Privacy Policy
Last updated: March 2026
1. Who We Are
Cardgiftpayment.com ("we", "us", "our") is operated by VALUE FORWARD LIMITED, company number 17163549, a company incorporated in England and Wales with its registered office at Suite A, 82 James Carter Road, Mildenhall, United Kingdom, IP28 7DE. We are the data controller for personal data collected through the Platform. For questions about this Policy, contact us at info@cardgiftpayment.com.
2. Data We Collect
- Account data: first name, last name, email address, hashed password, account role (buyer/seller), and email verification status.
- Transaction data: gift card listings (retailer, denomination, currency, region, discount), order records (amounts, statuses, timestamps), and dispute information including reasons submitted.
- Payment data: payout card details (card number stored encrypted using AES-256-GCM, cardholder name, expiry date). We do not store full payment card numbers used to make purchases — these are passed directly to our payment processor.
- KYC and verification data (for Sellers): personal details (first name, last name, date of birth), government-issued identity documents, and proof of address dated within the last 3 months. This information is collected where required to verify identity, perform sanctions and PEP screening, and enable withdrawals.
- Technical data: IP address, browser type, device information, pages visited, and timestamps of activity. This data is collected via server logs and cookies.
- Communications: any messages you send to our support team.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Contract performance |
| Process payments and payouts | Contract performance |
| Resolve disputes | Contract performance |
| Fraud prevention and security | Legitimate interests |
| Comply with legal obligations (including identity verification, AML, sanctions and PEP screening) | Legal obligation |
| Send transactional emails (OTP, order updates) | Contract performance |
| Improve the Platform | Legitimate interests |
4. Data Retention
- Account and transaction data: retained for 6 years after your last transaction to comply with financial record-keeping obligations under UK law.
- If you request account deletion and have no open or recent transactions, we will anonymise your account data within 30 days.
- Technical logs: retained for 90 days.
- Support correspondence: retained for 3 years.
- KYC documents: retained for a minimum of 6 years from submission date, as required by AML legislation.
5. Who We Share Your Data With
- Payment processor: card transaction data is processed by our payment infrastructure. Card numbers are not stored by us.
- Email service provider: used to send OTP and transactional emails. Only your email address and message content are shared.
- Hosting provider: our servers are hosted by a third-party cloud provider. Data is stored within the UK/EEA.
- Compliance and verification providers: we may share KYC data with third-party identity verification and screening providers to perform identity checks and sanctions/PEP screening.
- Law enforcement / regulators: where required by law or court order.
We do not sell your personal data to third parties.
If we transfer your data outside the UK or EEA, we ensure an equivalent degree of protection through appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
6. Your Rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data, subject to legal retention obligations.
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@cardgiftpayment.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
We use essential cookies to maintain your session and security. No tracking or advertising cookies are used. See our Cookie Policy for details.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including AES-256-GCM encryption of sensitive payment data, bcrypt password hashing, and TLS encryption for data in transit.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised date. Continued use of the Platform following any changes constitutes acceptance of the updated Policy.