Privacy Policy
Last updated: April 22, 2026
1. Information We Collect
- Account Information: Name, email address, and a bcrypt-hashed password when you register. Optional display name and 2FA secret if you enable two-factor authentication.
- Gift Card Data: Card numbers and PINs you submit for exchange. This data is encrypted with AES-256-CBC and stored only for as long as needed to complete the exchange and keep an audit trail for dispute investigations.
- Transaction Data: Swap requests, match history, dispute reports, completed exchange records, and your reputation score.
- Device & Network Data (Fraud Prevention): IP address and a device fingerprint (a non-tracking hash derived from browser characteristics) are stored on registration and updated on login. We use this exclusively to prevent duplicate accounts, Sybil attacks, and matching fraud. We do not share this data with advertisers or any third party.
- Usage Data: Pages visited, timestamps of key actions, and basic technical information (user-agent, browser type) for security monitoring.
- Referral Data: Who referred you (if applicable) and who you’ve referred, along with the status of each referral.
2. How We Use Your Information
- To facilitate gift card exchanges between users.
- To verify gift card balances manually before and during matching.
- To run automated fraud-detection signals (device/IP matching, card-code deduplication, pattern analysis).
- To investigate dispute reports — admins may access both sides’ full account history and card contents during active investigations.
- To manage your account and enforce Platform rules (bans, limits, flags).
- To send transactional emails about swap status, matches, dispute outcomes, and security alerts.
- To improve the Platform and matching algorithms.
3. Data Security
We take data security seriously:
- All gift card numbers and PINs are encrypted using AES-256-CBC at rest.
- Card data is only decrypted for authorized verification, delivery to matched users, and dispute investigation.
- Card codes are never sent via email — you must log in to view them.
- Passwords are hashed using bcrypt (12 rounds).
- Authentication uses secure HTTP-only cookies with short-lived JWT tokens.
- Login attempts and registration are rate-limited to prevent brute-force attacks.
- Admin accounts may enable TOTP-based two-factor authentication.
4. Data Sharing
We do not sell, rent, or share your personal information with advertisers, data brokers, or marketing partners. Limited sharing occurs only:
- When required by law, court order, or other valid legal process.
- To protect the rights, safety, or property of our users, third parties, or the Platform.
- With email delivery service providers (for transactional emails only — no content beyond what is strictly necessary).
- With Google (Gemini AI) for customer support tickets you submit — only the ticket text is shared, never card data or personal identifiers beyond your display name.
5. Card Data Handling
When a swap completes, your card data is delivered to the matched user through their authenticated dashboard (masked by default, revealable with a click). Card codes are never sent via email, SMS, or any off-platform channel. After swap completion, card data remains encrypted in our database as part of the transaction record — needed for dispute investigations within the dispute window and for compliance with recordkeeping obligations.
6. Dispute Data
If a swap is disputed, the dispute reason, admin notes, and outcome are associated with both users’ accounts. This information is kept as part of account history and may be used to inform future fraud decisions, even after the specific dispute is closed. Banned users’ device fingerprints and IPs are retained to prevent re-registration.
7. Email Communications
We send transactional emails for:
- Card verification status (approved/rejected).
- Match notifications and swap completion.
- Giveaway winnings.
- Referral milestone rewards.
- Dispute updates.
- Account security alerts.
We do not send marketing emails. All communications are related to your account activity. You can opt out of non-essential emails in your account settings; critical security alerts cannot be disabled.
8. Cookies
We use a single authentication cookie (HTTP-only, Secure, SameSite=Lax) to maintain your login session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
9. Data Retention
- Active account data: retained as long as your account is active.
- Completed swap records: retained indefinitely for audit and dispute purposes (card codes remain encrypted).
- Banned account data (including fingerprint/IP): retained indefinitely to prevent re-registration.
- Deleted account data: personal identifiers (name, email) are removed on request; transaction records are anonymized but retained for integrity of the Platform’s history.
10. Your Rights
You have the right to:
- Access your personal data through your dashboard.
- Request correction of inaccurate information.
- Request deletion of your account (subject to the retention rules above).
- Export your transaction history.
- Enable 2FA for additional account security.
To exercise these rights, use Live Support in your Dashboard. Deletion requests from banned accounts may be denied where retention is necessary to prevent re-offence.
11. Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect information from minors. If we learn that a user is under 18, their account will be terminated and associated data purged (except as needed for fraud prevention).
12. International Users
The Platform is operated from the United States and primarily intended for US users. If you access the Platform from outside the US, your data will be transferred to and stored in the US. By using the Platform, you consent to this transfer.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be announced on the homepage and via email to registered users at least 7 days before taking effect. Continued use after changes constitutes acceptance.
14. Contact
For privacy-related inquiries, please use Live Support in your Dashboard.