Privacy Policy

Last updated: April 1, 2026

This Privacy Policy describes how HackWeb ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use the GiftPot mobile application and website (the "Service"). We are committed to protecting your privacy and ensuring transparency about our data practices.

1. Information We Collect

1.1 Information You Provide

Account Information: Email address, username, and display name when you create an Account.
Profile Information: Optional profile details you choose to provide.
Pool Information: Pool titles, descriptions, recipient names, occasion types, target amounts, deadlines, and gift suggestions.
Contribution Information: Contribution amounts and personal messages attached to contributions.
Messages: Content of messages sent through in-pool chat.
Payment Information: Payment details are collected and processed directly by Stripe. We do not store your full credit card number, CVV, or bank account details on our servers.
Identity Verification: If you sign up for Stripe Connect to receive Payouts, Stripe may collect additional identity verification information as required by applicable law.

1.2 Information Collected Automatically

Device Information: Device type, operating system, unique device identifiers, and app version.
Usage Data: Features used, screens viewed, interactions, and timestamps.
Log Data: IP address, browser type, referring pages, and access times.
Push Notification Tokens: If you enable push notifications, we collect your device's push notification token.

1.3 Information from Third Parties

Stripe: Payment confirmation, transaction status, and Stripe Connect account status.

2. How We Use Your Information

Purpose	Legal Basis (GDPR)
Provide and operate the Service	Contract performance
Process payments and Payouts	Contract performance
Send transactional notifications (contributions, Payouts, pool updates)	Contract performance
Authenticate your identity and secure your Account	Contract performance / Legitimate interest
Improve and optimize the Service	Legitimate interest
Detect and prevent fraud, abuse, and security threats	Legitimate interest
Comply with legal obligations	Legal obligation
Send promotional communications (only with your consent)	Consent

3. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

With Other Users: Your display name and contributions are visible to other Pool members. Pool Creators can see contributor details for their Pools.
With Stripe: Payment and identity information is shared with Stripe for payment processing, fraud prevention, and regulatory compliance.
With Service Providers: We may share information with trusted third-party service providers who assist us in operating the Service (e.g., hosting, analytics, push notification delivery), under strict data processing agreements.
For Legal Reasons: We may disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of HackWeb, our users, or the public.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

4. Data Retention

We retain your personal information for as long as your Account is active or as needed to provide the Service. After Account deletion, we may retain certain information for a reasonable period to comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

Account data: Retained until you delete your Account, then anonymized or deleted within 90 days.
Transaction records: Retained for up to 7 years as required by financial regulations.
Usage and log data: Retained for up to 24 months, then aggregated or deleted.

5. Data Security

We implement industry-standard security measures to protect your personal information, including:

Encryption in transit (TLS/HTTPS) and at rest.
Secure authentication via magic links (passwordless).
Regular security assessments and monitoring.
Access controls limiting employee access to personal data on a need-to-know basis.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Restriction: Request restriction of processing in certain circumstances.
Portability: Request your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests.
Withdraw Consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or as required by applicable law).

7. International Data Transfers

Your data may be processed in countries outside your country of residence, including countries that may not provide the same level of data protection. When transferring data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Cookies and Tracking

Our website may use essential cookies for functionality (e.g., session management). We do not use third-party advertising cookies. If we introduce analytics cookies in the future, we will update this policy and obtain your consent where required.

9. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will promptly delete it. If you believe a child has provided us with personal information, please contact us immediately.

10. Push Notifications

With your permission, we send push notifications about Pool activity (new contributions, messages, Payout updates). You can manage or disable push notifications through your device settings at any time.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, through in-app notifications or email. We encourage you to review this policy periodically.

13. Data Protection Officer

For questions about data protection or to exercise your rights, you may contact our Data Protection Officer at:

Email: [email protected]

14. Supervisory Authority

If you are located in the European Economic Area (EEA) and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

15. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

Email: [email protected]