Privacy Policy

We collect only what’s necessary to deliver GiftGuard Authorise and to provide an auditable Gifts & Hospitality compliance flow. This notice explains what we collect, how we use it, and your rights.

Who we are

• Service: GiftGuard Authorise (the “Service”)
• Data controller: GiftGuard Technologies Ltd trading as GiftGuard Authorise
• Contact: [email protected]
• Jurisdiction: England & Wales (UK GDPR / Data Protection Act 2018)

What data we process

We keep the footprint intentionally small (“data minimalism”). Depending on your organisation’s configuration, we may process:

• Submission data: employee/submitter email, department, recipient/host name, organisation, offer type, monetary value, offer date, attendees count, public-official status, and the free-text context/description provided by the user.
• Decision data: policy version, decision (ALLOW/ESCALATE), rationale/explanation, threshold checks, and immutable audit identifiers.
• Technical & audit meta: submission timestamp, immutable ID, request identifiers, tenant identifier, basic error/diagnostic logs for reliability and abuse prevention.

Why we process it (lawful bases)

• Contract — to provide the Service to your organisation (e.g. process submissions, render decisions, retain audit trails).
• Legitimate interests — to maintain security, prevent abuse, operate analytics essential to reliability, and improve the Service.
• Legal obligation — where required to comply with applicable law or respond to lawful requests.

How long we keep it (retention)

Retention is configurable per client policy. By default we retain submission and audit data in the tenant’s namespace for the duration of the subscription plus a short administrative buffer (typically up to 90 days) unless you instruct deletion sooner.

Where it’s stored

We run on Cloudflare infrastructure. Submission records are stored in Cloudflare KV under a tenant-specific key (or namespace). This uses edge replication for performance and resilience. We do not sell or monetise your data.

Sharing & subprocessors

We share data only with service providers essential to operate the Service (e.g. Cloudflare for edge compute/storage). These providers act as data processors under contract and are limited to the minimum necessary processing. We do not share personal data with third parties for marketing.

International transfers

Cloudflare may replicate data internationally to provide edge performance and availability. Transfers are covered by standard contractual clauses and Cloudflare’s security certifications and commitments.

Security

• Tenant isolation via key prefixes or per-tenant namespaces
• Immutable identifiers for auditability
• Access controls via Cloudflare Access (SSO, policies)
• Encrypted in transit (HTTPS). Data at rest as provided by Cloudflare KV

Your rights (UK GDPR)

You can exercise the following rights by contacting us. Where we act as processor for your employer, please contact your employer’s admin first.

• Access, rectification, erasure
• Restriction or objection to processing
• Data portability (where applicable)
• Complaint to the UK ICO: ico.org.uk

Cookies & tracking

We don’t use advertising cookies or third-party tracking pixels. Operational cookies may be used strictly for authentication/security.

Children

The Service is for business use only and not directed to children.

Changes

We may update this notice if our processing changes. We’ll post the new version here and update the date below.

Version: 1.1 • Updated: 13 Nov 2025 • Contact: [email protected]