PRIVACY POLICY
Last updated: 1 April 2026 · GDPR (EU) 2016/679 compliant
At ONE GIFT we are committed to protecting your privacy and processing your personal data with full transparency. This policy explains what data we collect, for what purpose, how long we retain it and what rights you have over it, in accordance with the General Data Protection Regulation (GDPR) and Organic Law 3/2018 (LOPD-GDD).
1. Data Controller
In compliance with EU Regulation 2016/679 (GDPR) and Organic Law 3/2018 (LOPD-GDD), the controller of your personal data is:
| Company name | ONE GIFT S.L. |
| Registered address | Spain |
| General contact | itsonegift@gmail.com |
2. Personal Data We Process
Depending on your activity on our site, we process the following categories of data:
Registration and account data
- First and last name
- Email address
- Password (stored as an irreversible hash)
- Phone number (optional)
Order and shipping data
- Full delivery address
- Purchase history
- Information about returns or claims
Payment data
- Payment is handled entirely through Stripe. ONE GIFT does not store any card data.
Navigation and technical data
- IP address
- Browser type and operating system
- Pages visited and session duration
Newsletter data (with consent only)
- Email address
- Communication preferences
We do not process special categories of data or data from children under 14.
3. Purpose and Legal Basis
| Purpose | Legal basis |
|---|---|
| User account management | Art. 6.1.b — Performance of contract |
| Order processing and shipping | Art. 6.1.b — Performance of contract |
| Transactional communications | Art. 6.1.b — Performance of contract |
| Payment processing via Stripe | Art. 6.1.b — Performance of contract |
| Compliance with tax and accounting obligations | Art. 6.1.c — Legal obligation |
| Fraud prevention and site security | Art. 6.1.f — Legitimate interest |
| Newsletter and commercial communications | Art. 6.1.a — Explicit consent |
| Claims management and customer support | Art. 6.1.b / 6.1.c — Contract / Legal obligation |
4. Recipients and Data Processors
ONE GIFT does not sell or transfer your personal data to third parties for commercial purposes. We share data only with service providers acting on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Secure payment processing | US / EU (SCC) |
| Hosting provider | Platform and database hosting | EU |
| Transactional email provider | Sending confirmation emails | EU / US (SCC) |
| Logistics companies | Order delivery | EU |
SCC = Standard Contractual Clauses adopted by the European Commission.
5. International Transfers
Some providers have infrastructure outside the EEA. In all cases, these transfers are carried out with adequate safeguards through the Standard Contractual Clauses adopted by the European Commission (Decision EU 2021/914).
6. Retention Periods
We retain your data for the minimum time necessary for each purpose:
| Category | Period |
|---|---|
| Active account data | While you maintain the account; deleted upon request or after 2 years of inactivity |
| Order history and invoices | 5 years (tax obligation) |
| Newsletter consent | Until you withdraw consent |
| Security logs | 12 months |
| Encrypted backups | Maximum 30 additional days after active deletion |
7. Your Rights (GDPR)
As a data subject, you may exercise the following rights at any time:
Access (art. 15)
Obtain confirmation of whether we process your data and receive a copy.
Rectification (art. 16)
Correct inaccurate or incomplete data.
Erasure / "right to be forgotten" (art. 17)
Request deletion when data is no longer necessary or has been unlawfully processed.
Restriction of processing (art. 18)
Request that we suspend use of your data in certain circumstances.
Data portability (art. 20)
Receive your data in a structured format (JSON/CSV).
Objection (art. 21)
Object to processing based on legitimate interest or for direct marketing purposes.
Withdrawal of consent
You may withdraw consent at any time without affecting the lawfulness of prior processing.
How to exercise your rights
Send an email to itsonegift@gmail.com indicating the right you wish to exercise. We will respond within a maximum of 1 month.
8. Data Security
ONE GIFT applies appropriate technical and organisational measures: TLS encryption in transit, passwords stored with bcrypt hashing, access restricted to staff on a need-to-know basis, and periodic security reviews.
9. Minors
Our services are intended for persons aged 18 and over. We do not knowingly collect data from children under 14. If we become aware that a minor has provided their data without parental consent, we will delete it immediately.
10. Changes to this Policy
When we make material changes, we will notify you via a prominent notice on the website or by email at least 15 days in advance. The “Last updated” date at the top of this document will always reflect the current version.
11. Contact
For any queries or rights requests, you can contact us:
- Privacy email: itsonegift@gmail.com
- General email: itsonegift@gmail.com
- Suggested subject: “GDPR — [type of request]”
If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
