Privacy Policy

Giffy ("we", "our", or "us") is operated by FTFPL Pvt. Ltd., a company registered in India. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the Information Technology Act, 2000, the Information Technology (Amendment) Act, 2008, and the Digital Personal Data Protection Act, 2023 (DPDP Act).

This Privacy Policy explains how we collect, use, store, and share your personal information when you use the Giffy website (giffy.in), mobile application, or any associated services (collectively, the "Services").

By using our Services, you consent to the practices described in this Policy. If you do not agree, please discontinue use of our Services.

2.1 Information You Provide

• Account information: Name, email address, phone number, and home/society address when you register or sign up for early access.
• Booking information: Service type, preferred date and time, recurring schedule preferences.
• Payment information: When you pay through our payment gateway (Razorpay), we collect the necessary transaction details. We do not store your full card number, CVV, or net banking credentials — this data is handled directly by Razorpay and is PCI DSS Level 1 compliant.
• Communications: Messages you send to our support team via email, WhatsApp, or in-app chat.
• Reviews and ratings: Feedback you submit about our helpers and services.

2.2 Information Collected Automatically

• Device information: IP address, browser type, operating system, device identifiers.
• Usage data: Pages visited, time spent, features used, booking history.
• Location data: Approximate location based on IP address; precise location only if explicitly permitted via your device settings.
• Cookies: Session cookies, preference cookies, and analytics cookies (see Section 8).

2.3 Information from Third Parties

• Social sign-in providers (Google, Apple) — name and email only.
• Razorpay — transaction status, payment method type (e.g., UPI, card, net banking).

Giffy uses Razorpay (Razorpay Software Private Limited, registered in India) as our payment gateway for processing all financial transactions. When you make a payment:

• Your payment details (card number, UPI ID, net banking credentials) are entered directly on Razorpay's secure, PCI DSS Level 1 certified payment interface.
• Giffy does not have access to, nor does it store, your sensitive payment credentials.
• Razorpay shares only the transaction status (success/failure), payment method type, and masked card/bank details (last 4 digits of card) with us.
• Razorpay's processing of your payment data is governed by Razorpay's Privacy Policy.
• All transactions are encrypted using TLS 1.2+ and are processed through RBI-authorized payment channels.

We retain transaction records (amount, date, service booked) as required by Indian tax laws (GST records must be maintained for 8 years per the CGST Act).

• Service delivery: Matching you with verified helpers, scheduling bookings, sending confirmations.
• Account management: Creating and managing your Giffy account.
• Payments: Processing transactions via Razorpay, generating invoices, handling refunds.
• Safety: Background verification of helpers; fraud detection.
• Communications: Booking reminders, service updates, support responses, and (with consent) promotional offers.
• Product improvement: Analysing usage patterns to improve our app, website, and services.
• Legal compliance: Responding to legal requests, enforcing our Terms, preventing illegal activity.

We process your personal data under the following legal bases:

• Contractual necessity: Processing required to fulfil your booking or service agreement.
• Legitimate interests: Fraud prevention, security, product improvement.
• Consent: Marketing communications; precise location tracking.
• Legal obligation: Tax records, regulatory compliance under Indian law.

We share your data only in these circumstances:

• With your helper: Your name, building name/society (not full address), and scheduled service time are shared with your assigned Giffy helper to complete the service.
• Payment processor (Razorpay): As described in Section 3.
• Service providers: Cloud hosting (Supabase/AWS), email delivery (Resend), error monitoring (Sentry), analytics — all bound by data processing agreements.
• Legal requirements: When required by Indian law, court order, or to protect the rights of Giffy users.
• Business transfers: In the event of a merger, acquisition, or asset sale — with advance notice to users.

We do not sell your personal data to third parties.

• Account data: Retained while your account is active; deleted within 90 days of account deletion request.
• Booking records: 3 years from booking date (for dispute resolution).
• Payment/transaction records: 8 years as required by Indian tax law (CGST Act).
• Support communications: 2 years from last interaction.
• Waitlist signups (no account): 12 months, then deleted.

We use the following types of cookies:

• Essential cookies: Required for the website to function (session management, security).
• Preference cookies: Remember your settings (language, city preference).
• Analytics cookies: Vercel Analytics — privacy-preserving, no cross-site tracking, no personal data.

You can control non-essential cookies via your browser settings. Essential cookies cannot be disabled without affecting site functionality.

We implement industry-standard technical and organisational measures to protect your data:

• All data transmitted over HTTPS (TLS 1.2+).
• Database encrypted at rest (AES-256) via Supabase/AWS infrastructure.
• Row-Level Security (RLS) on all Supabase database tables.
• Access controls: only authorised team members can access user data.
• Payment data handled exclusively by Razorpay (PCI DSS Level 1 certified).
• Regular security audits and penetration testing.

Under India's Digital Personal Data Protection Act 2023, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (subject to legal retention obligations).
• Grievance redressal: Lodge a complaint with our Data Protection Officer.
• Nomination: Nominate a person to exercise your rights in the event of death or incapacity.

To exercise these rights, email us at privacy@giffy.in or write to our Data Protection Officer at the address below. We will respond within 30 days.

Our Services are not directed to children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@giffy.in.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email (if you have an account) or by posting a prominent notice on our website at least 30 days before the change takes effect.

Data Protection Officer
FTFPL Pvt. Ltd.
Delhi NCR, India
Email: privacy@giffy.in
Website: giffy.in