Privacy and Data Protection Policy

Surprisygift is the controller of the information circulating on the Website and by the Website. We may process the users’ preferences for purposes of providing a better experience to the End-users and the Participating Merchants, as defined in our terms and conditions as available in our Sites.
Surprisygift takes all necessary precautions to ensure that the personal information of our Users and Participating Merchants are safely kept confidential. At Surprisygift we recognize that privacy is important to you.
This Privacy and Data Protection Policy explains how Surprisygift and all its affiliates and subsidiaries collect, use and disclose your personal data, and your rights in relation to the personal data as these are held. Keeping your data secure and private is part of our philosophy for delivering high standards of services.
In this privacy policy, “us’, “we’, “our” is the data controller of your personal data and is subject to the EU General Data Protection Regulation 2016/679 (“GDPR”) and any locally applicable data protection laws.

The Surprisygift Privacy and Data Protection Policy (“Policy”) explains what categories of personal information is collected and for what purpose it is processed as well as when and why personal data may be shared within Surprisygift and with third parties. Finally, the Policy outlines your rights and options available to you when it comes to your personal data.
This Policy applies to you with regards to your interactions with our Sites and/or our communications with you about our products and services.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). Such personal data, collected by us within the context of our business relationship may include:

Surprisygift collects the minimum required personal data that would allow Surprisygift to perform the service for which the User and Participating Merchant has signed up.
User Personal Data is collected solely for marketing purposes and may be used (in accordance with any preferences you have expressed and/or instructions given) to send you marketing messages by email, post, phone and social media to keep you updated in relation to the brands you have signed up for.
Anytime you contact us about our services either by phone, email or post or when you contact us via social media, we may also collect personal data you provide us.
We may also contact you in order to manage promotions and competitions you participate in.
Personal data are collected online and/or via the participation in any one of our events and/or competitions.
We process the aforementioned personal data in compliance with the provisions of GDPR and the applicable local legislation as amended from time to time for:

As part of running our business, we have a legitimate interest to promote our Participating Merchants using marketing messages to existing Users of Surprisygift unless you have asked us not to. This includes the management and dispatch of information on exclusive promotions, latest news and events in store via email, SMS or ordinary mail.

We may rely on your freely given consent at the time you provided your personal data to us for a purpose of the process other than for the purposes set out hereinabove, then the lawfulness of such processing is based on that consent. You have the right to withdraw consent at any time. However, any processing of personal data will not be affected prior to the receipt of the withdrawal of consent by contacting us and the revocation of such consent does not affect the legality of any processing that has been performed prior to the revocation.
When we collect your personal data, we will always give you the opportunity to revoke your consent and/or instruct us to stop sending marketing messages at any time.

We do what is possible to process User and Participating Merchant requests within 48 hours of receiving them. We continuously work on improving our customer experience to allow you to opt-out easily of our communications.

The personal data collected may be transferred/communicated to third party data processing companies that carry out certain functions on our behalf. Surprisygift works with carefully selected Service Providers that help us with technology services. We assure you that we only share personal data that are absolutely necessary to enable our Service Providers to provide their services. Where the party to whom we share your personal information is a legal entity, we hereby affirm that we will take all reasonable steps and/or actions to confirm that the employees and/or representatives of such a third party will execute their duties in accordance with the highest industry standards and will comply with all provisions and requirements of the provisions of this Policy and the local laws and regulations on the protection of personal data (as amended from time to time) and GDPR and any legislation to success it or complement it.
Some of the Service Providers we work with operate online media channels, and they place relevant online advertising for our products and services on those online media channels on our behalf. For example, you may see an advert for our products and services as you use particular social media sites.
The personal data may be transferred/communicated to our partners or may be processed by third parties who work for our partners. We would like to reassure you that we have in place appropriate protection measures to make sure that your personal data remains adequately protected and is treated in line with this Policy.
Other than the disclosures referred to in this Policy, we will not disclose any personal information without your consent unless we are legally entitled or obliged to do so (for example, if required to do so by Court Order or for the purposes of prevention of fraud or other crime or as a result of any legal obligations) and/or if necessary to defend our legal rights.
Surprisygift does not, under any circumstances, sell customer data to third parties.

The Management of Surprisygift are committed to respect, protect and maintain your privacy. We have put in place a number of measures to ensure this is implemented.
Indicatively, we use computer safeguards such as firewalls and data encryption. Authorized access is only granted to the employees who need it to carry out their job responsibilities.
As part of our policies, we enforce physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of personal data.
You should be aware that the internet is an insecure environment. Whilst we take appropriate technical and organizational measures to safeguard your personal data, please note that we cannot guarantee the security of any personal data that you transfer over the internet to us. However, we will continue to update these measures, as appropriate, when new technology becomes available.

We might process personal data related to the users of our sites to facilitate the provision of our services as per our applicable terms. We process the data provided by our users to provide a personalized experience. We do not keep our user’s data. Our user’s data are stored on our servers. Once our users delete their account, their data will be erased by our servers within 7 (seven) years.

When you use Surprisygift, we temporarily store and process personal data about you to provide our services.
The above-mentioned data may include but is not limited to information and content you provide including, full name, username, password, email, date of birth, phone number, the user’s card’s details when paying for a service, country of residence, your device’s location, device information (device type e.g., android or IOS, FMT token), device permissions such as location, storage, camera (as applicable) information as to your personal preferences, demographics and psychographics. We also collect information which refer to the user’s personal preferences, demographics and psychographics. Where applicable, users may be requested to insert their card’s details in order to book a service.

The above-mentioned data may include but is not limited to information and content you provide including, full name, username, password, email, date of birth, phone number, the details of the service provider when receiving money for a service, country of residence, sector of expertise, information as to their degree/certification, registration/ license number, sufficient proof of having the right to be exercising your profession in the relevant country, official national identity card or international passport or driving license, your device’s location, device information (device type e.g., android or IOS, FMT token), device permissions (location, storage, camera).

In order to use Surprisygift, you are required to create a profile by registering. To register you have to provide your full name, username, password, email, date of birth, phone number and country. Alternatively, the users can open a Surprisygift account by logging in through their Facebook account or Google account and select the account type. When creating an account, we temporarily store these data for authentication and/or verification purposes.
When you create an account with Surprisygift, you choose to provide us with personal data about yourself. Such data which will be displayed on your Surprisygift profile. For example, in the Website, you may voluntarily provide your Personal Data, such as your profile photo, information you write on your profile bio, and any other information that you add on your profile on the Website. You should carefully consider what personal data to include in your Profile, and you can review and change that information at any time by accessing the “Edit Profile” section of the Website. It is noted that any changes on a Merchant’s profile will need to be approved by the Company before being published.

When you use the Website, you have permitted us to have the access to view your precise location (e.g. your latitude and longitude) ("Location"). You may also revoke this permission and disable the location services on your device.

Surprisygift may create a mailing list for some or all of the site using the user’s email address and use it to send promotional emails or any other type of emails relating to the Surprisygift services. We will only use this information in aggregate form in order to assess general users’ interest in various internal and third-party products and services. We will not pass your personal and contact information to any other organization apart from any affiliate entities of Surprisygift. You will receive regular emails from the Website if you choose to sign up for a mailing list. If you no longer wish to receive our newsletters, you may unsubscribe from our mailing list at any time.

We collect certain hardware and software information about you and your device such as device make, device model, carrier, data connection type, browser type, operating system, IP address, domain name, all of the foregoing collectively known as “Hardware and Software Information”.

We temporarily store personal data for the period necessary to fulfill the purposes outlined in this Policy unless a longer retention period is required by law. As long as the account is in the Website, we will temporarily store the data necessary to run and display their account. Surprisygift’s general retention policy is to retain personal data for 7 (seven) years following termination of our contractual relationship with you. In some circumstances, such as to meet our legal or regulatory obligations, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions, we may hold on to your personal information after we’ve finished providing services to you, or for longer than our general retention policy. For more information about the retention period of specific data please contact us.
Your contact information and personal data are stored securely, using a mixture of password protection, and servers/back-ups all kept with multiple lock protection.
We have put in place appropriate technical and organisational measures including physical, electronic and procedural measures to protect personal data from loss, misuse, alteration or destruction. We restrict access to information at our premises so that only officers and/or employees who need to know the information have access to it. Those individuals who have access to the data are required to maintain the confidentiality of such information. Please be aware that users should also take care with how they handle and disclose their personal data and should avoid sending personal data through insecure email.

We will not share information about the data subject with anyone without a contractual legal basis and unless the law and our policies allow us to do so.
If you book a service, you privately submit personal data such as your name, payment card information, billing information, address, telephone number, and email address to one of our third-party payment processors.
Surprisygift will not receive or process payment card information directly; however, our third-party service providers may provide certain information to us (e.g., your name, phone number, partial payment card number, and email address).
We may have or may create multiple bases around the world and therefore we may share information globally and around the world with/to our different branches and organisations that fall under the Surprisygift parent company, in accordance with this Policy. Information controlled by Surprisygift may be stored, transferred or transmitted to, and processed in other countries outside where you live for the purposes described in this Policy. These data transfers are necessary to provide the services set forth in the Surprisygift Terms and Conditions, and to globally operate and provide our Services to you. We utilize standard contractual clauses approved by the European Commission and rely on the European Commission's adequacy decisions about certain countries, as applicable, for data transfers from the EEA to the United States and other countries.

Under the General Data Protection Regulation, you as the Data subject, have the following rights: 

GDRP and the applicable local legislation as amended from time to time prohibits the transfer of personal information outside the European Economic Area (“EEA”) unless specific requirements are met for the protection of that personal information.
When sharing your personal data with third parties as set out in this Policy, it may be transferred outside the European Union. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable service agreement, and not for any other purpose. In these circumstances, your personal data will only be transferred on one of the following bases:

If service providers in a third country are used, all reasonable and practicable measures will be taken to ensure that they will comply with the data protection level in the European Union in accordance with the GDPR.
Any transfers to parties located outside the European Union will be in line with the legal and regulatory provisions of the GDPR and applicable local legislation as amended from time to time.

In establishing and carrying out a business relationship, we generally do not use automated decision-making. If we use this procedure in individual cases, we will inform you of this separately.

Though we make every effort to preserve user privacy, Surprisygift may need to disclose personal information when required by relevant law where we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on Surprisygift.
We also process your personal data for our compliance with a legal obligation which we are under. In this respect, we will use your personal data for the following:

In this respect, we will share your personal data with the following:

In the event Surprisygift goes through a business transition, such as a merger, acquisition by another person, company or other legal entity, or sale of a portion of its assets, users' personal information will, in most instances, be part of the assets transferred and you hereby consent to such transfer of information.

Our Website contains links to other sites. Please be aware that Surprisygift is not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our Website and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by Surprisygift.

We are committed to offer you with the best possible shopping experience; consequently, additional functions and features may in the future be incorporated into our Website. This may result in periodic changes to this Policy to reflect how we are processing your personal information. We do encourage you to review our Policy periodically so as to be always informed about how we are processing and protecting your personal information.
Whenever Surprisygift changes its Policy, we will post those changes here, and other places we think appropriate so you will always be aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. Surprisygift will notify you, via email or another appropriate contact method, when/if such change occurs.
This Privacy and Data Protection Policy was last updated on 27 June 2023.

Your concerns are very important to us and we endeavor to address all of your requests promptly. If, at any time, you believe that you have received an unsolicited commercial email from Surprisygift, on behalf of somebody else, you may report it to us.
Data subjects can exercise any one and all of their rights or if you have any other questions about our use of your personal data please contact us by submitting a request by email to [email protected]
For any General Data Protection Regulation (EU) 2016/679 (“GDPR”)-related inquiries, any suggestions about our privacy policy or complaints, please contact us at [email protected]

We have designated a Data Protection Officer (“DPO”), who is responsible to monitor compliance with this Policy as well as the applicable Laws and liaise with the relevant authorities.
The DPO may be contacted directly with regards to all matters concerning this policy and the processing of your personal data including the enforcement of all applicable and available rights.
Official requests may be made electronically at: [email protected]
If you have a concern about the way we collect or use your personal information, you should raise your concern with the DPO in the first instance or directly to the office of the Commissioner for the Protection of Private Data. You can be provided with the complaint forms from the Commissioner’s office at www.dataprotection.gov.cy.