Skip to content
Viewing offline

Privacy Policy for GiveTwice

Last updated: February 21, 2026

1. Information we collect

We collect information you provide directly to us, such as when you create an account, create a wishlist, or contact us for support.

  • Account information (name, email address, profile picture)
  • Wishlist content (product URLs, titles, descriptions, prices, images)
  • Claim information (name and email address for gift claims)
  • Preferences (language and currency settings)
  • Social login identifiers (if you choose to sign in with Google, Facebook, or Apple)
  • Session data (IP address, browser information, last activity timestamp)

Note: Social login via Google, Facebook, or Apple is entirely optional. You can always create an account using just your email address.

2. How we use your information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Send you technical notices and support messages
  • Respond to your comments and questions
  • Analyze anonymized, aggregated data about claimed gifts (such as which retail platforms are most popular) to identify affiliate program opportunities β€” this helps us maximize charitable donations

When analyzing gift claim data for affiliate program purposes, we only use anonymized information (e.g., domain names of gift URLs) and never associate this data with individual users.

3. Data retention periods

We retain your data only for as long as necessary. Specific retention periods are:

  • Account data β€” retained while your account is active, plus 2 years after your last activity. Inactive accounts are deleted after 24 months (with a warning email sent at 22 months).
  • Guest sessions β€” automatically deleted after 7 days of inactivity.
  • Authenticated sessions β€” automatically deleted after 30 days of inactivity.
  • List invitations β€” expired, accepted, or declined invitations are deleted after 60 days.
  • Password reset tokens β€” automatically deleted after 1 hour.

4. Information sharing

We do not sell, trade, or otherwise transfer your personal information to third parties. We may share information in the following circumstances:

  • With your consent
  • To comply with legal obligations
  • To protect our rights and safety

Gift claims: When someone claims a gift from your wishlist, you will receive their name and email address so you can coordinate the gift-giving. Similarly, if you claim a gift, your name and email will be shared with the wishlist owner.

Third-party services: If you choose to sign in using Google, Facebook, or Apple, their respective privacy policies apply to the data they collect during authentication. We only receive your basic profile information (name, email, profile picture) from these services.

Subprocessors: We use a limited number of third-party service providers to operate GiveTwice. For a complete list, see our subprocessors page.

5. International data transfers

Your data is primarily processed within the European Union. Some of our subprocessors may process data outside the EU/EEA. In such cases, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

6. Data processing agreements

We have Data Processing Agreements (DPAs) in place with all third-party service providers that process personal data on our behalf. These agreements ensure that your data is processed in compliance with the GDPR and only according to our instructions.

7. Your rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15) β€” you can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) β€” you can update or correct inaccurate personal data via your account settings.
  • Right to erasure (Art. 17) β€” you can delete your account and all associated data from your account settings.
  • Right to data portability (Art. 20) β€” you can export all your personal data in a machine-readable JSON format from your account settings.
  • Right to object (Art. 21) β€” you can object to the processing of your personal data for certain purposes.
  • Right to lodge a complaint β€” you have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

To exercise any of these rights, please contact us.

8. Data security

We implement appropriate technical and organizational security measures to protect your personal information, including encrypted connections (HTTPS), secure password hashing, and access controls. However, no method of transmission over the Internet is 100% secure.

9. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours. If the breach is likely to result in a high risk to you, we will also notify you directly via email.

10. Cookies

We use only essential cookies that are strictly necessary for the operation of our service:

  • Session cookie β€” maintains your login session and remembers your preferences. Expires when you close your browser or after the session lifetime.
  • XSRF token β€” protects against cross-site request forgery attacks. Expires with your session.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

12. Contact us

If you have any questions about this Privacy Policy or want to exercise your data protection rights, please contact us.

Back to Home