Giftaweb Privacy Policy
This English version is provided for the convenience of international customers. In case of any discrepancy between the Estonian and English versions, the Estonian version prevails.
1. Data controller
Navik OÜ (hereinafter We or Service Provider):
- Registry code: 17454389
- Address: Rehe põik 5, 76909 Vääna-Jõesuu, Estonia
- Phone: +372 5067651
- Email: veeb@navik.ee
Giftaweb is a trade name and trademark of Navik OÜ.
2. What data do we collect?
2.1. When buying a gift card (buyer's data)
- First and last name
- Email address
- Phone number (optional)
- Billing address (when ordered with an invoice)
- Payment method and transaction reference (via the payment service provider; we do not store card data)
2.2. When redeeming the gift card (recipient's/customer's data)
- First and last name
- Email address
- Phone number
- Company details (name, registry code, address)
- Brief form contents: industry, description of services, desired domain, style preferences, social media links, colours, etc.
- Uploaded images and logos
2.3. Automatically collected data
- IP address (for security only, retained max 30 days)
- Browser type and version
- Visited pages info (only as aggregated statistics)
- Cloudflare Turnstile (anti-spam) default data
3. How do we use personal data?
3.1. To perform the contract (GDPR art. 6(1)(b))
- Generating and sending the gift card
- Building and delivering the website to the Customer
- Communicating with the Customer during the service
- Registering the domain in the Customer's name
3.2. To comply with legal obligations (GDPR art. 6(1)(c))
- Retention of accounting data under accounting law (7 years)
- Tax reporting
3.3. Based on legitimate interests (GDPR art. 6(1)(f))
- Improving service quality
- Ensuring security (anti-spam and anti-fraud)
- Direct marketing of the service to existing customers (6-month reminder)
4. To whom do we transfer data?
We do not sell or share your personal data with third parties for marketing purposes. We transfer data to the following service providers who help us deliver the service:
| Service provider | Location | Purpose | Data |
|---|---|---|---|
| Cloudflare Inc. | USA (EU-US DPF) | Hosting, database, security layer | All data flowing through the service |
| Swedbank AS / EveryPay AS | Estonia | Payment processing (bank link, card payment) | Buyer's name, email, payment amount (no card data) |
| Resend Inc. | USA (EU-US DPF) | Email delivery | Recipient email, email contents |
| Namecheap Inc. | USA | Domain registrar (.com/.eu) | Customer name, address, email (ICANN requirement) |
| Estonian Internet Foundation | Estonia | Domain registrar (.ee) | Customer name, address, email, registry code |
All third parties are required to process data in accordance with GDPR and a data processing agreement (DPA).
5. Retention periods
| Data type | Retention period |
|---|---|
| Accounting documents (invoices) | 7 years (Accounting Act) |
| Customer brief (website data) | 2 years after end of service |
| Uploaded images | 2 years after end of service |
| Email correspondence | 2 years after the last message |
| Security logs (IP, logs) | 30 days |
| Gift card data | 1 year after end of validity |
After the retention period ends, data is deleted or anonymised.
6. Cookies
Giftaweb uses the following cookies:
| Name | Purpose | Validity |
|---|---|---|
| Turnstile (Cloudflare) | Anti-spam | Session |
| Autosave token | Periodic saving of form data | 30 days |
| Edit token | Subsequent editing of form responses | Until service is locked |
We do not use marketing or analytics cookies (e.g., Google Analytics, Facebook Pixel) unless the customer has explicitly given consent.
7. Your rights
Under GDPR, you have the following rights:
- Right of access — to obtain a copy of your data
- Right to rectification — to have incorrect or incomplete data corrected
- Right to erasure ("right to be forgotten") — to have personal data deleted when there is no legal basis for retention
- Right to restriction of processing
- Right to data portability — to receive your data in a structured form
- Right to object — to processing based on legitimate interests
- Right to lodge a complaint — with the Estonian Data Protection Inspectorate (aki.ee)
To exercise your rights, send a request to: veeb@navik.ee. We respond within 30 days.
8. Data security
- HTTPS encryption for all traffic (Cloudflare SSL)
- Cloudflare WAF (web application firewall) for anti-spam and anti-attack protection
- Limited access to personal data (only authorised persons of the Service Provider)
- Regular backups
- Encrypted passwords (where used)
9. Data transfers outside the European Union
Some of our service providers (Cloudflare, Resend, Namecheap) are located in the USA. Data transfers take place under the EU-US Data Privacy Framework (DPF), which provides a level of protection equivalent to GDPR. If necessary and where DPF does not apply, we rely on data transfers under Standard Contractual Clauses (SCCs) approved by the European Commission.
We additionally confirm that neither We nor the AI service providers we use (via API) use the Customer's submitted personal data or form data to publicly train their AI models. AI processing is performed only for the purpose of delivering the specific service (building the website), and data is not retained at the AI service provider after processing ends.
10. Minors
Giftaweb services are aimed at persons aged at least 18. We do not knowingly collect data from minors. If we identify that a minor has submitted data, we delete it without delay.
11. Changes to the Privacy Policy
We may amend this Privacy Policy from time to time. We will notify you of significant changes by email. Changes take effect 14 days after publication.
Contact for data protection matters:
Email: veeb@navik.ee
Address: Navik OÜ, Rehe põik 5, Vääna-Jõesuu küla, Harku vald, Harjumaa, Estonia
Data protection supervisory authority:
Estonian Data Protection Inspectorate (AKI)
Tatari 39, 10134 Tallinn
info@aki.ee · www.aki.ee