GiftOS

Privacy Policy

Last Updated: February 17, 2026

This Privacy Policy describes how GiftOS ("we", "us", or "our"), a company registered in France, collects, uses, stores, and protects your personal data when you use our platform (the "Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR).

1. Data Controller

GiftOS is the data controller responsible for your personal data. For privacy-related inquiries, you may contact us at:

GiftOS
Email: [your contact email]
Address: [your registered business address in France]

2. Information We Collect

2.1 Information You Provide Directly
Account Information: Name, email address, password (encrypted), username
Payment Information: Payment card details (processed and stored securely by Stripe; we only store limited tokenized references and transaction metadata)
Profile Information: Optional profile details, GitHub username, project information
Communication Data: Messages, support requests, feedback you send to us

2.2 Information Collected Automatically
Usage Data: Pages visited, features used, time spent on the Service, interaction patterns
Device Information: IP address, browser type and version, operating system, device identifiers
Technical Data: Log files, error reports, performance metrics
Cookies and Tracking: Session cookies, authentication tokens, analytics cookies (see Section 8)

2.3 Information from Third-Party Sources
Package Registries: Public package metadata from npm, PyPI, or other registries
GitHub: Public repository information, maintainer details (if you connect your GitHub account)
Payment Processor: Transaction status and verification data from Stripe

3. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

Contractual Necessity: To provide the Service and fulfill our obligations under the Terms of Service (account management, payment processing, donation distribution)
Legitimate Interest: To improve the Service, prevent fraud, ensure security, and monitor server-side errors (balanced against your privacy rights)
Legal Obligation: To comply with tax laws, accounting requirements, and legal processes (7-year retention of financial records under French law)
Consent: For client-side analytics (error reporting and performance monitoring via Sentry), marketing communications, and optional data processing (you may withdraw consent at any time)

4. How We Use Your Information

We use your personal data for the following purposes:

4.1 Service Delivery
• Create and manage your account
• Process donations and financial transactions
• Calculate and execute donation distributions
• Provide customer support and respond to inquiries
• Send transactional emails (account notifications, receipts, distribution confirmations)

4.2 Service Improvement and Analytics
• Analyze usage patterns to improve features and user experience
• Debug errors and optimize performance
• Conduct research and development for new features
• Generate aggregated, anonymized statistics

4.3 Security and Fraud Prevention
• Detect and prevent fraudulent transactions
• Protect against security threats and unauthorized access
• Enforce our Terms of Service and policies
• Verify user identity and payment authenticity

4.4 Legal and Compliance
• Comply with legal obligations (tax reporting, financial audits)
• Respond to lawful requests from authorities
• Establish, exercise, or defend legal claims
• Maintain accounting records as required by French law

4.5 Marketing (With Your Consent)
• Send promotional emails about new features or updates (opt-out available)
• Conduct surveys or request feedback
• Provide personalized recommendations

5. Data Sharing and Disclosure

We do not sell your personal data. We share your information only in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist in operating the Service:

Stripe: Payment processing (subject to Stripe's privacy policy)
Supabase/PostgreSQL: Database hosting and management
Vercel: Website hosting and content delivery
Sentry: Error tracking and performance monitoring (only with your analytics consent)
Email Service Providers: Transactional and marketing email delivery

These providers are contractually bound to protect your data and use it only for specified purposes.

5.2 Open-Source Maintainers

When you make a donation, we share limited information with designated maintainers:

• Donation amount allocated to them
• Your username or display name (if you choose not to donate anonymously)
• Transaction date

We do not share your payment details, email address, or full personal information with maintainers.

5.3 Legal Requirements

We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service or investigate violations
• Protect the rights, property, or safety of GiftOS, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such change and your options regarding your data.

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

6.1 Active Accounts

We retain your account data for as long as your account remains active or as needed to provide the Service.

6.2 Transaction and Financial Records

7-Year Retention: Under French tax and accounting laws, we are required to retain transaction records, invoices, payment data, and related financial information for a minimum of 7 years from the end of the fiscal year in which the transaction occurred.

6.3 Deleted Accounts

When you delete your account:

• Your personal profile data (name, email, preferences) is deleted or anonymized within 30 days
• Transaction records are retained for 7 years as required by law, but anonymized where possible
• Public contributions (e.g., comments on public projects) may remain but will be dissociated from your identity
• Backup copies may persist for up to 90 days before permanent deletion

6.4 Legal Holds

If your data is subject to legal holds, litigation, investigations, or regulatory requirements, we may retain it beyond standard retention periods until the matter is resolved.

7. Your Rights Under GDPR

As an EU/EEA data subject, you have the following rights regarding your personal data:

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.

7.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most information directly in your account settings.

7.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing was based on consent)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed

Note: We may retain data if required by law (e.g., 7-year financial record retention) or to establish, exercise, or defend legal claims. In such cases, we will restrict processing to only what is necessary.

7.4 Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

7.5 Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format and transmit it to another data controller where technically feasible.

7.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds that override your interests.

7.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in your EU member state of residence, workplace, or where an alleged infringement occurred. In France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr

7.9 Exercising Your Rights

To exercise any of these rights, please contact us at [your contact email]. We will respond to your request within one month, or inform you if we need additional time (up to three months for complex requests).

8. Cookies and Tracking Technologies

8.1 What Are Cookies

Cookies are small text files stored on your device when you visit our Service. We use cookies and similar tracking technologies to enhance your experience, analyze usage, and provide security.

8.2 Types of Cookies We Use
Essential Cookies: Required for the Service to function (authentication, session management, security). These cannot be disabled.
Functional Cookies: Remember your preferences and settings to enhance usability (only with your consent).
Analytics: Error tracking and performance monitoring via Sentry (only with your explicit consent). No data is sent to Sentry until you accept analytics in our cookie consent banner.

8.3 Managing Cookies

When you first visit GiftOS, a cookie consent banner allows you to accept or reject non-essential cookies and analytics. You can change your preferences at any time in your account settings. You can also control cookies through your browser settings. However, disabling essential cookies may impair functionality. Most browsers allow you to:

• View and delete cookies
• Block third-party cookies
• Block all cookies (not recommended)
• Delete all cookies when closing the browser

8.4 Third-Party Analytics

We use Sentry for error tracking and performance monitoring. Sentry collects error reports and performance data only when you have granted analytics consent. No personally identifiable information (PII) is sent to Sentry. For more information, see Sentry's Privacy Policy.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

Encryption: Data transmitted over the internet is encrypted using TLS/SSL. Passwords are hashed using bcrypt with strong salt rounds.
Access Controls: Strict access controls limit who can access personal data internally. Employees access data only on a need-to-know basis.
Secure Infrastructure: Our servers and databases are hosted with reputable providers (Supabase, Vercel) with industry-standard security certifications.
Regular Audits: We conduct regular security reviews and vulnerability assessments.
Payment Security: Payment data is processed by Stripe, a PCI DSS Level 1 certified provider. We do not store full payment card details.
Incident Response: We have procedures to detect, respond to, and notify users of data breaches as required by law.

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

10.1 Transfers Outside the EU/EEA: Our Service may involve transferring your personal data to countries outside the European Economic Area (EEA), including the United States (where some service providers like Stripe and Vercel are based).

10.2 Safeguards: When we transfer data outside the EU/EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Service providers certified under recognized frameworks (e.g., EU-U.S. Data Privacy Framework)
• Adequacy decisions by the European Commission for certain countries

For more information about the safeguards we use for international data transfers, please contact us.

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information promptly.

If you believe we have collected information from a child, please contact us immediately.

12. Third-Party Links

The Service may contain links to third-party websites, services, or resources (e.g., GitHub, npm, maintainer profiles). We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. Changes to This Privacy Policy

13.1 Updates: We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. Material changes will be communicated via email or prominent notice on the Service at least 30 days before the effective date.

13.2 Effective Date: The "Last Updated" date at the top of this policy indicates when it was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

13.3 Notification: For significant changes that affect your rights, we will seek your explicit consent where required by law.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

GiftOS - Data Protection Officer
Email: [your contact email / DPO email]
Address: [your registered business address in France]

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

15. Consent and Acknowledgment

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein, to the extent permitted by applicable law.

For processing activities that require explicit consent (e.g., marketing communications, non-essential cookies), we will obtain your separate, affirmative consent through opt-in mechanisms.

© 2026 GiftOS. All rights reserved.