Privacy Policy
Last updated: July 4, 2026
1. Information We Collect
Account Information: Name, email address, and a bcrypt-hashed password when you register. Optional display name and 2FA secret if you enable two-factor authentication. Gift Card Data: Card numbers and PINs you submit for exchange. This data is encrypted with AES-256-CBC and stored only for as long as needed to complete the exchange and keep an audit trail for dispute investigations. Transaction Data: Swap requests, match history, dispute reports, completed exchange records, and your reputation score. Device & Network Data (Fraud Prevention): IP address and a device fingerprint (a non-tracking hash derived from browser characteristics) are stored on registration and updated on login. We use this exclusively to prevent duplicate accounts, Sybil attacks, and matching fraud. We do not share this data with advertisers or any third party. Usage Data: Pages visited, timestamps of key actions, and basic technical information (user-agent, browser type) for security monitoring. Referral & Attribution Data: Who referred you (if applicable) and who you’ve referred, along with the status of each referral. If you arrived via a partner or advertising link, we also record the campaign parameters and partner click identifier from that link.
2. How We Use Your Information
- To facilitate gift card exchanges between users. - To verify gift card balances manually before and during matching. - To run automated fraud-detection signals (device/IP matching, card-code deduplication, pattern analysis). - To investigate dispute reports — admins may access both sides’ full account history and card contents during active investigations. - To manage your account and enforce Platform rules (bans, limits, flags). - To send transactional emails about swap status, matches, dispute outcomes, and security alerts. - To improve the Platform and matching algorithms.
3. Data Security
We take data security seriously: - All gift card numbers and PINs are encrypted using AES-256-CBC at rest. - Card data is only decrypted for authorized verification, delivery to matched users, and dispute investigation. - Card codes are never sent via email — you must log in to view them. - Passwords are hashed using bcrypt (12 rounds). - Authentication uses secure HTTP-only cookies with short-lived JWT tokens. - Login attempts and registration are rate-limited to prevent brute-force attacks. - Admin accounts may enable TOTP-based two-factor authentication.
4. Data Sharing
We do not sell or rent your personal information to data brokers. We never share gift card codes, PINs, or account credentials with any third party. Limited sharing occurs only: - When required by law, court order, or other valid legal process. - To protect the rights, safety, or property of our users, third parties, or the Platform. - With email delivery service providers (for transactional emails only — no content beyond what is strictly necessary). - With Google (Gemini AI) for customer support tickets you submit — only the ticket text is shared, never card data or personal identifiers beyond your display name. - With Google Analytics and Google Ads: pseudonymous usage and conversion data (e.g. that a signup or transaction happened, its value, and a browser identifier) — only if you consent to analytics/advertising cookies. We never send Google your name, email, card data, or transaction counterparties. - With affiliate/partner networks: if you arrive via a partner’s link, we may report back that the visit led to a signup or qualifying transaction (a click identifier, an internal order number, and the commissionable amount) so the partner can be paid. No name, email, or card data is ever included.
5. Card Data Handling
When a swap completes, your card data is delivered to the matched user through their authenticated dashboard (masked by default, revealable with a click). Card codes are never sent via email, SMS, or any off-platform channel. After swap completion, card data remains encrypted in our database as part of the transaction record — needed for dispute investigations within the dispute window and for compliance with recordkeeping obligations.
6. Dispute Data
If a swap is disputed, the dispute reason, admin notes, and outcome are associated with both users’ accounts. This information is kept as part of account history and may be used to inform future fraud decisions, even after the specific dispute is closed. Banned users’ device fingerprints and IPs are retained to prevent re-registration.
7. Email Communications
We send transactional emails for: - Card verification status (approved/rejected). - Match notifications and swap completion. - Giveaway winnings. - Referral milestone rewards. - Dispute updates. - Account security alerts. We do not send marketing emails. All communications are related to your account activity. You can opt out of non-essential emails in your account settings; critical security alerts cannot be disabled.
8. Cookies & Similar Technologies
Essential (always on): an authentication cookie (HTTP-only, Secure, SameSite=Lax) that maintains your login session, and a consent-preference entry that remembers your cookie choice. Attribution (first-party): if you arrive through a referral or partner link, we store a first-party cookie for up to 30 days containing the referral code or partner click identifier, so the referrer/partner can be credited if you sign up. This cookie identifies the link you clicked, not you personally. Analytics & advertising (consent-based): we use Google Analytics 4 to understand how the Platform is used, and Google Ads conversion measurement to know when our advertising works. These set third-party cookies only if you click “Accept all” in the cookie banner; if you decline, they operate in cookieless mode with no persistent identifiers. You can change your mind at any time by clearing site data in your browser — the banner will re-appear.
9. Data Retention
- Active account data: retained as long as your account is active. - Completed swap records: retained indefinitely for audit and dispute purposes (card codes remain encrypted). - Banned account data (including fingerprint/IP): retained indefinitely to prevent re-registration. - Deleted account data: personal identifiers (name, email) are removed on request; transaction records are anonymized but retained for integrity of the Platform’s history.
10. Your Rights
You have the right to: - Access your personal data through your dashboard. - Request correction of inaccurate information. - Request deletion of your account (subject to the retention rules above). - Export your transaction history. - Enable 2FA for additional account security. To exercise these rights, contact us at [email protected]. Deletion requests from banned accounts may be denied where retention is necessary to prevent re-offence.
11. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect information from minors. If we learn that a user is under 18, their account will be terminated and associated data purged (except as needed for fraud prevention).
12. International Users
The Platform is operated from the United States and primarily intended for US users. If you access the Platform from outside the US, your data will be transferred to and stored in the US. By using the Platform, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be announced on the homepage and via email to registered users at least 7 days before taking effect. Continued use after changes constitutes acceptance.
14. Contact
For privacy-related inquiries, contact us at [email protected].