. We do not custody any cryptocurrency for buyers — every deposit is settled and routed to operating wallets within minutes of confirmation.

10 Children

The Service is not directed at and not intended for children under the age of 16. We do not knowingly collect data from anyone under 16. If you believe a child has placed an order, email us and we will purge the order data.

11 International transfers

Order data may be processed by sub-processors (email delivery, cryptocurrency rate engines, brand voucher APIs) located in jurisdictions outside the buyer's. Where the buyer is in the EU/UK, transfers to non-adequacy jurisdictions are covered by Standard Contractual Clauses or equivalent safeguards.

12 Changes to this policy

Updates are posted to /privacy with a new "Last updated" date. Material changes will be flagged via email to active users. The current version always lives at this URL.

13 Contact and complaints

Questions, access requests, deletion requests, complaints: /contact. We answer in twelve languages.

Last updated · July 7, 2026

← Terms of service
Exercise your rights

Need to access, correct or erase your data?

Email from the address you used at checkout. We respond within 30 days, in twelve languages.

Email