PRIVACY POLICY

Last updated: 1 April 2026 · GDPR (EU) 2016/679 compliant

At ONE GIFT we are committed to protecting your privacy and processing your personal data with full transparency. This policy explains what data we collect, for what purpose, how long we retain it and what rights you have over it, in accordance with the General Data Protection Regulation (GDPR) and Organic Law 3/2018 (LOPD-GDD).

1. Data Controller

In compliance with EU Regulation 2016/679 (GDPR) and Organic Law 3/2018 (LOPD-GDD), the controller of your personal data is:

Company nameONE GIFT S.L.
Registered addressSpain
General contactitsonegift@gmail.com

2. Personal Data We Process

Depending on your activity on our site, we process the following categories of data:

Registration and account data

  • First and last name
  • Email address
  • Password (stored as an irreversible hash)
  • Phone number (optional)

Order and shipping data

  • Full delivery address
  • Purchase history
  • Information about returns or claims

Payment data

  • Payment is handled entirely through Stripe. ONE GIFT does not store any card data.

Navigation and technical data

  • IP address
  • Browser type and operating system
  • Pages visited and session duration

Newsletter data (with consent only)

  • Email address
  • Communication preferences

We do not process special categories of data or data from children under 14.

3. Purpose and Legal Basis

PurposeLegal basis
User account managementArt. 6.1.b — Performance of contract
Order processing and shippingArt. 6.1.b — Performance of contract
Transactional communicationsArt. 6.1.b — Performance of contract
Payment processing via StripeArt. 6.1.b — Performance of contract
Compliance with tax and accounting obligationsArt. 6.1.c — Legal obligation
Fraud prevention and site securityArt. 6.1.f — Legitimate interest
Newsletter and commercial communicationsArt. 6.1.a — Explicit consent
Claims management and customer supportArt. 6.1.b / 6.1.c — Contract / Legal obligation

4. Recipients and Data Processors

ONE GIFT does not sell or transfer your personal data to third parties for commercial purposes. We share data only with service providers acting on our behalf:

ProviderPurposeLocation
Stripe, Inc.Secure payment processingUS / EU (SCC)
Hosting providerPlatform and database hostingEU
Transactional email providerSending confirmation emailsEU / US (SCC)
Logistics companiesOrder deliveryEU

SCC = Standard Contractual Clauses adopted by the European Commission.

5. International Transfers

Some providers have infrastructure outside the EEA. In all cases, these transfers are carried out with adequate safeguards through the Standard Contractual Clauses adopted by the European Commission (Decision EU 2021/914).

6. Retention Periods

We retain your data for the minimum time necessary for each purpose:

CategoryPeriod
Active account dataWhile you maintain the account; deleted upon request or after 2 years of inactivity
Order history and invoices5 years (tax obligation)
Newsletter consentUntil you withdraw consent
Security logs12 months
Encrypted backupsMaximum 30 additional days after active deletion

7. Your Rights (GDPR)

As a data subject, you may exercise the following rights at any time:

Access (art. 15)

Obtain confirmation of whether we process your data and receive a copy.

Rectification (art. 16)

Correct inaccurate or incomplete data.

Erasure / "right to be forgotten" (art. 17)

Request deletion when data is no longer necessary or has been unlawfully processed.

Restriction of processing (art. 18)

Request that we suspend use of your data in certain circumstances.

Data portability (art. 20)

Receive your data in a structured format (JSON/CSV).

Objection (art. 21)

Object to processing based on legitimate interest or for direct marketing purposes.

Withdrawal of consent

You may withdraw consent at any time without affecting the lawfulness of prior processing.

How to exercise your rights

Send an email to itsonegift@gmail.com indicating the right you wish to exercise. We will respond within a maximum of 1 month.

8. Data Security

ONE GIFT applies appropriate technical and organisational measures: TLS encryption in transit, passwords stored with bcrypt hashing, access restricted to staff on a need-to-know basis, and periodic security reviews.

9. Minors

Our services are intended for persons aged 18 and over. We do not knowingly collect data from children under 14. If we become aware that a minor has provided their data without parental consent, we will delete it immediately.

10. Changes to this Policy

When we make material changes, we will notify you via a prominent notice on the website or by email at least 15 days in advance. The “Last updated” date at the top of this document will always reflect the current version.

11. Contact

For any queries or rights requests, you can contact us:

  • Privacy email: itsonegift@gmail.com
  • General email: itsonegift@gmail.com
  • Suggested subject: “GDPR — [type of request]”

If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.

This document has been drafted based on the GDPR (EU) 2016/679, the LOPD-GDD 3/2018 and applicable Spanish law. Periodic review by a data protection legal professional is recommended.