Privacy Policy

Last updated: November 13, 2025

1. Introduction

Welcome to the GiftWeGo privacy policy.

This document describes how Ondřej Smutný, Business ID: 75343533, Registered address: Družstevní 511, 294 41 Dobrovice, Czech Republic (hereinafter "we", "us" or "GiftWeGo") processes your personal data when using our web application available at giftwego.com.

1.1 Our commitment to privacy

• We respect your privacy and take the protection of your personal data seriously
• We comply with GDPR (EU) 2016/679 and Czech Act No. 110/2019 Coll. on the processing of personal data
• We only process data necessary to provide our services
• We never sell your data to third parties for marketing purposes

1.2 Contact for data protection inquiries

Data Controller: Ondřej Smutný Business ID: 75343533 Registered address: Družstevní 511, 294 41 Dobrovice, Czech Republic Email: info@giftwego.com

Data Protection Officer (DPO): Not designated (not mandatory for self-employed individuals)

2. What personal data we process

2.1 Data we collect directly from you

2.1.1 Registration and user account

When registering with email and password:

• Email (required) - account identifier, login, communication
• Name (required) - display name in the application
• Password (required) - stored as bcrypt hash, never stored in readable form

When registering via Google/Facebook OAuth:

• Email (from OAuth provider)
• Name (from OAuth provider)
• Profile picture (from OAuth provider, optional)
• Google/Facebook ID (for account association)

Optional profile data:

• First name and surname
• Phone number
• Date of birth
• Preferences (language, currency, time zone, date format)
• Notification settings (email notifications, push notifications)

2.1.2 Payment and billing information

Data for credit purchases:

• Name (for invoice)
• Email (for invoice and confirmation)
• Stripe Customer ID (reference to your account in Stripe system)

Payment card data:

• IMPORTANT: We NEVER store or process credit card numbers
• Cards are processed exclusively by Stripe (PCI DSS certified)
• We only store: card type (Visa, Mastercard), last 4 digits, expiration date

Billing address (optional, for businesses):

• Company name
• Business ID, VAT ID
• Billing address (street, city, postal code, country)

Credit history:

• Date and time of transactions
• Credit amount (addition/subtraction)
• Transaction type (purchase, bonus, consumption, refund)
• Stripe Payment ID (for accounting and refunds)
• Transaction description

2.1.3 Recipient profiles

Personal data of gift recipients you enter:

• Recipient's name
• Age or date of birth
• Gender
• Relationship to you (partner, parent, friend, colleague, etc.)

Interests and preferences:

• Interests (sports, arts, travel, technology, etc.)
• Personality traits
• Preferred brands
• Type of residence and location (city type, specific place, country)

Restrictions:

• Health restrictions (allergies, dietary restrictions - vegan, vegetarian, gluten-free, etc.)
• Gift restrictions (alcohol, electronics, clothing, etc.)

Gift history:

• Gift name
• Price
• Date of giving
• Occasion
• Success rating (1-5 stars)
• Notes

Blacklist:

• List of prohibited products/categories
• Reason for exclusion (optional)
• Date added

Free-form notes:

• Any notes you write about the recipient

2.1.4 AI recommendations and history

When using AI Advisor we store:

• Session ID (grouping recommendations from one session)
• Snapshot of recipient information (name)
• Occasion (birthday, Christmas, etc.)
• Budget and urgency
• AI recommendations (name, description, reasoning, price, category)
• Date and time of generation
• Credits consumed

Feedback and ratings:

• Rating of individual recommendations (thumbs up/down)
• Session rating (1-5 stars)
• Text feedback (optional)
• Time needed for rating (for analytics)

2.1.4 Chrome Extension Data

When using the GiftWeGo Chrome Extension:

Product information from e-commerce sites:

• Product names, prices, descriptions, images, URLs
• Only collected when you actively use the extension on product pages
• Sources: Amazon, Alza.cz, Mall.cz, and other e-commerce sites
• Purpose: AI analysis for gift suitability evaluation

Extension authentication:

• Access token for your GiftWeGo account
• Stored locally in your browser using Chrome Storage API
• Purpose: Seamless integration with your GiftWeGo account

User preferences and settings:

• Language selection (English, Czech, German, French)
• Extension settings (checker enabled/disabled status)
• Floating button positions per domain
• Stored locally in your browser
• Purpose: Personalization and functionality

Product check history:

• URLs of products you've analyzed with AI
• Check timestamps and results
• Associated with your GiftWeGo account
• Purpose: Provide analysis history and improve recommendations

Chrome Extension permissions explanation:

• storage: To save your login, preferences, and settings locally
• activeTab: To read product information from pages you're viewing
• giftwego.com: To communicate with our API for AI analysis

Data sharing:

• Product data is processed by our AI provider (Anthropic Claude) under strict confidentiality
• We never sell your data to third parties
• No data is used for advertising purposes

Data deletion:

• Local data: Automatically deleted upon extension uninstall
• Server data: Follows the retention policy of the main GiftWeGo application (see section 4)
• Request deletion via info@giftwego.com

2.2 Data we collect automatically

2.2.1 Technical data

When visiting the website and using the application:

• IP address (anonymized for analytics)
• User Agent (browser type, operating system, device type)
• Referrer (where you came from)
• Session ID (for session tracking)
• Timestamp (date and time of visit)

2.2.2 Cookies and tracking

Essential cookies (without consent):

• Session cookie (login, authentication)
• Security tokens (CSRF protection)
• Preferences (language, theme)

Analytics cookies (with consent):

• Google Analytics 4 - website traffic analysis
• Microsoft Clarity - session recording, heatmaps, user behavior analysis
• Website behavior tracking for UX improvement
• Anonymized data for service optimization

IMPORTANT: From October 31, 2025, Microsoft Clarity requires explicit consent for users from EEA, UK, and Switzerland. Before consent is granted, Clarity operates in "no-consent" mode (without cookies and session tracking).

2.2.3 Affiliate tracking

For partner commissions we track:

• Clicks on affiliate links
• Partner (Google, Heureka, Alza, etc.)
• Product/category
• Recommendation ID (association with recommendation)
• User ID (for statistics)
• Timestamp

IMPORTANT: Affiliate partners DO NOT RECEIVE your personal data (name, email). Tracking is anonymous.

2.3 Data provided to us by third parties

2.3.1 OAuth providers (Google, Facebook)

If you register via Google/Facebook:

• Email
• Name
• Profile picture (if you allow)
• OAuth Provider ID

What we DO NOT RECEIVE:

• Your Google/Facebook account password
• Contact list
• Email content
• Activity history

2.3.2 Stripe (payment processor)

Stripe provides us:

• Customer ID (reference to your account)
• Payment Method ID (reference to stored card)
• Payment Intent status (successful/unsuccessful payment)
• Webhook events (payment events)

Stripe DOES NOT PROVIDE us:

• Credit card numbers (only last 4 digits)
• CVV codes
• PIN codes

3. Why we process your data (legal bases)

3.1 Performance of contract (Art. 6(1)(b) GDPR)

We need to provide the service:

• Email, name, password - for account creation and management
• Recipient profiles - core of AI Advisor service
• AI recommendation history - providing personalized service
• Credits and payments - execution of purchase contract

Without this data we cannot provide the service.

3.2 Legitimate interest (Art. 6(1)(f) GDPR)

To improve the service and its sustainability:

• Affiliate tracking - service monetization for sustainability
• Analytics - improving AI recommendations and user experience
• Fraud detection - protection against service abuse and fraud
• Technical logs - solving technical problems and bugs

We balance our legitimate interest with your rights. You can object (see section 7).

3.3 Consent (Art. 6(1)(a) GDPR)

We require your explicit consent for:

• Marketing emails (newsletters, tips, offers)
  • Opt-in, default setting: NO
  • You can withdraw anytime (link in email or Settings)
• Push notifications (event reminders, tips)
  • Must be enabled in browser settings
  • You can disable anytime
• Analytics cookies (Google Analytics)
  • We will show cookie banner on first visit
  • You can decline

Withdrawal of consent:

• Does not affect lawfulness of processing before withdrawal
• You can withdraw anytime in Account Settings

3.4 Legal obligation (Art. 6(1)(c) GDPR)

We must retain by law:

• Billing data and payment history - accounting act (5 years)
• Tax documents - tax regulations (10 years for some documents)

We cannot delete this data even upon request, but it will be anonymized (removal of name, email).

4. How long we retain data

4.1 Active accounts

For the duration of your account:

• All profile data, recipients, recommendations
• Credit history and transactions
• Preferences and settings

4.2 Inactive accounts

After 24 months of inactivity:

• We will send you a warning email
• We will offer the option to extend the account

After 36 months of inactivity:

• Account will be automatically deleted
• You will be notified 30 days in advance

4.3 After account deletion

Personal data (immediately, max. 30 days):

• All recipient profiles - DELETED
• All AI recommendations - DELETED
• Preferences and settings - DELETED
• Email and name - DELETED
• User account - DELETED

Financial data (5-10 years, anonymized):

• Credit and payment history - ANONYMIZED (without name and email)
• Invoices - ANONYMIZED (replaced with anonymous ID)
• Reason: Legal obligation (accounting, taxes)

Anonymized data (indefinitely):

• Aggregated statistics (e.g., "average number of recipients per user")
• Cannot be traced back to you

4.4 AI recommendation history

Automatic limit:

• Max. 500 records per user
• Oldest records are automatically deleted when limit exceeded

Recommendation: Regularly export important recommendations (JSON format).

4.5 Cookies

Session cookies: Deleted after logout or browser close Persistent cookies: Validity 30 days - 1 year (depending on type) Analytics cookies: Validity 2 years (Google Analytics default)

5. Who we share your data with

5.1 Processors (subcontractors)

We use the following trusted processors:

5.1.1 Anthropic Inc. (Claude API)

• Purpose: Generating AI gift recommendations
• Data shared:
  • Recipient information (name, age, gender, interests, personality)
  • Occasion, budget, urgency
  • Gift history (for better recommendations)
  • Product blacklist
• Legal basis: Performance of contract (providing AI service)
• Location: USA
• Protection:
  • Anthropic has its own GDPR-compliant policies
  • Data is not stored long-term nor used for AI training
  • Standard contractual clauses (SCCs) for transfer to USA
• More info: https://www.anthropic.com/legal/privacy

5.1.2 Stripe Inc.

• Purpose: Processing payments for credits
• Data shared:
  • Email, name (for invoice)
  • Payment details (cards processed only by Stripe)
  • Billing address (if you provide)
• Legal basis: Performance of contract (payments)
• Location: USA/EU (EU data centers available)
• Protection:
  • PCI DSS Level 1 certification (highest security level)
  • GDPR-compliant Data Processing Agreement (DPA)
  • Standard contractual clauses (SCCs)
• More info: https://stripe.com/privacy

5.1.3 Vercel Inc. (hosting)

• Purpose: Web application hosting
• Data shared:
  • Technical data (IP addresses, User Agent)
  • Session data
• Legal basis: Legitimate interest (service operation)
• Location: Edge Network, primarily EU region (Frankfurt, Amsterdam)
• Protection: GDPR-compliant, SOC 2 Type II certification
• More info: https://vercel.com/legal/privacy-policy

5.1.4 MongoDB Inc. (database)

• Purpose: Storing application data
• Data shared: All application data (profiles, recommendations, credits)
• Legal basis: Performance of contract (data storage)
• Location: According to MongoDB Atlas configuration (usually EU region)
• Protection: GDPR-compliant, ISO 27001, SOC 2 Type II
• More info: https://www.mongodb.com/legal/privacy-policy

5.1.5 Resend (email provider)

• Purpose: Sending transactional and marketing emails
• Data shared:
  • Email, name
  • Personalization data (e.g., recipient name for reminder)
• Legal basis: Performance of contract / Consent (marketing)
• Location: USA/EU (according to configuration)
• Protection: GDPR-compliant service
• More info: https://resend.com/legal/privacy-policy

5.1.6 Google Analytics 4

• Purpose: Website traffic and user behavior analysis
• Data shared:
  • Anonymized IP address
  • User Agent, website behavior
  • Cookies (with consent)
• Legal basis: Consent (Art. 6(1)(a) GDPR)
• Location: USA
• Protection:
  • IP anonymization enabled
  • Google Analytics 4 (GDPR-friendly)
  • Can be declined via cookie banner
  • Does not run without consent - consent control implemented
• More info: https://policies.google.com/privacy

5.1.7 Microsoft Clarity (Session Recording & Heatmaps)

• Purpose: User behavior analysis, session recording, heatmaps, UX improvement
• Data shared:
  • With consent:
    • Session recordings (mouse movements, clicks, scrolling)
    • Heatmaps (where users click and scroll)
    • IP address (anonymized)
    • User Agent, device type
    • URLs of visited pages
    • Session ID for cross-visit linking
  • Without consent (no-consent mode):
    • Only basic anonymous metrics without cookies
    • No session recordings
    • No cross-visit linking
• Legal basis: Consent (Art. 6(1)(a) GDPR)
• Location: USA (Microsoft Azure cloud)
• Data controller: Microsoft Ireland Operations Limited (for EU users)
• Retention period:
  • Session recordings: 30 days
  • Heatmaps: 13 months
  • Favorite recordings: up to 13 months
• Protection:
  • EU-US Data Privacy Framework compliance (approved by EC in July 2023)
  • Standard Contractual Clauses (SCCs) under Art. 46 GDPR
  • Automatic anonymization of sensitive data (passwords, card numbers)
  • Clarity Consent API v2 implemented (consent enforcement from Oct 31, 2025)
  • GDPR-compliant Data Processing Agreement
  • Does not run without consent - session recording active only after consent
• Your rights:
  • You can decline in cookie banner
  • You can revoke consent anytime in cookie settings
  • Without consent operates in "no-consent" mode (no tracking)
• More info:
  • https://learn.microsoft.com/en-us/clarity/faq
  • https://privacy.microsoft.com/en-us/privacystatement

5.1.8 Error Tracking System (Debugging and Monitoring)

• Purpose: Ensuring website stability and security, detecting and resolving technical errors
• Data collected:
  • Error messages
  • Stack traces (technical error information)
  • URL of page where error occurred
  • User Agent (browser, OS)
  • IP address (anonymized)
  • User ID and email (only for logged-in users)
  • Timestamp (time of error occurrence)
• Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
  • Justification: Ensuring security and functionality of the service is essential for website operation. Users expect a stable and functioning service. Error monitoring is necessary to identify and fix technical problems.
  • Balancing test: Minimal privacy intrusion (technical data only) vs. critical need to ensure service functionality → legitimate interest prevails
  • Recital 49 GDPR: Processing of personal data to the extent strictly necessary for ensuring network and information security constitutes a legitimate interest
• Location: MongoDB Atlas (EU region)
• Retention period: 90 days, then automatic deletion
• Protection:
  • We store only data necessary for debugging
  • IP addresses anonymized where possible
  • No sensitive information (passwords, payment details) is logged
  • Automatic retention policy (90 days)
  • Access only for admins
  • End-to-end encryption in transit (TLS)
• Your rights:
  • You can object to processing (see section 7.5)
  • Upon objection, we will consider ceasing processing unless compelling reasons exist
  • Note: Error monitoring is critical for service security - without it we cannot ensure application stability
• Features: Automatic capturing of JavaScript errors, unhandled promises, React render errors, API errors

5.2 Affiliate partners

Partners we link to:

• Google (search)
• Heureka.cz (price comparison)
• Alza.cz, Mall.cz, Datart.cz (e-shops)
• Amazon.cz (marketplace)

What we DO NOT SHARE with them:

• Your name, email, phone
• Recipient profiles
• AI recommendations

What they may receive:

• Referrer (that you came from giftwego.com)
• UTM parameters (tracking codes for commission)
• Anonymous Click ID (for conversion tracking)

If you purchase from a partner:

• Partner has its own Privacy Policy
• Their terms apply, not ours
• GiftWeGo is not responsible for their data processing

5.3 Legal requirements

We may be required to disclose data to:

• Courts - based on court order
• Police - during criminal investigation
• Tax authorities - for accounting audit
• Office for Personal Data Protection - during GDPR compliance check

In these cases we will disclose only the minimum necessary data.

5.4 What we NEVER do

❌ DO NOT SELL your data to third parties ❌ DO NOT SHARE data for third-party marketing (targeted advertising) ❌ DO NOT RENT email database ❌ DO NOT TRANSFER data outside the above processors

6. Data transfers outside EU

6.1 Transfers to USA

Some of our processors are based in USA:

• Anthropic Inc. (Claude API)
• Stripe Inc. (payments)
• Resend (emails)
• Google Analytics 4 (analytics - with consent)
• Microsoft Clarity (session recording, heatmaps - with consent)
• Error Tracking System (error monitoring - legitimate interest)

6.2 Protection mechanisms

For transfers to USA we use:

1. Standard contractual clauses (SCCs) - approved by European Commission
2. Data Processing Agreements (DPA) - data processing contracts
3. EU Data Centers - when available (Stripe, Vercel)
4. Additional security measures:
   • Encryption in transit (TLS 1.3)
   • Encryption at rest
   • Minimization of transferred data

6.3 Your rights

You have the right to:

• Obtain a copy of standard contractual clauses
• Object to transfer outside EU
• In case of objection, we cannot provide services requiring transfer (e.g., AI Advisor)

Send requests to: info@giftwego.com

7. Your rights (GDPR Art. 15-22)

7.1 Right of access (Art. 15)

You have the right to obtain:

• Confirmation whether we process your data
• Copy of all your personal data
• Information on processing purpose, data category, recipients
• Information on retention period
• Information on your rights

How to exercise:

1. In application: Log in → Settings → Export data → Download JSON
2. By email: Write to info@giftwego.com (we will verify your identity)

Delivery time: 30 days from request (FREE, first request)

7.2 Right to rectification (Art. 16)

You have the right to correct:

• Inaccurate personal data
• Incomplete data (add missing)

How to exercise:

1. In application: Log in → Profile / Recipients → Edit data
2. By email: info@giftwego.com (for data you cannot edit yourself)

Time: Immediately (when editing in application), 7 days (when requested by email)

7.3 Right to erasure / Right to be forgotten (Art. 17)

You have the right to request deletion of data if:

• Data is no longer needed for the original purpose
• You withdraw consent and there is no other legal basis
• You successfully object (see 7.6)
• Data was processed unlawfully
• Data must be deleted according to legal obligation

How to exercise:

1. In application: Log in → Settings → Delete account
   • Confirm phrase "DELETE MY ACCOUNT"
   • Deletion is irreversible
2. By email: info@giftwego.com (if you cannot log in)

What will be deleted:

• ✅ All recipient profiles
• ✅ All AI recommendations
• ✅ Your preferences and settings
• ✅ Email, name, phone
• ✅ User account

What will NOT be deleted (legal obligation):

• ⚠️ Credit and payment history (5 years) - but ANONYMIZED
• ⚠️ Invoices (10 years) - but ANONYMIZED
• Reason: Accounting act, tax regulations

Time: Immediately (max. 30 days for complete deletion)

7.4 Right to data portability (Art. 20)

You have the right to obtain data in machine-readable format:

• Format: JSON (JavaScript Object Notation)
• Content: All data you provided to us

How to exercise: Log in → Settings → Export data → Download JSON

Export contains:

• ✅ User profile (name, email, preferences)
• ✅ All recipient profiles (including gift history, blacklist)
• ✅ All AI recommendations (including reasoning and feedback)
• ✅ Credit history (transactions, purchases)

Time: Immediately (generation takes approx. 5-10 seconds)

Transfer to another controller:

• You can request direct data transfer to another controller (if technically feasible)
• Send request to: info@giftwego.com

7.5 Right to restriction of processing (Art. 18)

You have the right to request restriction (suspension) of processing if:

• You contest data accuracy (restriction for verification period)
• Processing is unlawful but you don't want deletion (you want only restriction)
• We no longer need the data but you need it for legal claim
• You have objected (restriction for assessment period)

How to exercise: By email to: info@giftwego.com (describe reason)

What it means:

• Your data will be stored but we will not actively process it
• Account will be deactivated (cannot log in)
• After resolving the restriction reason we will inform you

Time: 7 working days from request

7.6 Right to object (Art. 21)

You have the right to object to processing based on legitimate interest:

• ❌ Affiliate tracking
• ❌ Analytics (behavior tracking)
• ❌ Marketing (even with consent - you can withdraw consent)

How to exercise:

1. In application: Settings → Privacy → Disable affiliate tracking / analytics
2. Marketing: "Unsubscribe" link in email
3. By email: info@giftwego.com

What will happen:

• We will stop processing data for that purpose
• If we have another legal basis (e.g., performance of contract), we may continue

Time: Immediately (when disabled in application), 7 days (when requested by email)

7.7 Right not to be subject to automated decision-making (Art. 22)

GiftWeGo DOES NOT USE fully automated decision-making that would have legal consequences or significantly affect you.

AI Advisor:

• AI recommendations are only suggestions and inspiration
• Final decision is always yours
• AI has no legal effect on you

There is no automated:

• ❌ Account approval/rejection
• ❌ Pricing based on profile
• ❌ Decisions about service access

7.8 Right to lodge a complaint

If you think we violate GDPR, you have the right to lodge a complaint:

Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27 170 00 Prague 7 Czech Republic

Phone: +420 234 665 111 Email: posta@uoou.cz Web: www.uoou.cz

Online filing: https://www.uoou.cz/rades

We recommend: Contact us first (info@giftwego.com) - we resolve most issues directly.

8. Security of your data

8.1 Technical measures

Encryption:

• ✅ HTTPS (TLS 1.3) - all communication between you and server is encrypted
• ✅ Encryption at rest - data in database is encrypted
• ✅ Bcrypt hash - passwords are hashed with 12 salt rounds (cannot be decrypted)

Authentication and authorization:

• ✅ JWT tokens - secure session management (30 days validity)
• ✅ User isolation - every database query filtered by userId (protection against data leakage)
• ✅ CSRF protection - protection against cross-site request forgery attacks
• ✅ Rate limiting - protection against brute-force attacks

Infrastructure:

• ✅ Vercel Edge Network - DDoS protection, geographic distribution
• ✅ MongoDB Atlas - managed database with automatic backups
• ✅ Stripe - PCI DSS Level 1 certification for payments

8.2 Organizational measures

Data access:

• ✅ Principle of least privilege - access only for authorized persons
• ✅ Audit logs - recording access to sensitive data
• ✅ Regular reviews - checking access rights

Training:

• ✅ Operator is familiar with GDPR requirements
• ✅ Using secure practices during development

Agreements with processors:

• ✅ Data Processing Agreements (DPA) with all subcontractors
• ✅ Ensuring GDPR compliance with processors

8.3 Security incident reporting

In case of data breach:

• ✅ We will notify ÚOOÚ within 72 hours of discovery (if there is a risk)
• ✅ We will inform affected users without undue delay (if there is a high risk)
• ✅ We will describe the nature of the incident, its consequences and measures taken

Reporting security vulnerabilities: If you discover a security vulnerability, contact us: info@giftwego.com

9. Children's data

GiftWeGo IS NOT intended for children under 16.

• ❌ We do not intentionally collect data from children under 16
• ❌ If we discover we have accidentally collected a child's data, we will delete it immediately
• ⚠️ Parents: If you believe your child has provided us with data, contact us: info@giftwego.com

Profiles of child recipients:

• ✅ You can create profiles of child recipients (for gift tips)
• ✅ This is acceptable because YOU (adult) provide the data, not the child

10. Changes to this policy

10.1 Policy updates

We may change this policy for reasons:

• Changes in laws (new GDPR requirements)
• New application features
• Changes in processors (new email provider, etc.)
• User feedback

10.2 Notification of changes

Minor changes (grammatical corrections, clarifications):

• We will update the "Last updated" date
• We will publish on the website

Significant changes (new processing purposes, new processors):

• We will send email 30 days in advance
• We will display notification in application
• We will ask for review of new policy

10.3 Your consent

If you continue using the service after changes take effect:

• It is considered consent to the new policy

If you do not consent:

• You can delete account before changes take effect
• Contact us: info@giftwego.com

10.4 Archive of older versions

• Older versions of policy are archived
• Available upon request: info@giftwego.com

11. International users

11.1 Service available globally

GiftWeGo is available in 4 languages:

• 🇨🇿 Czech
• 🇬🇧 English
• 🇩🇪 German
• 🇫🇷 French

11.2 Governing law

This policy is governed by:

• Czech law (operator based in Czech Republic)
• GDPR (EU regulation 2016/679) - applies to all users in EU
• Local data protection laws (if you are outside EU)

11.3 Users outside EU

If you use GiftWeGo outside EU:

• Your data may be transferred to EU (server in EU)
• By using the service you consent to data transfer to EU
• This policy and GDPR apply (even if you are outside EU)

Additional rights outside EU:

• California Consumer Privacy Act (CCPA) - for users in California
• Other local privacy laws

12. Contact

12.1 Data Controller

Ondřej Smutný Business ID: 75343533 Registered address: Družstevní 511, 294 41 Dobrovice, Czech Republic Email: info@giftwego.com Web: https://giftwego.com

12.2 Data Protection Officer (DPO)

Not designated (not mandatory for self-employed individuals)

For data protection inquiries contact: Email: info@giftwego.com

12.3 Response times

• General inquiries: 7 working days
• Data access requests (Art. 15): 30 days
• Other requests (Art. 16-21): 7-30 days (depending on complexity)
• Complaints: 14 days

Confirmation and consent

By using GiftWeGo service you confirm that:

✓ You have read and understood this privacy policy ✓ You consent to processing of your personal data according to this policy ✓ You are over 16 years old (or have parental consent) ✓ Provided data is truthful and complete

Effective date: October 7, 2025 Version: 1.0

© 2025 GiftWeGo. All rights reserved.