Privacy Notice

HandyGifts is an online platform to buy, send, redeem, and manage digital gift cards, smart cards, and promotional deals, plus related features like loyalty, rewards, and communications. For the purposes of the Jamaica Data Protection Act, 2020 (the “JDPA”), HandyGifts is the Data Controller for the personal information we collect and process. Payments are processed by HandyPay.

We collect what is reasonably necessary to provide and improve our Services, meet legal obligations, and protect our users:

• Personal information — name, location, and date of birth.
• Contact information — email addresses, mobile numbers, postal addresses, IP addresses, device identifiers, device details, and browser types.
• Financial information — bank or card details used in transactions, processed through secure payment gateways.
• Usage information — behavioural and statistical data such as page views, clicks, feature usage, and transaction patterns.
• Geo-location — location data used to send service messages and offers based on your proximity to a participating merchant.
• Cookies & similar technologies — used to remember preferences, improve performance, and understand usage (see our Cookie Policy).

We collect personal data when you register an account, buy or redeem a card, link a payment method, subscribe to updates, join surveys or referral programs, contact support, or browse our site and apps (including via cookies and analytics). If you are a gift card recipient, some information may be provided to us by the purchaser.

We may hold data about account holders, purchasers and recipients, corporate clients and their representatives, merchants and their staff, and website and app visitors.

• confirming your identity and managing your account;
• enabling our Services and processing payments and transactions;
• issuing, redeeming, and managing gift cards and smart cards;
• providing customer service and responding to enquiries or complaints;
• improving our products, monitoring usage, and performing analytics;
• preventing, detecting, and investigating fraud and security risks;
• sending important notices about our Services, terms, or policies; and
• communicating about research, offers, or promotions (subject to your marketing preferences).

We process personal data only where we have a lawful basis under the JDPA:

• Consent — where you have given clear consent for a specific purpose (e.g. some marketing).
• Contractual necessity — to enter into or perform a contract with you (e.g. issuing a card, processing payment).
• Legal obligation — to comply with laws (e.g. anti-money laundering, tax, accounting).
• Legitimate interests — e.g. fraud prevention, service improvement, and security, where these do not override your rights.

Where consent is required, we will seek your clear, informed consent, and you may withdraw it at any time (see Section 9).

We keep personal data only as long as necessary to provide our Services, meet legal and tax obligations, resolve disputes, and prevent fraud. In general we retain data for at least two (2) years from the relevant transaction or the end of the relationship, unless a longer period is required by law. By data type:

• Account information — 2 years after account closure or inactivity.
• Order / transaction records — 7 years after each transaction (tax, accounting, AML).
• Payment data — full card details are not stored by us; limited metadata may be anonymised after 7 years (PCI-DSS).
• Marketing data — 2 years after your last interaction; we stop using it for marketing if you opt out.
• Support tickets — 2 years after resolution.

We do not sell your personal data. We share limited data only where necessary, with: service providers and data processors (e.g. cloud hosting, payment gateways, analytics, email/SMS delivery, support); regulators or law enforcement where required by law; merchants and programme partners to redeem cards or deliver offers you choose; and marketing partners only where you have opted in. Our subprocessors are contractually required to use data only to perform services for us. We follow a privacy-by-design approach, limiting sharing to what is necessary and applying safeguards such as encryption, access controls, and audit logs.

Some providers operate outside Jamaica, including in the United States and the European Union, so your data may be processed in countries with different standards. Where this happens, we limit transfers to what is necessary, expect providers to apply appropriate safeguards and comply with the JDPA where applicable, and require that data is not used beyond providing the contracted services.

We protect your data with layered technical and organisational measures: encryption in transit and at rest where appropriate, access controls and role-based permissions, multi-factor authentication for sensitive systems, regular audits and monitoring, staff training, and incident-response procedures. No system is perfectly secure, so please also keep your device, passwords, and one-time codes safe.

As a data subject, you have the right to: be informed about the data we hold and why; access your data and, where feasible, receive it in a portable format; have inaccurate or incomplete data corrected; object to or restrict certain processing; not be subject to solely automated decisions with significant effects; withdraw consent where we rely on it; and request deletion of your data or account, subject to legal and operational exceptions.

Deleting your account is permanent and cannot be undone, so save or print any gift cards first. Some data may be retained after a deletion request to record that the request was actioned and to meet legal obligations (see Section 6).

If you suspect your data has been misused, lost, or accessed without authorisation, contact us as soon as possible. Where a qualifying breach occurs, we will notify the Information Commissioner within 72 hours of becoming aware, and notify you without undue delay where there is a likely high risk to your rights.

We do not knowingly collect personal information from children under 13, and will delete such data promptly if we learn we have it. We use cookies and analytics to personalise and improve your experience; manage your preferences via your browser or our Cookie Policy.

We may update this notice to reflect changes to our Services or the law. When we make material changes we will update the date above and, where appropriate, give additional notice. To ask a question or exercise your rights, contact us at support@handygifts.com.