Last Updated: May 29, 2026 · Effective Date: April 1, 2026 · Jurisdiction: Ontario, Canada
Your privacy matters. This Privacy Policy explains how SYNC-Gift Inc. ("SYNC-Gift", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our platform, mobile application, and related services (collectively, the "Services"). Please read it carefully.
SYNC-Gift Inc. is the data controller responsible for your personal information. We are incorporated in Ontario, Canada. Our designated Data Protection Officer (DPO) can be reached at dpo@syncgift.com.
Our Services include a digital gifting platform, digital wallet, SYNC Points rewards programme, event ticketing, and related financial services features, available via web and mobile application.
2. Information We Collect
2.1 Information You Provide Directly
Account data: Full name, email address, phone number, username/handle, and profile photo.
Identity verification (KYC): Government-issued ID documents, selfie/liveness photos, date of birth, and residential address — required for regulatory compliance under AML and financial services laws.
Payment information: Billing address and payment method details. Card data is handled exclusively by Stripe — we do not store raw card numbers or CVV data on our servers.
Communications: Gift messages, support correspondence, and feedback you submit to us.
User-generated content: Photos, videos, captions, and other media you attach to gifts or upload to your profile.
Referral data: If you refer another user, we record the referral attribution to credit your account.
2.2 Information Collected Automatically
Usage data: Pages and features accessed, timestamps, session duration, transaction history, and in-app interaction logs.
Device information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language settings.
Location data: Approximate location derived from IP address. Precise GPS location is only requested if you grant permission for a specific location-based feature.
Cookies and similar technologies: Session tokens, preference cookies, and internal analytics identifiers. See Section 12 for details.
2.3 Information from Third Parties
Payment processors: Stripe provides payment confirmation and fraud signals. See Stripe's Privacy Policy.
Identity verification providers: KYC/AML compliance partners provide identity match scores and document verification results.
Sign-in providers: If you choose to sign in with Apple or Google, we receive your name, email address, and provider-issued user ID. We do not receive your Apple or Google password.
We do not collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes (beyond KYC), health data, or sexual orientation, except where strictly required by law.
3. Legal Basis for Processing (GDPR — EU/EEA/UK Users)
Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data on the following legal bases:
Contract performance (Art. 6(1)(b)): To create and manage your account, process transactions, and deliver our Services.
Legal obligation (Art. 6(1)(c)): To comply with anti-money laundering (AML), know-your-customer (KYC), tax reporting, FINTRAC (Canada), FinCEN (USA), and other applicable financial regulations.
Legitimate interests (Art. 6(1)(f)): To prevent fraud, ensure platform security, improve our Services, and send essential service-related communications. We have balanced these interests against your rights and do not believe they override your fundamental rights.
Consent (Art. 6(1)(a)): For optional marketing communications and non-essential cookies — you may withdraw consent at any time without affecting prior processing.
For UK users, the same bases apply under the UK GDPR as retained in domestic law. The UK Information Commissioner's Office (ICO) is the relevant supervisory authority.
4. How We Use Your Information
Providing, operating, and maintaining the SYNC-Gift platform and Services.
Processing financial transactions, gift transfers, and wallet operations.
Verifying your identity and complying with KYC/AML regulatory requirements.
Personalising your experience and displaying relevant content within the platform.
Sending transactional emails (gift notifications, receipts, security alerts) and, with your consent, promotional messages.
Detecting, investigating, and preventing fraudulent, abusive, or illegal activity.
Improving platform performance, reliability, and features using aggregated, internal analytics.
Complying with applicable laws, regulations, court orders, and legal processes.
Resolving disputes and enforcing our Terms of Use.
We do not use your personal information for third-party advertising, retargeting, or behavioural ad profiling. We do not share your data with advertising networks or data brokers.
5. Sharing and Disclosure of Your Information
✓ We do not sell your personal information
We share data only in the following circumstances:
Service providers: Stripe (payments — privacy policy), Apple (privacy policy), Google (privacy policy), cloud infrastructure providers, email notification services, and identity verification providers. All operate under data processing agreements with appropriate safeguards.
Gift recipients: When you send a gift, the recipient's name, delivery email/phone, and gift message are shared with the recipient to fulfil the gift.
Regulatory and legal authorities: When required by law, court order, regulator, or to protect the rights, safety, or property of SYNC-Gift, our users, or the public — including mandatory AML/KYC reporting to FINTRAC or FinCEN.
Business transfers: In the event of a merger, acquisition, restructuring, or sale of assets, with confidentiality obligations and notice to affected users.
With your explicit consent: For any other purpose disclosed at the time of collection that you have specifically agreed to.
6. International Data Transfers
SYNC-Gift is headquartered in Canada and serves users in Canada and the United States. Your personal data may be processed in countries where our service providers operate, including the United States. Canada is recognised by the European Commission as providing an adequate level of data protection for commercial organisations under PIPEDA.
For transfers of EU/EEA/UK personal data to countries without an adequacy decision, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) the UK International Data Transfer Agreement (IDTA) for UK transfers; or (c) your explicit consent. You may request details of our transfer mechanisms by contacting dpo@syncgift.com.
7. Data Retention
Account data: Retained for the duration of your account, plus 7 years after closure to meet financial record-keeping obligations.
Transaction records: Minimum 7 years (FINTRAC / AML / PCMLTFA — Canada; Bank Secrecy Act — USA).
KYC documents: 5 years after account closure (PCMLTFA — Canada; FinCEN — USA).
Support and communication logs: 3 years for dispute resolution.
Marketing consent records: Retained until you withdraw consent, then archived for evidence of compliance.
Server and access logs: 12 months, then automatically deleted.
Deleted account data: Anonymised within 90 days of account deletion, except where legal retention obligations apply.
8. Your Rights — GDPR / UK GDPR (EU, EEA, and UK Residents)
Right of Access (Art. 15)Request a copy of your personal data we hold.
Right to Rectification (Art. 16)Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)Request deletion of your data, subject to legal retention obligations.
Right to Restriction (Art. 18)Request that we limit processing of your data in certain circumstances.
Right to Portability (Art. 20)Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)Object to processing based on legitimate interests or direct marketing.
Automated Decision-Making (Art. 22)Not be subject to solely automated decisions that significantly affect you without human review.
Right to Withdraw ConsentAt any time, without affecting the lawfulness of prior processing.
Right to lodge a complaint: You may lodge a complaint with your national supervisory authority — for example, the ICO (UK), the CNIL (France), the DPC (Ireland), or the OPC (Canada). We would, however, appreciate the chance to address your concerns before you contact a regulator.
To exercise any of these rights, contact us at privacy@syncgift.com or via our Contact page. We will respond within 30 days (extendable by two further months for complex requests). Identity verification may be required before we can action your request.
9. Your Rights — Canada (PIPEDA / Quebec Law 25)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), you have the right to:
Access: Request access to the personal information we hold about you and how it has been used or disclosed.
Correction: Request that we correct inaccurate or incomplete personal information.
Withdraw consent: Withdraw consent to collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice.
Portability (Quebec Law 25): Request that your personal information be communicated to you or transferred to another organisation in a structured, commonly used technological format.
De-indexing (Quebec Law 25): Request that we cease disseminating your personal information or de-index any hyperlink that allows access to it, where continued dissemination causes you serious injury.
Lodge a complaint: With the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca, or, for Quebec residents, with the Commission d'accès à l'information (CAI).
We collect, use, and disclose your personal information with your knowledge and consent, except where otherwise required or permitted by law. We do not use automated decision-making tools to make significant decisions about individuals without human involvement.
Quebec residents: Our Privacy Officer can be contacted at privacy@syncgift.com. We maintain a written privacy governance framework and conduct Privacy Impact Assessments (PIAs) for high-risk processing activities, as required by Law 25.
10. Your Rights — U.S. State Privacy Laws
Depending on the U.S. state in which you reside, you may have additional privacy rights. We honour requests from residents of all U.S. states with applicable privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others.
California Residents (CCPA / CPRA)
Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold.
Right to Delete: Request deletion of personal information, subject to exceptions (e.g., completing transactions, legal obligations).
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale / Sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is currently required, but you have this right if our practices change.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted under CPRA.
Right to Non-Discrimination: We will not deny, charge different prices, or provide a different level of service because you exercised a privacy right.
Other U.S. State Residents
Residents of Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws have similar rights including access, correction, deletion, portability, and the right to opt out of targeted advertising and profiling. Because we do not engage in targeted advertising or sell personal data, most opt-out rights are not currently applicable, but we will honour all valid requests.
To submit a U.S. privacy request, contact us at privacy@syncgift.com or via our Contact page. We will respond within 45 days (extendable by a further 45 days where reasonably necessary). Authorised agent requests must include written proof of authorisation.
11. Children's Privacy
Our Services are intended for individuals aged 18 and over. We do not knowingly collect, use, or disclose personal information from anyone under 18. If we become aware that a minor has created an account or provided personal information, we will terminate the account and delete the information promptly.
If you believe a minor has provided us with personal information, please contact privacy@syncgift.com immediately.
12. Cookies and Tracking Technologies
We use cookies and similar technologies on our web platform. For a full description, see our Cookie Policy. In summary:
Strictly necessary cookies: Required for authentication sessions, security tokens, and core platform functionality. These cannot be disabled.
Preference cookies: Remember your settings (currency, theme). You can disable these via your browser or our consent manager without affecting core functionality.
Internal analytics: We use limited, internal session analytics to understand aggregate platform usage. This data is not shared with third-party analytics platforms and is not used to build advertising profiles.
We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies. You can manage cookie preferences using the tool or your browser settings.
13. Security
We implement industry-standard technical and organisational security measures, including:
TLS 1.3 encryption for all data in transit.
AES-256 encryption for data at rest.
4-digit PIN authentication with bcrypt hashing (minimum cost factor 12).
Optional biometric authentication (Face ID / Touch ID) on the mobile app.
Role-based access controls and principle of least privilege for staff.
Regular security reviews and vulnerability assessments.
Payment card data is handled exclusively by Stripe, which is PCI DSS Level 1 certified. We never store raw card numbers or CVV data.
Despite these measures, no system is entirely immune to security incidents. In the event of a breach affecting your personal data, we will notify you and the relevant supervisory authorities in accordance with applicable law (72 hours under GDPR; 30 days under PIPEDA).
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page will reflect the date of the most recent revision. For material changes — changes to how we collect, use, or share your data — we will provide at least 30 days' advance notice via email or a prominent in-app notification before the changes take effect.
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy. If you disagree with the changes, you may close your account before the effective date.
15. Contact Us
For privacy questions, requests, or complaints, please contact us through any of the following channels:
We aim to respond to all privacy enquiries within 2 business days and to fulfil verified access/deletion requests within 30 days (GDPR) or 45 days (CCPA/US), or within the timeframe required by applicable law.