Skip to content

Privacy Notice

Last modified: November 2025

Information on who we are and this Privacy Policy

This privacy policy sets out how Giftstarr collects, uses, shares and otherwise processes your personal data when you purchase, use or manage our gift cards, visit our website, use our app(s) or interact with us in any other way.

Giftstarr is a trading name of Crunch Payments in connection with its gift card programmes. Crunch Payments is made up of different legal entities as further described below. This privacy policy is issued on behalf of the group so when we mention Giftstarr, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the group responsible for processing your data.

Crunch Payments (trading as Giftstarr) is made up of:

  1. Crunch Payments Limited incorporated in England and Wales with company number 11929149, as the controller of gift cards issued in the UK; and
  2. Crunch Payments Poland Spółka Z Ograniczoną Odpowiedzialnością incorporated in Poland with company number 0000932982, as the controller of gift cards issued in the EU.

Crunch Payments Limited is the controller for this website and the group’s mobile apps, and is registered as a data controller with the UK’s Information Commissioner’s Office (registration number is ZA540508).

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the us using the information set out in the contact details section below.

The types of personal data we may collect about you

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of information which we have grouped together as follows:

  • Information you may provide:
    • Identity Data includes first name, last name, title, date of birth and gender.
    • Contact Data includes billing address, delivery address, email address, telephone numbers, your communication preferences and copies of the communications between you and us.
    • Profile Data includes your username and password, purchases or orders made by you, feedback and survey responses.
    • Identify Documentation Data includes passport, driving license, utility bill and bank statement details.
  • Data which may be automatically collected:
    • Purchase Information includes data which may be collected when purchasing our products and services such as gift card order details.
    • Transaction Data includes details of transactions made when using your gift card including the retailers used, the value of transactions, history, the categories of retailers and the time of transactions.
    • Payment information includes acquiring information and information you provide when loading a gift card using another payment card, including debit card number, expiry date, CVC and bank account number.
    • Technical Data includes we collect whilst you browse our website or use our app, including IP address, browser type, operating system, cookies, browser language, time zone, service provider, system settings, system tokens/keys, pages you visit, searches you make, marketing or links you click on and device location.
    • Usage Data includes information about how you interact with and use our website, products and services.
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We do not intentionally collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Our services, website and app are not intended for use by children and we do not knowingly collect data relating to children.

We will collect data relating to criminal offences through the measures we take to secure and protect our services and users. Further details can be found in the section titled Criminal offence data.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals’ usage data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

If we need to collect and process your personal data, either for the purpose of fulfilling our obligations under a contract made between us, or for the purpose of fulfilling our legal obligations, and you fail or refuse to provide the required personal data to us, we may not be able to perform the relevant contract or otherwise to provide you with our products and services.

How is your personal data collected?

We collect your personal data in the following way:

  • Your interactions with us. You may give us your personal data by purchasing our products or services, using our apps, website or services, or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  • Purchase our products or services;
  • Create an account on our platform, mobile app or website;
  • Subscribe to our service, newsletter or publications;
  • Access our website;
  • Book a platform demonstration;
  • Request marketing to be sent to you;
  • Enter a competition, promotion or survey; or
  • Give us feedback or contact us.
  • Automated technologies or interactions. As you interact with our website, mobile app, payment terminals, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. Please see our cookie policy on our website for further details.
  • Financial and Transaction Data is collected from providers of technical, payment and delivery services when you load and/or make payments using your card.

 

Cookies

We may use cookies (small files placed on your device) and other tracking technologies to improve your experience and our development of the website, mobile app(s) and/or our services. For detailed information on the cookies we use, the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our cookie policy on our website.

How we use your information

We will only use your personal data when we have a lawful basis to do so. Our lawful basis for each purpose for which we use your personal data is specified below. Most commonly we will use your personal data in the following circumstances:

  • Performance of a contract with you: Where we need to process your personal data to perform a contract with you or where you ask us to take steps before we enter into a contract with you. Where we rely on performance of a contract and you do not provide the necessary information, we will be unable to perform your contract.
  • Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests (or those of a third party), for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests.
  • Legal obligation: Where we need to use your personal data to comply with a legal or regulatory obligation. Where we rely on legal obligation and you do not provide the necessary information, we may be unable to fulfil a right you have or comply with our obligations to you, or we may need to take additional steps, such as informing law enforcement or a public authority or applying for a court order.
  • Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter or purchase a gift card from us.

Find further information on the ways in which we use your personal data:

Purpose or activity Lawful basis for processing
To provide you with services at your request, to process and fulfil orders/purchases and deliver services to you, including the purchase and usage of gift cards, redemption of gift cards and sending you service communications Performance of a contract with you

Legitimate interest

Legal obligation

Consent
To prevent fraud and confirm your identity when required Legitimate interest

Legal obligation
To send you direct marketing communications Consent

Unless we can rely on the soft opt-in and you have not opted out, in which case we rely on Legitimate Interest (to publicise and grow our business)
To administer, monitor and improve our business, services, mobile app and website including troubleshooting, data analysis and system testing Legitimate interests
Applying security measures to our processing of your personal data Legal obligation (applying appropriate technical and organisational measures)
To comply with our other legal obligations, protecting our business and other legal uses including compliance with anti-money laundering obligations, scheme rules and obligations Legal obligation
To deploy and process personal data collected via Cookies that are strictly necessary Legitimate interests
To deploy and process personal data collected via Cookies that are not strictly necessary Consent
To enforce our terms and conditions, notify you where necessary, including but not limited to changes to the services, app, terms and conditions, this privacy policy For ongoing or prospective contracts, Performance of a contract

Otherwise,

Legitimate interests

Legal obligation
To permit you to install the app and register you as a new app user Legitimate interests
To enable you to utilise our customer services, respond to your queries, fulfil your requests and to contact you where necessary Legitimate interests
Share personal data with our third-party providers for purposes not otherwise set out above Legitimate interests

 

We do not process your personal data for the purposes of automated decision-making.

Criminal offence data

We do not intentionally collect criminal offence data about you. However may process data relating to criminal offences in monitoring the use of our services for security purposes, where we suspect you may have committed a crime, such as attempting to make a fraudulent purchase or claim or circumvent the security of the services. In such circumstances we will provide that information to law enforcement and/or use it to establish, exercise or defend a legal claim. In those circumstances, according to the type of activity and purpose, we will rely on legitimate interests (protecting our business, employees and other users) and legal obligation (where required by legal, judicial or law enforcement to disclose or process that information). 

Disclosures of your personal data

We may share your personal data with the following third parties:

  • Internal third parties. Other companies within the Giftstarr group to facilitate the provision of our services, website and mobile app.
  • Suppliers and Partners:
    • Service providers who provide us with services enable us to provide our gift card services, the website and mobile app(s), including but not limited to banking partners, IT suppliers, payment networks, customer service providers, identify verification and screening providers.
    • Your Appstore Provider and mobile network operator to allow you to install the mobile app.
    • Our professional advisors including lawyers, auditors, insurers, consultants and who provide legal, accounting, insurance and other services.
    • Marketing and promotional partners and co-operatives with whom we share data to enhance our offerings and identify prospective customers.
  • Third party partners where you have subscribed to receive marketing from or with them.
  • HM Revenue and Customs, regulators, law enforcement, public authorities or other third parties where necessary to exercise our rights, prevent fraud or comply with a legal obligation.

International transfers

Where we transfer your personal data between the EU and UK, those transfers are made pursuant to the UK government’s adequacy decision in favour of countries in the EEA and the European Commission’s adequacy decision in favour of the UK (as applicable).

All transfers between our group companies are governed by our intra-group data sharing and transfer agreement. A list of our entities is included at the start of this document.

If we transfer your personal data to a country outside of the UK or EEA that doesn’t offer a standard of protection at lease equivalent to that of the UK and EEA, we will ensure a similar degree of protection is afforded to it.

Data security

Giftstarr understands the importance of keeping your personal data secure. We will take appropriate technical and organisational measures to protect against unauthorised or unlawful processing, accidental loss or destruction of, or damage to personal data. A selection of measures we take to protect your personal data are provided below:

  • Using industry standard security technology and procedures to protect your information;
  • High-security password protection on internal systems;
  • Encryption of our services using SSL (Secure Sockets Layer);
  • Regular training of our employees on information security;
  • Continual review of our policies and procedures in response to advances in technology and security best practice; and
  • Limiting access to your data appropriately.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website, app or services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We have put in place procedures to detect and respond to personal data breaches and notify you and any applicable regulator when we are legally required to do so.

Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, suspected fraud or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. We will otherwise keep your personal data for no more than seven years after which you cease being a customer, after which it will be disposed of securely if it is no longer required for the lawful purpose(s) for which it was obtained.

If you do not use the mobile app for a material period of time, then we may treat the account as expired and may delete your personal data.

Personal data and your rights

You have the following rights under data protection laws in relation to your personal data.

  • Access. Request access to and/or a copy of the personal data we process about you (commonly known as a data subject access request). This enables you to check that we are lawfully processing it.
  • Rectification. Request correction of any incomplete or inaccurate data we hold about you. (We may need to verify the accuracy of the new data you provide to us.)
  • Deletion. Request that we delete or remove personal data where there is no good reason for us continuing to process it. You also can ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we need to erase your personal data to comply with law. (In some cases, we may need to continue to retain some of your personal data where required by law. If these apply, we will notify you at the time of our response.)
  • Objection. Object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information which override your rights and freedoms.
  • Restriction. Request that we restrict or suspend our processing of your personal data:
    • if you want us to establish the data’s accuracy;
    • where our use of the data is unlawful, but you do not want us to erase it;
    • where we no longer require it, but you need us to hold onto it to establish, exercise or defend legal claims; or
    • you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • Data portability. Request we transfer certain of your personal data to you or your chosen third party in a structured, commonly used, machine-readable format. This right only applies to information processed by automated means that we process on the lawful bases of consent or performance of a contract.
  • Withdraw consent. Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Complain to a data protection regulator. If you are unhappy with how we process your personal data, you should contact us first using the details below in line with our complaints procedure on our website so that we have the chance to put it right. However, you also have the right to make a complaint to the ICO or local data protection regulator at any time.

You can exercise any of these rights at any time by contacting us support@crunchpayments.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month from the date on which satisfactory identification is received from the requestor. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Marketing

You have the right to ask us not to process your personal data for marketing purposes. If you have previously consented to marketing emails, but do not wish to receive marketing communications, then please send an email to info@crunchpayments.com in the following terms, as applicable:

  • “Unsubscribe me from third-party marketing”;
  • “Unsubscribe me from Giftstarr marketing”; and/or
  • “Unsubscribe me from all marketing”.

To unsubscribe from Giftstarr marketing you can also use the unsubscribe link which appears at the bottom of any marketing emails we send.

We typically take 5 working days to process these requests but please allow up to 2 weeks to take account of pre-prepared mailing lists.

Essential service communications

Giftstarr may communicate with you about important activity which has taken place on your account, for example, to alert you about suspicious transactions or problems with your account. You are not permitted to opt-out of these communications.

Third-party links 

The Giftstarr platform, website and applications may from time to time include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Changes to the privacy policy and your duty to inform us of changes 

We keep our privacy policy under regular review. This version was last updated on the date identified at the top of page. It may change and, if it does, the updated version will be posted on this page and may be notified to you by push notification, email, when you next start the mobile, log onto your account or by any other reasonable method.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Complaints 

We aim to provide you with the highest standards of service, however there may be occasions when our service does not meet your expectations but telling us about it gives us a chance to fix things. If you need to make a complaint, please find our complaints policy on our website.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (in line with our complaints procedure on our website).

Contact details

If you have any enquiries or questions about how we use your personal information or about this privacy policy, please contact us at compliance@crunchpayments.com.

EU Representative:

Representative: Data Protection Officer

Contact: compliance@crunchpayments.com

Postal address: Corso Filippo Turati, 65 Colleferro (RM), 00034 Italy

UK Representative:

Representative: Data Protection Officer

Contact: compliance@crunchpayments.com

Postal address: Brent Hall Warley Gap, Little Warley, Brentwood, England, CM13 3DP