This Privacy Policy explains how GiftHorse (“GiftHorse”, “we”, “us”) collects and uses information when you visit https://gift-horse.online (the “Site”) or interact with us to purchase and redeem e-vouchers for gift experiences. By using our Site or contacting us (including via WhatsApp) you agree to this Policy and our Terms & Conditions. If you have questions, contact support@gift-horse.com or WhatsApp +971 55 653 1638.
Information We Collect and Use
Categories of Personal Data
We may collect and process the following categories of personal data:
Identification and contact data. Full name, email address, phone number and/or WhatsApp number.
Booking and preference data. Information you voluntarily provide to personalise and fulfil an experience, including preferred contact time, occasion (e.g., birthday), recipient’s name, number of participants, desired dates and times, language preferences, special requests and any other free-text “Additional details” you choose to submit.
Voucher and transaction metadata. Voucher ID/number, purchase timestamp, price/offer selected, currency, redemption status, booking confirmation references, and communication history related to the order or redemption.
Payment data. We do not collect or store full payment card details. Payments are processed by Stripe. Stripe may collect payer name, email, billing address, partial card identifiers, device identifiers and anti-fraud signals as an independent controller under its own terms and privacy notices. We receive from Stripe limited transaction confirmations (e.g., payment status, amount, time) sufficient to issue e-vouchers and manage bookings.
Technical and usage data. IP address, device and browser characteristics, operating system, referring/exit pages, timestamps, page response times and interaction data, and cookies strictly necessary for site operation and security. If analytics is enabled, we may also process aggregated usage data via analytics cookies subject to your consent (see Cookies section).
Special-category data. We do not intentionally collect special-category data (e.g., health data) through the Site. If certain experiences require fitness/health confirmations (e.g., for safety reasons), such confirmations are ordinarily handled directly by the supplier/aggregator under their own terms; we ask that you do not include sensitive data in free-text fields.
Sources of Data
We collect data directly from you (web forms, email, WhatsApp or phone), automatically via the Site (technical/usage data), and from our service providers (e.g., payment status from Stripe). Where booking is coordinated through an aggregator, we may receive limited updates on slot availability and booking confirmations.
Purposes and Legal Bases
We process personal data only where we have a valid legal basis, typically one or more of the following:
Contract (Art. 6(1)(b) GDPR). To assess and respond to enquiries; issue e-vouchers; verify voucher validity; coordinate and secure bookings with suppliers/aggregators; send operational messages (e.g., payment links, booking confirmations, reminders, material changes to the experience).
Legitimate interests (Art. 6(1)(f) GDPR). To provide customer support via email/WhatsApp; ensure network and information security; prevent and investigate fraud and chargebacks; maintain accurate records; improve our service offering (on a proportionate, minimally intrusive basis). We balance these interests against your rights and reasonable expectations.
Consent (Art. 6(1)(a) GDPR). For marketing communications (email/WhatsApp) where you opt-in; for non-essential analytics cookies; and where local law requires consent for specific forms of electronic communications. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal obligation (Art. 6(1)(c) GDPR). To comply with consumer-protection requirements, to respond to lawful requests from authorities and to retain records for the periods mandated by applicable law.
We will not use personal data for purposes that are materially incompatible with the purposes above without notifying you and, where required, obtaining your consent.
WhatsApp Communications
If you choose to contact us via WhatsApp (or request that we contact you there), your messages and related metadata will be processed by WhatsApp/Meta as an independent controller under its own terms and privacy policy. We will use WhatsApp strictly to handle your enquiry, deliver payment links/e-vouchers and arrange bookings, unless you separately opt-in to receive marketing via WhatsApp.
Data Minimisation and Optional Fields
Fields not marked as mandatory are optional. Please avoid including information not necessary for enquiry handling or booking (particularly sensitive data). Where possible, we share with suppliers/aggregators only the minimum data required to secure or service a booking (typically name, contact details, voucher/booking references and selected options).
Cookies and Log Data
We use essential cookies to operate the Site, secure forms and manage sessions. We may also use analytics cookies to measure and improve performance with your prior consent via the cookie banner. Log data may include IP address, device/browser type, pages visited and timestamps; such data is used for security, diagnostics and service quality, and retained for limited periods consistent with those purposes. See the Cookies section for details on categories, providers and your choices.
Sharing with Service Providers and Partners
We engage third-party service providers and commercial partners to operate the Site and to deliver our services. We only share personal data that is necessary for the relevant purpose and require recipients to keep it confidential and secure.
Processors (acting on our instructions):
Website & forms: Tilda (hosting/website builder) for Site delivery and form submissions.
Payments: Stripe for payment processing. We do not store full card details; Stripe processes payer data under its own terms.
Communications: WhatsApp and email service providers to send operational messages, e-vouchers and booking confirmations.
Storage/IT/analytics: cloud storage, ticketing and (if enabled) analytics tools used to support, secure and improve the Site.
Execution partners (independent controllers):
Experience suppliers and aggregators. To arrange and service a booking, we may share only what is necessary (typically name, contact details, voucher/booking references, selected options and preferred dates). These partners process your data under their own terms and privacy policies.
Legal and compliance
We may disclose information where required by law or a competent authority, to establish or defend legal claims, to prevent fraud or abuse, or in connection with a corporate transaction (e.g., financing, merger, acquisition), subject to appropriate safeguards. Where personal data is transferred internationally, we implement appropriate safeguards (e.g., Standard Contractual Clauses) and limit access to a need-to-know basis. Further details are provided in the International Transfers section below.
Security
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include, as appropriate, access controls and least-privilege policies, encryption in transit, segregation of environments, logging and monitoring, staff confidentiality undertakings and vendor due-diligence (including data processing agreements with processors). Please note that no method of transmission over the Internet or electronic storage is entirely secure. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a data incident affecting your personal data, we will notify you and/or regulators as required by applicable law.
Links to Third-Party Sites
Our Site may contain links to third-party websites, plug-ins or services. If you follow a link, the relevant third party may collect or share information about you and will process it under its own privacy policy, which may differ from ours. We do not control and are not responsible for the content, privacy practices or security of third-party sites. We encourage you to review the applicable privacy policy before providing any personal data there.
International Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including where our service providers or execution partners (e.g., website hosting, payments, communications, experience suppliers/aggregators) are located. Where such transfers are required, we implement appropriate safeguards and limit access on a strict need-to-know basis. These safeguards may include:
the European Commission’s Standard Contractual Clauses (SCCs),
assessments of the destination country’s legal environment,
technical and organisational measures (encryption in transit, access controls, minimisation), and
contractual obligations on recipients to protect the data and to notify us of any material changes.
Data Retention
We keep personal data only for as long as necessary for the purposes set out in this Policy, and thereafter as required or permitted by law. In particular:
Enquiries, vouchers & bookings: up to 24 months after voucher redemption or expiry (to handle customer care, rebookings, chargebacks and disputes).
Transaction/financial records (incl. Stripe confirmations and invoices): retained for the period required by law, typically 5–7 years.
Customer support & operational communications (email/WhatsApp): retained in line with the enquiry/booking lifecycle and our general retention window above.
Security/diagnostics logs: typically up to 12 months, unless extended for incident investigation.
Marketing data: retained until you withdraw consent or opt out, after which we will suppress your contact details from further marketing.
Disputes, legal requests, fraud prevention: where reasonably necessary, we may retain relevant records until the matter is resolved and for the applicable statutory limitation period.
When retention expires, we will delete or irreversibly anonymise the data. If deletion is not immediately feasible (e.g., backups), we will securely isolate the data and remove it from active use until deletion is possible.
Children’s Data
Our Services are not directed to children under 16 (or the minimum age required by local law, if different). We do not knowingly collect personal data from children. If you are a parent or legal guardian and believe that a child has provided personal data to us, please contact us and we will take appropriate steps to delete such data without undue delay.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top indicates the latest revision. Where changes are material (for example, new purposes, new categories of recipients, or practices that meaningfully affect you), we will take appropriate steps to notify you, such as posting a notice on the Site and, where required by law, seeking your renewed consent (e.g., for marketing or non-essential cookies). Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Contact Us
If you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us via support@gift-horse.com or WhatsApp +971 55 653 1638.