Privacy Policy

GiftCue · Effective: [TBD upon V1.1 launch] · Last updated: May 11, 2026

This Privacy Policy explains how GiftCue ("we," "us," "our") collects, uses, and protects information when you use our service at giftcue.app, getgiftcue.com, giftcue.ai, giftcue.org, and any related apps. By using GiftCue you agree to this policy.

GiftCue is operated by BOSSTORQUE (Jason Johnson, sole proprietor), based in Oregon, USA.

1. The two kinds of people GiftCue serves

GiftCue exists to help one person (the Sender) give a gift to another person (the Recipient). The Sender provides information about the Recipient so we can build a personalized gift picker. This privacy policy treats both groups carefully — and treats the Recipient with extra care, because they didn't choose to share their information themselves.

2. What we collect

From the Sender (the person building a picker)

Account information: email address used for sign-in. We do not store passwords (we use magic-link or HMAC-cookie sign-in).
Payment information: if you pay for a picker or subscription, your payment method is collected and processed by Stripe — we never see or store your full card number. We retain a token + last 4 digits.
Form input: when you build a picker, the information you provide about the Recipient (their name, approximate location, age band, likes, dislikes, occasion, budget, gift type preference, free-text notes).
Usage data: standard server logs (IP address, user agent, timestamps) retained for 30 days for abuse detection.

From the Recipient (the person opening the gift link)

Their pick: which option they selected from the 8 generated for them.
Page interaction: when they opened the link, how long they spent, whether they used the help chat.
Optional help-chat content: if they ask Cue (our help assistant) a question, the question and our response are stored for that session only.
What we do NOT collect from the Recipient: we do not ask the Recipient to sign in, give us their email, or share their phone number. We never know who they actually are beyond what the Sender told us.

3. How we use what we collect

Generate the picker: Recipient profile data is sent to our AI provider (Anthropic) to generate 8 personalized gift options.
Render images: Each option's hero photo is generated by Cloudflare Workers AI based on a text description we generate.
Deliver the experience: store the session so the Recipient can come back to their link, and so the Sender can see the pick.
Send notifications: if you opt in, we email the Sender when the Recipient picks. We never send unsolicited emails or texts.
Improve the service: we may use aggregated, anonymized usage data to improve the product (e.g. "what percentage of recipients pick experiences vs. products").
Comply with law: respond to valid legal process.

We do not sell your data. We do not run third-party ad networks or analytics that fingerprint users. We do not share Recipient information with anyone other than the Sender who created their picker.

4. How long we keep things

Gift sessions: 30 days from creation, then deleted automatically.
Account email: until you ask us to delete it.
Payment records: 7 years (required for tax/accounting).
Server logs: 30 days.
Help-chat transcripts: session duration only, then deleted.

5. Cookies

We use one cookie: giftcue_auth, an HMAC-signed timestamp used to keep you signed in. It's httpOnly, Secure, SameSite=Lax, and expires after 14 days. We don't use tracking cookies, third-party cookies, analytics cookies, or advertising cookies.

6. Third parties we use

Provider	What they do	What they receive
Cloudflare	Hosting, CDN, storage, AI image generation	All service data (encrypted in transit + at rest)
Anthropic	AI option generation, help-chat	Recipient profile info, help questions
Stripe	Payment processing	Payment method, billing info
Resend	Email delivery (notifications, magic links)	Recipient email + email body
Twilio	SMS delivery (when V1.1 ships, opt-in only)	Phone number + SMS body
Yelp Fusion	Real local business data for option curation	Recipient city + category preferences (no PII)
Tremendous	Digital gift card delivery	Recipient email (only if Sender chooses to fulfill via gift card)

7. Your rights

Regardless of where you live, you can:

Request a copy of the personal information we hold about you.
Request correction or deletion of your personal information.
Withdraw consent for any optional processing.
Opt out of email or SMS communications at any time.

To exercise any right, email privacy@giftcue.app. We respond within 30 days.

California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, request deletion, and opt out of "sale" or "sharing" of personal information. We don't sell personal information. We don't share it with third parties for cross-context behavioral advertising.

EU / UK residents (GDPR)

If you're in the EU or UK, our legal basis for processing is: (a) contract for service delivery (generating your picker), (b) legitimate interests for fraud prevention and product improvement, and (c) consent for optional features (marketing email, etc.).

Note: GiftCue is currently a US service. EU/UK users access at their own discretion. We do not actively target EU/UK markets in V1.1.

8. Recipient privacy specifically

If you are a Recipient who received a GiftCue link, your information was provided to us by the Sender who built your picker. We don't have your phone number, email, or any contact information beyond what the Sender wrote in the form (typically your first name and city).

If you want us to delete the entire session: email privacy@giftcue.app with the picker URL. We'll honor it within 7 days, which means the Sender will no longer see your pick.

9. Children

GiftCue is not intended for children under 13. We do not knowingly collect information about anyone under 13. If you believe we have, email us and we'll delete it.

10. Security

All traffic uses HTTPS / TLS. Authentication is HMAC-signed and httpOnly. Database access is encrypted at rest. We follow standard infrastructure security practices and use Cloudflare's enterprise-grade security platform. No system is 100% secure; we encourage you to use a strong, unique password and contact us immediately if you suspect an issue.

11. Changes to this policy

If we make material changes, we'll post the updated policy here and update the "Last updated" date. For users with an account, we'll also email you. Continued use after changes means you accept them.

12. Contact

For any privacy questions: privacy@giftcue.app

BOSSTORQUE / GiftCue
Operated from Oregon, USA

DRAFT v0.1 — drafted by Hugo Mercer, CEO. Not legal advice; not yet reviewed by counsel. Review and ratify before public launch.