Privacy Policy

1. Who we are

GiftTrax is operated by Third Eye Lab Ltd. In this Privacy Policy, “GiftTrax”, “we”, “us” or “our” means Third Eye Lab Ltd as the operator of the GiftTrax website and services.

We are responsible for deciding how your personal data is used for the purposes described in this policy.

2. Information we collect

Depending on how you use GiftTrax, we may collect the following types of personal data:

• Contact details, such as your name, email address, billing address, delivery address and telephone number where provided;
• Order and transaction details, including the products or services you order, payment status, order history, and related communications;
• Personal content you submit, such as names, stories, messages, preferences, dates, musical references, and any other details you provide for the creation of a personalised song or related product;
• Technical and usage data, such as IP address, browser type, device information, pages viewed and interactions with the website, where this is collected through analytics or server logs;
• Marketing preferences, such as whether you have opted in to receive promotional emails or updates from us;
• Customer service records, including enquiries, support messages and correspondence with us.

We do not normally need special category personal data for standard GiftTrax orders. Please do not send sensitive personal information unless it is genuinely necessary and relevant to your request.

3. How we use your information

We may use your personal data to:

• process orders, take payment, deliver services and manage customer accounts;
• create, produce and supply personalised songs, lyrics, keepsakes or related products you request from us;
• communicate with you about your order, revisions, delivery, support requests or other service-related matters;
• maintain business records, accounts and internal administration;
• improve our website, services, products and customer experience;
• send marketing communications where you have consented or where we are otherwise permitted to do so by law;
• prevent fraud, protect the security of the site, and enforce our legal rights.

4. Lawful bases for processing

Under UK GDPR, we rely on one or more of the following lawful bases depending on the context:

• Contract: where processing is necessary to take steps at your request or to perform a contract with you, such as fulfilling an order.
• Legitimate interests: where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and interests. This may include customer service, internal administration, fraud prevention, and improving our services.
• Legal obligation: where we need to comply with legal or regulatory requirements, such as accounting and tax obligations.
• Consent: where we rely on your consent, such as for certain marketing communications or non-essential cookies.

5. Sharing your information

We may share your personal data with trusted service providers where necessary for the operation of our business and website. Depending on the live site setup, these may include providers for:

• payment processing, such as Stripe;
• website hosting, content delivery, security and form handling;
• website analytics, such as Google Analytics if used;
• email communications and marketing, such as Mailchimp if used;
• professional advisers, accountants, legal advisers or insurers where necessary;
• law enforcement, regulators or courts where required by law or to protect our rights.

We do not sell your personal data.

Where third-party processors act on our behalf, they are expected to process personal data only on appropriate instructions and with suitable safeguards.

6. International transfers

Some of our service providers may process personal data outside the UK. Where this happens, we will take reasonable steps to ensure that your personal data remains protected and is handled in accordance with applicable data protection law.

This may include relying on adequacy regulations, standard contractual clauses, or other lawful transfer mechanisms where appropriate.

7. Data retention

We keep personal data only for as long as reasonably necessary for the purposes set out in this policy, including for fulfilling orders, dealing with follow-up queries, keeping business and tax records, resolving disputes, and meeting legal obligations.

In practice, retention periods may vary depending on the type of information. For example:

• order, billing and transaction records may be kept for up to [insert retention period, e.g. 6 years] to meet accounting and tax requirements;
• customer correspondence may be kept for as long as reasonably necessary to manage the customer relationship and resolve any issues;
• marketing data may be retained until you unsubscribe or ask us to stop;
• cookie-related information should be managed in line with the durations stated in the Cookie Policy or consent platform.

Do not leave this section vague in the final version. Set clear retention periods where you can, especially for order and payment records.

8. Your rights

Depending on the circumstances, you may have the right to:

• request access to the personal data we hold about you;
• ask us to correct inaccurate or incomplete personal data;
• ask us to erase your personal data in certain circumstances;
• ask us to restrict the way we use your personal data in certain circumstances;
• object to processing carried out on the basis of legitimate interests;
• withdraw consent at any time where we rely on consent;
• request a copy of certain personal data in a portable format where applicable;
• complain to the UK Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached.

If you would like to exercise any of these rights, please contact us using the details at the end of this policy.

9. Cookies

Our website may use cookies and similar technologies for essential website functions and, where permitted, for analytics, functionality and marketing. For more detailed information, including how to manage your choices, please see our Cookie Policy.

Non-essential cookies should not be set unless you have given the appropriate consent through our cookie banner or preference tool.

10. Security

We take reasonable technical and organisational measures to help protect personal data against unauthorised access, loss, misuse, alteration or disclosure. However, no system or online transmission can be guaranteed to be completely secure.

11. Children’s information

GiftTrax products may be purchased for children or may include information about children where this is provided by a parent, guardian or other adult placing an order. We expect the person submitting that information to have the authority to do so.

We do not knowingly provide a general consumer ordering service directly to children without adult involvement.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our business, services, website features, legal requirements or data practices. The latest version will always be posted on this page.

Last updated: [Insert date]

13. Contact us

If you have any questions about this Privacy Policy or the way we handle your personal data, please contact us using the details below.