GyFTR
GyFTRBrochure

Privacy Policy

GyFTR (Vouchagram India Pvt. Ltd.) (“GyFTR”, “we”, “us”, or “the Company”) is committed to protecting the privacy of individuals whose personal data we process in connection with our website (https://www.gyftr.com), mobile application, and corporate gifting services.

This Privacy Policy explains how we collect, use, disclose, transfer, secure, retain and manage personal data in compliance with applicable data protection and information technology laws in India, including but not limited to the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, and any rules, regulations or amendments thereto.

Registered office: Vouchagram India Pvt. Ltd., 3rd Floor, B-11, Block B, Qutub Institutional Area, New Delhi – 110016, India.
Contact & grievance officer / DPO: For privacy queries or to exercise your rights under applicable law, please contact us at help@gyftr.com or via our customer support at 1800-1033-314.

1. Scope & Applicability

This Privacy Policy applies to all personal data processed by GyFTR in the course of providing its services, including the Corporate Gifting offering (bulk issuance, CSV/API uploads, redemptions, delivery via Email/SMS/WhatsApp, dashboards, and related operational services). It applies to:

  • Individuals who use our website or App
  • Individuals whose personal data is provided to us by Corporate Clients (for example, recipients of vouchers or Client contact persons).

When we refer to “you” or “your” in this Privacy Policy we mean the relevant individual whose personal data we process.

2. What information do we collect?

We may collect and process the following categories of personal data (as applicable and necessary for the relevant purpose):

  1. Identity & contact information (name, email, phone, address, etc.)
  2. Transaction data & payment information (orders, invoices, transaction IDs; card/UPI handled by processors)
  3. Delivery & redemption metadata (voucher codes, expiry, redemption logs, IP, device, delivery receipts)
  4. Recipient lists & corporate data (CSV/API uploads from Clients with recipient details for gifting)
  5. Support & correspondence (emails, calls, communications)
  6. Usage data & technical logs (cookies, browser info, logs, analytics)
  7. Other information you provide (feedback, preferences, logos/messages for branding)
  8. Only authorized personnel, on a strict need‑to‑know basis, may use any information collected from individual customers. We constantly review our systems and data-handling practices to ensure appropriate protection of personal data.

3. Purposes of processing

We process personal data for one or more of the following purposes:

  1. To provide and operate our services (vouchers, gift cards, loyalty, payments, redemption support and related fulfilment services).
  2. To deliver, activate, and validate vouchers and to send transactional communications to recipients and Client contacts regarding order status, issuance, delivery failures and redemption support.
  3. To process payments, undertake fraud detection and prevention, perform reconciliation, and comply with tax and accounting requirements.
  4. To comply with legal and regulatory obligations (including anti-money laundering and anti-bribery laws).
  5. To provide customer support and respond to enquiries, complaints and disputes.
  6. To enable Corporate Clients to upload recipient data, manage campaigns, and access reporting dashboards and analytics.
  7. To provide marketing and promotional communications where consent has been obtained or where permitted by law; and for market research and service improvement.
  8. To detect, investigate and prevent security incidents, abuse, or fraudulent activity; and for internal record keeping, auditing, and risk management.
  9. For Corporate Gifting specifically, we may process business contact details, recipient lists provided by Corporate Clients, delivery and redemption metadata, and related programme records for issuance, delivery, support, invoicing, and compliance in accordance with this Privacy Policy and any contractual terms agreed with the Client.

4. Lawful basis for processing

Where applicable, GyFTR will rely on one or more lawful bases to process personal data under applicable law including the DPDP Act. Typical lawful bases include:

  1. Performance of a contract: processing necessary to perform contractual obligations (for example, delivering vouchers to recipients designated by a Corporate Client or processing an order you place).
  2. Compliance with legal obligations: processing necessary to comply with laws and regulatory obligations (e.g., tax, accounting, AML/KYC obligations).
  3. Consent: where explicit consent is required and has been obtained (for example, for marketing communications or where Client-provided recipient data is shared for non-contractual purposes).
  4. Legitimate interests: processing necessary for legitimate business interests of GyFTR (for example, fraud prevention, network and information security, internal analytics), provided such interests are not overridden by the rights of the data principal.

Clients and users must ensure they have the necessary legal basis or consents to provide recipient personal data to GyFTR. By supplying recipient contact information to GyFTR, the Client represents and warrants that it has obtained all requisite notices and consents required under applicable law for such disclosure and processing, unless the processing is otherwise lawful without consent (for example, performance of contract).

5. How we share personal data

We may disclose personal data to the following categories of recipients to the extent necessary for the purposes described above:

  1. Issuer partners, brands and merchants: for voucher activation, redemptions and merchant/issuer reconciliation.
  2. Delivery and communications providers: email, SMS, and WhatsApp providers used for delivery of vouchers and communications.
  3. Payment processors and banking partners: for processing payments and refunds (for example PayU or other processors as specified on our website or Invoice).
  4. IT service providers, cloud hosting and analytics providers: for hosting, storage, and analysis of platform operations.
  5. CRM, helpdesk and customer support providers: to enable us to deliver customer service functions.
  6. Professional advisers, auditors, legal and regulatory bodies: where required for legal compliance, dispute resolution or audit.
  7. Successors & assigns: where GyFTR assigns or transfers all or part of its business; personal data may form part of any transferred assets.

For Corporate Gifting, disclosures may be made to brand/issuer partners (for issuance/validation), delivery vendors (Email/SMS/WhatsApp), payment and banking partners, CRM/helpdesk providers, auditors and professional advisers, strictly for performance of services, with consent where required, or as mandated by law.

All third parties with whom we share personal data are required to process such data only for the specified purposes and under contractual terms requiring appropriate confidentiality and security measures.

6. Confidentiality and client records

We regard Client records as confidential and, subject to the disclosures permitted above, will not disclose such records to third parties other than our suppliers and as required by law. Clients have the right to request sight of, and copies of, any Client Records we keep provided reasonable notice is given.

Where appropriate and agreed in writing, we will provide Clients with copies of records, handouts, or written information as part of the contracted service. Clients are requested to retain copies of any literature issued in relation to provision of our services.

7. Payment & third-party processors

Payments on our Website may be processed via third‑party payment processors (for example PayU) and other authorized payment channels (credit/debit cards, UPI, wallets, netbanking, bank transfers or payment links). We do not control the privacy practices of payment providers; please review their privacy policies. Payment processors may collect and process payment data in accordance with their contractual obligations.

8. Cookies & similar technologies

We may use cookies, web beacons and similar technologies to collect usage data and improve our website and services. Cookies allow us to personalize your experience, remember preferences, and support analytics and fraud detection. You may choose to disable cookies via your browser settings, but this may impact the functionality of the Website or delivery of certain services.

9. Data retention

We shall retain personal data only as long as is necessary to fulfil the purposes set out in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce our agreements. Where a longer retention period is required by law (for example, for tax or accounting purposes), we will retain personal data for the period required by law. Upon expiry of the retention period, we will securely delete, anonymize, or aggregate personal data as appropriate.

10. Data Subject Rights

Subject to applicable law and verification requirements, data principals have the right to:

  1. Request access to their personal data held by GyFTR;
  2. Request correction of inaccurate or incomplete data.
  3. Request erasure of personal data, subject to legal and contractual retention obligations.
  4. Withdraw consent where processing is based on consent (withdrawal will not affect processing prior to withdrawal).
  5. Object to or restrict processing as permitted by law.
  6. Request data portability where technically feasible and required under law; and
  7. Lodge a complaint with the relevant supervisory or regulatory authority.

To exercise any of the above rights, please contact us at help@gyftr.com. We will respond to verified requests in accordance with applicable law and within the timeframes required by the DPDP Act or other applicable legislation.

11. Security measures

We implement reasonable technical, administrative and organizational measures to protect personal data against unauthorized access, loss, theft, misuse, alteration or destruction. These measures include access controls, encryption where appropriate, secure development practices, and ongoing security monitoring. However, no system is completely secure, and we cannot guarantee absolute security of personal data.

12. Cross-border transfers

Where personal data is transferred outside India (for example, to cloud hosting providers or service vendors), such transfers will be carried out in accordance with applicable laws and with appropriate safeguards (contractual clauses, security measures or other legally recognized mechanisms) to protect the personal data.

13. Children & age restrictions

Our services are intended for persons aged 18 years or above. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have collected personal data of a child without parental consent, we will take steps to delete the information in accordance with applicable law.

14. Marketing & promotional communications

We may use personal data to send marketing communications about our products and services where we have a lawful basis to do so, including where consent has been given. Recipients can opt‑out of marketing messages by following the unsubscribe link in marketing emails or by contacting help@gyftr.com. Transactional and operational messages (for example, issuance, delivery, redemption support) are necessary for performance of contract and may not be subject to opt‑out.

15. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time to reflect changes in legal, regulatory or business requirements. Where changes materially affect how we use personal data, we will post a notice on our Website and, where applicable, provide reasonable notice to affected individuals (for example, by e-mail) in advance of any material change. Continued use of the Website/App after such changes constitutes acceptance of the revised Privacy Policy.

Any changes to our privacy policy will be posted on our Website or App 30 days prior to these changes taking place, and where there are significant changes in how personally identifiable information is used, notification by e-mail will be made to those affected.

16. Contact & disputes

If you have questions, concerns or complaints about our privacy practices or this Privacy Policy, please contact us at help@gyftr.com or by calling 1800-1033-314.

If you are not satisfied with our response, you may lodge a complaint with the applicable data protection authority in India.

17. Incorporation into Terms

This Privacy Policy forms part of, and is incorporated by reference into, the Website/App Terms & Conditions governing use of GyFTR services, including any Corporate Gifting terms. To the extent of any inconsistency between the Privacy Policy and separate contractual terms agreed with a Corporate Client, the contractual terms will prevail with respect to that Client, unless otherwise stated.

© Vouchagram India Pvt. Ltd. All rights reserved.

whatsapp-icon