1. Who is responsible for your data
GiftCasher is the data controller for the personal data described here. Our address is 78 Grange Rd, Bedford, MK44 3NS, United Kingdom. For anything to do with your data, or to exercise any of the rights in section 8, write to support@giftcasher.uk.
This policy is written to the UK GDPR and the Data Protection Act 2018. If you are in the EU or the EEA, the EU GDPR gives you equivalent rights and we apply this policy to you in the same way.
2. What we collect
2.1 Data you give us
- Account: your name, email address, and a password (which we never see in readable form).
- Gift cards: card type, face value, currency, the card code, and any photo of the card you choose to upload.
- Payout details: your PayPal email address or cryptocurrency wallet address.
- Correspondence: anything you send us through the contact form or by email.
2.2 Data we generate or collect automatically
- Transactions: your orders, balances, payouts and withdrawal history.
- Technical data: your IP address and basic request information, recorded in server logs by our hosting provider.
We do not run advertising or analytics trackers, and we do not build a profile of your browsing. See our Cookie Policy for what is stored in your browser and why.
3. Why we use it, and our lawful basis
Under the UK GDPR we must have a lawful basis for each use. Ours are:
- To perform our contract with you — creating your account, verifying cards, calculating payouts, holding your balance, and paying you out.
- Our legitimate interests — preventing fraud and money laundering, keeping the platform secure, and defending legal claims. We have weighed these against your rights and consider them proportionate, in particular because gift card fraud directly harms other customers.
- Our legal obligations — keeping records we are required by law to keep, and responding to lawful requests from the authorities.
- Your consent — only if we ever send you marketing. We do not do so today, and if we start, you will be asked first and can withdraw consent at any time.
4. Who we share it with
We do not sell your personal data, and we do not share it for anyone else's marketing. We share it only with:
- Supabase — our database and authentication provider, which stores your account, orders and card photos on our behalf.
- Vercel — our hosting provider, which processes requests to the site.
- PayPal, and the public cryptocurrency networks — when we pay you. Note that a transaction sent to a public blockchain is, by design, permanent and visible to anyone.
- Law enforcement, regulators or our advisers — where we are legally required to, or where it is necessary to investigate fraud or defend a legal claim.
5. Sending data outside the UK
Our providers may process your data outside the United Kingdom. Where that happens we rely on the UK Government's adequacy regulations, or on the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, so that your data keeps an equivalent level of protection. You can ask us for details of the safeguards that apply.
6. How long we keep it
We keep your account data for as long as your account is open. After you close it, we delete or anonymise what we no longer need.
We keep records of transactions and of the identity checks behind them for five years after our relationship with you ends, because anti-money-laundering law requires it. During that period the data is retained for that purpose alone and is not used to market to you.
Card photos are deleted once the card they relate to has been verified and settled, unless they form part of a fraud investigation.
7. How we protect it
- All traffic to the site is encrypted in transit with TLS.
- Passwords are hashed by our authentication provider. We never store or see them.
- Card photos go into private storage, not a public bucket. They are readable only through short-lived links issued to our verification team.
- Database row-level security means your account can only ever read your own rows, enforced by the database itself rather than by application code.
- Access to production data is limited to staff who need it.
No system is perfectly secure. If a breach occurs that is likely to put your rights at risk, we will tell you, and we will report it to the ICO within 72 hours where the law requires.
8. Your rights
Under the UK GDPR you have the right to:
- be told how your data is used — that is what this policy is for;
- get a copy of the data we hold about you;
- have it corrected if it is wrong or incomplete;
- have it erased, where we no longer have a reason to keep it;
- restrict or object to our use of it, including where we rely on legitimate interests;
- receive it in a portable format, or have it sent to another provider;
- withdraw consent at any time, where we rely on consent.
Write to support@giftcasher.uk and we will respond within one month. There is no charge.
Some rights have limits. We may not be able to erase records we are legally required to keep, and we may need to keep enough data to stop a closed account being reopened to commit fraud. If we refuse a request, we will tell you why.
9. Complaining
If you are unhappy with how we have handled your data, please tell us first so we can put it right. You also have the right to complain to the Information Commissioner's Office, the UK's data protection regulator, at ico.org.uk or on 0303 123 1113. You do not need our permission, and complaining to us first does not take away that right.
10. Children
GiftCasher is for adults. You must be 18 or over to hold an account, and we do not knowingly collect data from anyone younger. If we find that an account belongs to a child, we will close it and delete the data.
11. Changes to this policy
If we change this policy in a way that materially affects you, we will tell you by email before the change takes effect. The date at the top always shows when it was last revised.
12. Contact
GiftCasher
78 Grange Rd, Bedford, MK44 3NS, United Kingdom
support@giftcasher.uk






