Privacy and Data Protection Policy
This Privacy and Data Protection Policy covers all aspects of the Surprisygift sites. Please read it carefully before accessing and/or using the Website.
When reviewing the present Privacy and Data Protection Policy, reference should be made to the Terms and Conditions as these are applicable to Users (available here) and Participating Merchants (available here).
Surprisygift Ltd is a Cyprus-based company. By using Surprisygift’s services, you are transmitting information to Cyprus and any other location in the world where Surprisygift has bases. By using the Surprisygift Services you agree to having your information and data stored and processed in the country/city where our servers are located; our servers are hosted and located in Cyprus, although in the future we might distribute our database instances across multiple Availability Zones in a Multi-AZ deployment to enhance the functionality and quality of Surprisygift. If you are a resident of another country, note that Cyprus may not afford the same privacy protections as your country of residence.
Information collection
Surprisygift is the controller of the information circulating on the Website and by the Website. We may process the users’ preferences for purposes of providing a better experience to the End-users and the Participating Merchants, as defined in our terms and conditions as available in our Sites.
Surprisygift takes all necessary precautions to ensure that the personal information of our Users and Participating Merchants is kept safe and confidential. At Surprisygift we recognize that privacy is important to you.
This Privacy and Data Protection Policy explains how Surprisygift and all its affiliates and subsidiaries collect, use and disclose your personal data, and your rights in relation to the personal data as these are held. Keeping your data secure and private is part of our philosophy for delivering high standards of services.
In this privacy policy, “us”, “we” and “our” refer to the data controller of your personal data, which is subject to the EU General Data Protection Regulation 2016/679 (“GDPR”) and any locally applicable data protection laws.
Privacy and Data Protection Policy and what this covers
The Surprisygift Privacy and Data Protection Policy (“Policy”) explains what categories of personal information are collected and for what purpose they are processed, as well as when and why personal data may be shared within Surprisygift and with third parties. Finally, the Policy outlines your rights and the options available to you when it comes to your personal data.
This Policy applies to you with regards to your interactions with our Sites and/or our communications with you about our products and services.
What types of personal data do we collect and for what purpose?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Such personal data, collected by us within the context of our business relationship may include:
- First & Last Name
- City of Residence
- Full postal address is only required in the case of product
- Email address
- Mobile phone data
- Birthday
Surprisygift collects the minimum required personal data that would allow Surprisygift to perform the service for which the User and Participating Merchant has signed up.
User Personal Data is collected solely for marketing purposes and may be used (in accordance with any preferences you have expressed and/or instructions given) to send you marketing messages by email, post, phone and social media to keep you updated in relation to the brands you have signed up for.
Anytime you contact us about our services either by phone, email or post or when you contact us via social media, we may also collect personal data you provide us.
We may also contact you in order to manage promotions and competitions you participate in.
Personal data are collected online and/or via the participation in any one of our events and/or competitions.
We process the aforementioned personal data in compliance with the provisions of GDPR and the applicable local legislation as amended from time to time for:
- compliance with a legal obligation;
- the purposes of safeguarding legitimate interests;
- marketing to you;
- the administration and management of our business, including recovering money you owe to us, and archiving or statistical analysis;
- seeking advice on our rights and obligations, such as where we require our own legal advice
As part of running our business, we have a legitimate interest to promote our Participating Merchants using marketing messages to existing Users of Surprisygift unless you have asked us not to. This includes the management and dispatch of information on exclusive promotions, latest news and events in store via email, SMS or ordinary mail.
On the basis of your consent
Where we rely on your freely given consent, provided at the time you gave us your personal data, to process it for a purpose other than those set out hereinabove, the lawfulness of such processing is based on that consent. You have the right to withdraw consent at any time by contacting us. However, processing of personal data carried out before we receive the withdrawal of consent will not be affected, and the revocation of such consent does not affect the legality of any processing that has been performed prior to the revocation.
When we collect your personal data, we will always give you the opportunity to revoke your consent and/or instruct us to stop sending marketing messages at any time.
- For email marketing, the best way to do this is to click on the ‘unsubscribe’ link in any email you receive.
- For SMS marketing, you may call us on the number provided in the SMS and your number will automatically be added to an opt-out list.
We do what is possible to process User and Participating Merchant requests within 48 hours of receiving them. We continuously work on improving our customer experience to allow you to opt-out easily of our communications.
When and why Surprisygift may share personal data within Surprisygift and with other organizations
The personal data collected may be transferred/communicated to third party data processing companies that carry out certain functions on our behalf. Surprisygift works with carefully selected Service Providers that help us with technology services. We assure you that we only share personal data that are absolutely necessary to enable our Service Providers to provide their services. Where the party with whom we share your personal information is a legal entity, we hereby affirm that we will take all reasonable steps and/or actions to confirm that the employees and/or representatives of such a third party will execute their duties in accordance with the highest industry standards and will comply with all provisions and requirements of this Policy, the local laws and regulations on the protection of personal data (as amended from time to time), GDPR and any legislation to succeed it or complement it.
Some of the Service Providers we work with operate online media channels, and they place relevant online advertising for our products and services on those online media channels on our behalf. For example, you may see an advert for our products and services as you use particular social media sites.
The personal data may be transferred/communicated to our partners or may be processed by third parties who work for our partners. We would like to reassure you that we have in place appropriate protection measures to make sure that your personal data remains adequately protected and is treated in line with this Policy.
Other than the disclosures referred to in this Policy, we will not disclose any personal information without your consent unless we are legally entitled or obliged to do so (for example, if required to do so by Court Order or for the purposes of prevention of fraud or other crime or as a result of any legal obligations) and/or if necessary to defend our legal rights.
Surprisygift does not, under any circumstances, sell customer data to third parties.
How we protect your personal data
The Management of Surprisygift is committed to respecting, protecting and maintaining your privacy. We have put in place a number of measures to ensure this is implemented.
Indicatively, we use computer safeguards such as firewalls and data encryption. Authorized access is only granted to the employees who need it to carry out their job responsibilities.
As part of our policies, we enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data.
You should be aware that the internet is an insecure environment. Whilst we take appropriate technical and organizational measures to safeguard your personal data, please note that we cannot guarantee the security of any personal data that you transfer over the internet to us. However, we will continue to update these measures, as appropriate, when new technology becomes available.
Why do we process and use personal data?
We might process personal data related to the users of our sites to facilitate the provision of our services as per our applicable terms. We process the data provided by our users to provide a personalized experience. We do not keep our users’ data. Our users’ data are stored on our servers. Once our users delete their account, their data will be erased by our servers within 7 (seven) years.
We process, use and store on our servers personal data under the following lawful bases:
- where we have consent by the data subject;
- where necessary to execute a contract with the data subject;
- where it is necessary for compliance with a legal obligation;
- where processing is necessary to protect the vital interests of the data subject or of another person;
- where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- where justified by the legitimate interest of Surprisygift, of the data subject or of others.
What personal data of users we temporarily store and how we process
When you use Surprisygift, we temporarily store and process personal data about you to provide our services.
The above-mentioned data may include but is not limited to information and content you provide, including full name, username, password, email, date of birth, phone number, the user’s card details when paying for a service, country of residence, your device’s location, device information (device type e.g., Android or iOS, FMT token), device permissions such as location, storage, camera (as applicable), and information as to your personal preferences, demographics and psychographics. We also collect information which refers to the user’s personal preferences, demographics and psychographics. Where applicable, users may be requested to insert their card details in order to book a service.
What personal data of service providers we temporarily store and how we process it
The above-mentioned data may include but is not limited to information and content you provide, including full name, username, password, email, date of birth, phone number, the details of the service provider when receiving money for a service, country of residence, sector of expertise, information as to their degree/certification, registration/license number, sufficient proof of having the right to exercise your profession in the relevant country, official national identity card or international passport or driving license, your device’s location, device information (device type e.g., Android or iOS, FMT token), and device permissions (location, storage, camera).
Account Credentials
In order to use Surprisygift, you are required to create a profile by registering. To register you have to provide your full name, username, password, email, date of birth, phone number and country. Alternatively, the users can open a Surprisygift account by logging in through their Facebook account or Google account and select the account type. When creating an account, we temporarily store these data for authentication and/or verification purposes.
When you create an account with Surprisygift, you choose to provide us with personal data about yourself. Such data will be displayed on your Surprisygift profile. For example, in the Website, you may voluntarily provide your Personal Data, such as your profile photo, information you write on your profile bio, and any other information that you add on your profile on the Website. You should carefully consider what personal data to include in your Profile, and you can review and change that information at any time by accessing the “Edit Profile” section of the Website. It is noted that any changes on a Merchant’s profile will need to be approved by the Company before being published.
Location and Distance Information
When you use the Website, you have permitted us to have the access to view your precise location (e.g. your latitude and longitude) ("Location"). You may also revoke this permission and disable the location services on your device.
Mailing list
Surprisygift may create a mailing list for some or all of the site using the user’s email address and use it to send promotional emails or any other type of emails relating to the Surprisygift services. We will only use this information in aggregate form in order to assess general users’ interest in various internal and third-party products and services. We will not pass your personal and contact information to any other organization apart from any affiliate entities of Surprisygift. You will receive regular emails from the Website if you choose to sign up for a mailing list. If you no longer wish to receive our newsletters, you may unsubscribe from our mailing list at any time.
Hardware and Software Information
We collect certain hardware and software information about you and your device such as device make, device model, carrier, data connection type, browser type, operating system, IP address, domain name, all of the foregoing collectively known as “Hardware and Software Information”.
How long are general data retained?
We temporarily store personal data for the period necessary to fulfill the purposes outlined in this Policy unless a longer retention period is required by law. As long as the account is in the Website, we will temporarily store the data necessary to run and display their account. Surprisygift’s general retention policy is to retain personal data for 7 (seven) years following termination of our contractual relationship with you. In some circumstances, such as to meet our legal or regulatory obligations, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may hold on to your personal information after we’ve finished providing services to you, or for longer than our general retention policy. For more information about the retention period of specific data please contact us.
Your contact information and personal data are stored securely, using a mixture of password protection, and servers/back-ups all kept with multiple lock protection.
We have put in place appropriate technical and organisational measures including physical, electronic and procedural measures to protect personal data from loss, misuse, alteration or destruction. We restrict access to information at our premises so that only officers and/or employees who need to know the information have access to it. Those individuals who have access to the data are required to maintain the confidentiality of such information. Please be aware that users should also take care with how they handle and disclose their personal data and should avoid sending personal data through insecure email.
Who do we share personal data with?
We will not share information about the data subject with anyone without a contractual legal basis and unless the law and our policies allow us to do so.
If you book a service, you privately submit personal data such as your name, payment card information, billing information, address, telephone number, and email address to one of our third-party payment processors.
Surprisygift will not receive or process payment card information directly; however, our third-party service providers may provide certain information to us (e.g., your name, phone number, partial payment card number, and email address).
We may have or may create multiple bases around the world and therefore we may share information globally and around the world with/to our different branches and organisations that fall under the Surprisygift parent company, in accordance with this Policy. Information controlled by Surprisygift may be stored, transferred or transmitted to, and processed in other countries outside where you live for the purposes described in this Policy. These data transfers are necessary to provide the services set forth in the Surprisygift Terms and Conditions, and to globally operate and provide our Services to you. We utilize standard contractual clauses approved by the European Commission and rely on the European Commission's adequacy decisions about certain countries, as applicable, for data transfers from the EEA to the United States and other countries.
Data subject rights:
Under the General Data Protection Regulation, you as the Data subject, have the following rights:
- the right to be informed about what we do with your information;
- the right to access personal data and supplementary information;
- the right to have inaccurate personal data rectified, or completed if it is incomplete. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us;
- the right to erasure (to be forgotten) in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. In such a case, your data will be stored but not processed until expiration of the retention obligation;
- the right to object to or restrict processing in certain circumstances. This enables you to ask us to stop processing your information or to ask us to limit the ways in which we process the information. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms;
- the right to data portability, which allows you to obtain and reuse your personal data for your own purposes across different services. You may request to receive a copy of the personal data concerning you in a format that is structured and commonly used, and transmit such data to other organizations. You also have the right to have your personal data transmitted directly by us to other organizations you name;
- the right to withdraw consent. This enables you to withdraw your consent regarding the processing of your personal data for marketing purposes at any time. You may withdraw your consent given to us either by opting out of SMS messages, unsubscribing to email newsletters or changing preferences via a link in the footer of all non-transactional email messages. These options are made available when you sign-up for our email lists and in email messages delivered from us. Note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you;
- the right to lodge a complaint. If you have exercised any or all of your data protection rights and still feel that your concerns about how we use your personal data have not been adequately addressed by us, you have the right to file a complaint with the Commissioner for the Protection of Private Data.
Data transferred to a country outside the European Union
GDPR and the applicable local legislation as amended from time to time prohibit the transfer of personal information outside the European Economic Area (“EEA”) unless specific requirements are met for the protection of that personal information.
When sharing your personal data with third parties as set out in this Policy, it may be transferred outside the European Union. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable service agreement, and not for any other purpose. In these circumstances, your personal data will only be transferred on one of the following bases:
- The country that we send the personal data to is approved by the European Commission as providing an adequate level of protection for personal data;
- The recipient has entered into European Commission standard contractual clauses with us or contract terms ensuring adequate data protection;
- You have explicitly consented to the same; or
- If it is required by law (e.g. reporting obligations under tax law).
If service providers in a third country are used, all reasonable and practicable measures will be taken to ensure that they will comply with the data protection level in the European Union in accordance with the GDPR.
Any transfers to parties located outside the European Union will be in line with the legal and regulatory provisions of the GDPR and applicable local legislation as amended from time to time.
To what extent we carry out automated decision-making and profiling
In establishing and carrying out a business relationship, we generally do not use automated decision-making. If we use this procedure in individual cases, we will inform you of this separately.
Legal disclaimer and compliance with legal obligations
Though we make every effort to preserve user privacy, Surprisygift may need to disclose personal information when required by relevant law where we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on Surprisygift.
We also process your personal data for our compliance with a legal obligation which we are under. In this respect, we will use your personal data for the following:
- meet our compliance and regulatory obligations, such as compliance with anti-money laundering laws;
- As required by tax authorities or any competent court or legal authority under the relevant laws.
In this respect, we will share your personal data with the following:
- Our advisers where it is necessary for us to obtain their advice or assistance;
- Our auditors where it is necessary as part of their auditing functions;
- With third parties who assist us in conducting background checks;
- With relevant regulators or law enforcement agencies where we are required to do so under relevant laws.
Business transitions
In the event Surprisygift goes through a business transition, such as a merger, acquisition by another person, company or other legal entity, or sale of a portion of its assets, users' personal information will, in most instances, be part of the assets transferred and you hereby consent to such transfer of information.
Links and information
Our Website contains links to other sites. Please be aware that Surprisygift is not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our Website and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by Surprisygift.
Notification of changes
We are committed to offering you the best possible shopping experience; consequently, additional functions and features may in the future be incorporated into our Website. This may result in periodic changes to this Policy to reflect how we are processing your personal information. We encourage you to review our Policy periodically so as to always be informed about how we are processing and protecting your personal information.
Whenever Surprisygift changes its Policy, we will post those changes here, and other places we think appropriate so you will always be aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. Surprisygift will notify you, via email or another appropriate contact method, when/if such change occurs.
This Privacy and Data Protection Policy was last updated on 27 June 2023.
How to contact us
Your concerns are very important to us and we endeavor to address all of your requests promptly. If, at any time, you believe that you have received an unsolicited commercial email from Surprisygift, on behalf of somebody else, you may report it to us.
To exercise any or all of your rights as a data subject, or if you have any other questions about our use of your personal data, please contact us by submitting a request by email to [email protected]
For any General Data Protection Regulation (EU) 2016/679 (“GDPR”)-related inquiries, any suggestions about our privacy policy or complaints, please contact us at [email protected]
Data Protection Officer
We have designated a Data Protection Officer (“DPO”), who is responsible for monitoring compliance with this Policy as well as the applicable Laws and for liaising with the relevant authorities.
The DPO may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights.
Official requests may be made electronically at: [email protected]
If you have a concern about the way we collect or use your personal information, you should raise your concern with the DPO in the first instance or directly to the office of the Commissioner for the Protection of Private Data. You can be provided with the complaint forms from the Commissioner’s office at www.dataprotection.gov.cy.