GDPR Compliance

Your rights under the General Data Protection Regulation and how we protect them.

Last updated: January 15, 2025

1. Introduction

Hudson Solutions AB, operating Gifterly, is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA) and United Kingdom. This page explains your rights under the General Data Protection Regulation (GDPR) and how we comply with these regulations.

As a Swedish company, we are subject to GDPR and the Swedish Data Protection Act (Dataskyddsförordningen). We take our data protection obligations seriously and are committed to transparency about how we handle your personal data.

For detailed information about how we collect, use, and protect your data, please see our Privacy Policy.

2. Who We Are

Data Controller: Hudson Solutions AB is the data controller responsible for your personal data.

Hudson Solutions AB
Organization Number: 559505-8842
Kungsgatan 66Y
75341 Uppsala, Sweden
Email: privacy@gifterly.se

3. Legal Basis for Processing

Under GDPR, we must have a legal basis for processing your personal data. We process your data under the following legal bases:

3.1 Contractual Necessity (Article 6(1)(b) GDPR)

We process your personal data when it is necessary to provide our Service and fulfill our contract with you. This includes:

  • Creating and managing your account
  • Storing and organizing your people, events, and wishlists
  • Sending you push notifications about upcoming events
  • Providing customer support

3.2 Consent (Article 6(1)(a) GDPR)

We process your personal data based on your explicit consent for:

  • Marketing communications
  • Non-essential cookies (analytics and advertising)
  • Push notifications (you can manage this in your account settings)

You can withdraw your consent at any time by adjusting your account settings or contacting us. Withdrawing consent will not affect the lawfulness of processing before you withdrew consent.

3.3 Legitimate Interests (Article 6(1)(f) GDPR)

We process your personal data based on our legitimate interests for:

  • Improving our Service and user experience
  • Analyzing usage patterns (using aggregated, anonymized data)
  • Preventing fraud and ensuring security
  • Marketing our Service to potential users (with appropriate safeguards)

We balance our legitimate interests against your privacy rights and will not process your data if your interests override ours.

3.4 Legal Obligations (Article 6(1)(c) GDPR)

We process your personal data to comply with legal obligations, such as:

  • Responding to legal requests and court orders
  • Complying with tax and accounting requirements
  • Retaining data as required by law

4. Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

4.1 Right of Access (Article 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data and, if so, access to that data. This includes:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom your data has been or will be disclosed
  • The retention period or criteria used to determine it
  • Your rights to rectification, erasure, restriction, or objection

You can access most of your data directly through your account settings. For a complete copy, please contact us.

4.2 Right to Rectification (Article 16 GDPR)

You have the right to have inaccurate or incomplete personal data corrected. You can update most information directly through your account settings, or contact us to request corrections.

4.3 Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data in the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

You can delete your account at any time through your account settings, which will trigger the deletion of your personal data (subject to legal retention requirements).

4.4 Right to Restrict Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when:

  • You contest the accuracy of the data
  • The processing is unlawful, but you prefer restriction to erasure
  • We no longer need the data, but you need it for legal claims
  • You have objected to processing, pending verification of overriding legitimate grounds

4.5 Right to Data Portability (Article 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. This applies to:

  • Data you provided to us
  • Data processed based on consent or contract
  • Data processed by automated means

We can provide your data in JSON format. Please contact us to request your data export.

4.6 Right to Object (Article 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests.

You can object to marketing communications at any time by unsubscribing or adjusting your account settings.

4.7 Right to Withdraw Consent (Article 7(3) GDPR)

Where we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before you withdrew consent.

You can withdraw consent for cookies through your browser settings or our cookie consent banner. You can withdraw consent for marketing communications through your account settings or by contacting us.

4.8 Rights Related to Automated Decision-Making (Article 22 GDPR)

Currently, we do not use automated decision-making, including profiling, that produces legal effects or significantly affects you. If we introduce such features in the future, we will inform you and provide appropriate safeguards.

5. How to Exercise Your Rights

You can exercise any of your GDPR rights in the following ways:

  • Through your account: Access, update, or delete most of your data directly through your account settings
  • By email: Contact us at privacy@gifterly.se with your request
  • By mail: Send a written request to our address listed above

5.1 What to Include in Your Request

To help us process your request efficiently, please include:

  • Your name and the email address associated with your account
  • A clear description of the right you wish to exercise
  • Any specific information or data you are requesting
  • Proof of identity (to ensure we only disclose data to the rightful owner)

5.2 Response Time

We will respond to your request within one month (30 days) of receipt. If your request is complex or we receive multiple requests, we may extend this period by up to two additional months, and we will inform you of the extension and the reasons for it.

5.3 Fees

We will not charge a fee for exercising your rights, except in cases where requests are manifestly unfounded or excessive, particularly if they are repetitive. In such cases, we may charge a reasonable fee or refuse to act on the request.

6. Data Transfers Outside the EEA

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers operate:

  • Supabase: Provides authentication and database services. Data is stored in the EU/US depending on your region.
  • PostHog: Provides analytics services. Data may be processed in the US.
  • TikTok and Meta: Provide advertising services. Data may be processed in the US and other countries.

6.1 Safeguards for Data Transfers

We ensure that such transfers are made in accordance with GDPR requirements, including:

  • Standard Contractual Clauses (SCCs): Approved by the European Commission to ensure adequate protection of personal data
  • Adequacy Decisions: Where the European Commission has determined that a country provides adequate protection
  • Other Appropriate Safeguards: As required by GDPR Article 46

Our service providers are contractually obligated to protect your data and comply with applicable data protection laws.

7. Data Retention

We retain your personal data only for as long as necessary to provide our Service and fulfill the purposes outlined in our Privacy Policy, unless a longer retention period is required by law.

7.1 Retention Periods

  • Account data: Retained while your account is active and for a reasonable period after account deletion (typically 30 days) to comply with legal obligations and prevent fraud
  • Usage data: Retained for analytics purposes, typically in aggregated and anonymized form
  • Marketing data: Retained until you withdraw consent or opt out
  • Legal obligations: Some data may be retained longer if required by law (e.g., tax records)

7.2 Deletion

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal purposes. Deleted data cannot be recovered.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Secure authentication through Supabase Auth
  • Regular security assessments and updates
  • Access controls and authentication requirements
  • Secure data storage on Supabase's infrastructure
  • Employee training on data protection

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

9. Data Protection Officer

While we are not currently required to appoint a Data Protection Officer (DPO) under GDPR, we have designated a data protection contact person to handle your privacy inquiries and requests.

You can contact our data protection team at privacy@gifterly.se for any questions about data protection or to exercise your rights.

10. Your Right to Lodge a Complaint

If you believe that we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. However, we encourage you to contact us first at privacy@gifterly.se so we can address your concerns.

10.1 Swedish Supervisory Authority

As we are a Swedish company, you can lodge a complaint with:

Integritetsskyddsmyndigheten (IMY)
Swedish Authority for Privacy Protection
Box 8114
104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se

10.2 Other Supervisory Authorities

If you are located in another EEA country, you can also lodge a complaint with your local supervisory authority. A list of all EEA supervisory authorities can be found on the European Data Protection Board website.

11. Updates to This GDPR Information

We may update this GDPR information page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated information on this page with a new "Last updated" date.

We encourage you to review this page periodically to stay informed about your GDPR rights and how we protect them.

12. Contact Us

If you have any questions about GDPR compliance or your data protection rights, please contact us:

Hudson Solutions AB
Organization Number: 559505-8842
Kungsgatan 66Y
75341 Uppsala, Sweden
Email: privacy@gifterly.se
Website: gifterly.se