← Back to home
Legal

Privacy Policy

Last updated: July 2026

This privacy policy explains how Recogift processes personal data when you visit our website, use the gift finder, or create an account. We take data protection seriously and collect only what is necessary to provide our service.

01

Controller

The controller within the meaning of the GDPR is Smart Soft Solution OÜ, Laeva 7, 10151 Tallinn, Estonia (registry code 17531612). Further details are in the imprint.

For data protection questions, contact us at privacy@recogift.com or via the details in the imprint. We have not appointed a data protection officer, as the legal conditions for doing so are not met.

02

Data we collect

When you use Recogift, we process the following categories of data:

  • Server logs: IP address, timestamp, browser type, device type, and pages accessed — retained for up to 30 days.
  • Gift plan data: your questionnaire answers (recipient, occasion, budget, interests, constraints) are transmitted to our server to generate recommendations. The resulting gift plan is stored in our database as anonymised JSON (no name or email required).
  • Click logs: when you follow a product link from a recommendation, the click event is recorded (product ID and timestamp only — no account data).
  • Local browser storage: your questionnaire progress is additionally saved in your browser's localStorage so you can resume where you left off. You can clear this at any time in your browser settings.
  • Contact communications: if you email us, we process the data you include solely to respond to your inquiry.
  • Account data (only if you register): if you create an optional user account, we process your email address, optional profile details (display name, country, language preference), and your marketing-email preference. Registration is voluntary — the gift finder works without an account.
03

Purposes and legal bases

We process your data to provide the gift finder and generate recommendations (Art. 6(1)(b) GDPR — performance of a service at your request), to maintain the security and stability of our systems (Art. 6(1)(f) GDPR — legitimate interests), and to respond to inquiries (Art. 6(1)(b) or (f) GDPR). We do not use your data for profiling, advertising, or sale to third parties.

If you create an account, we process your account data to provide and manage the account (Art. 6(1)(b) GDPR). We currently do not send marketing emails. If you consent to marketing emails, that consent is stored; should we send marketing emails in future, we will do so solely on the basis of your explicit, freely revocable consent (Art. 6(1)(a) GDPR), and every email will contain an unsubscribe link.

04

Local storage

The gift finder saves your selections in your browser's localStorage so you can return to them later. This data never leaves your device automatically — it is only transmitted when you submit your answers. Strictly necessary writes are limited to your questionnaire answers (gc_phase1_wizard_state_v1), your shortlist (recogift_saved_ideas_v1), and the record of your consent itself (recogift_consent_v2). Only with your "Comfort & memory" consent do we additionally store your most recent recommendations and your preferred comparison view locally. You can delete all of this at any time via your browser settings (Settings → Privacy → Clear site data) or withdraw your consent via the footer link "Privacy settings".

05

Affiliate links and sponsored-content disclosure

Some product links in our recommendations may be affiliate links. If you click such a link and make a purchase from the retailer, Recogift may receive a small commission — at no extra cost to you. Affiliate commissions do not influence which products appear in your recommendations; our scoring is based solely on fit to your profile. The commercial nature is disclosed by a clearly visible notice above the recommendation sections, and technically by the rel="sponsored" attribute on every affiliate link (UWG § 5a sponsored-content labelling requirement).

Affiliate networks

There are currently no active affiliate partnerships, and our product links carry no affiliate identifiers. As soon as we work with an affiliate network, we will name it here — including any cookies it sets and its privacy policy. Such networks set cookies or comparable tracking mechanisms only on the merchant's own pages (not on recogift.com).

What happens when you click an affiliate link?

When you click an affiliate link, you are first redirected to our own server (recogift.com/out/catalog/... or recogift.com/out/offer/...). The request is logged there: timestamp, plus SHA-256-hashed values of your IP address and user-agent, used for click validation and fraud prevention. For offer links we additionally store a click reference (clickref) together with the offer and report identifier, so that an order later reported by the affiliate network can be matched to the recommendation that led to it (commission accounting); this click reference contains no IP address, no user-agent and no account data. We then redirect you via HTTP to the merchant's product page. Recogift does not set any cookies or tracking scripts on your device during this process. Whatever cookies or trackers the destination merchant subsequently sets on its own pages is the merchant's responsibility; the merchant's privacy notices apply there.

Legal basis and right to object

Because Recogift does not store or read information on your terminal equipment when you click an affiliate link, § 25 TDDDG (the German Telecommunications Digital Services Data Protection Act, successor to the TTDSG since 14 May 2024; consent requirement for end-user device storage) does not apply. The server-side click log and the storage of the click reference for commission accounting are processed on the basis of our legitimate interest in click validation, fraud prevention and correct commission accounting (Art. 6(1)(f) GDPR). The hashed click-log values are pseudonymous (SHA-256 hashes of IP and user-agent) and are automatically deleted after 90 days; the click references contain no personal data and are retained for up to 400 days, because affiliate networks sometimes confirm orders only weeks to months later. You can object to this processing at any time under Art. 21 GDPR — please write to the email address listed in the imprint.

06

Hosting and processors

Our website, API, and database are operated by carefully selected data processors (Art. 28 GDPR) under data processing agreements. All personal data is stored within the European Economic Area (EEA):

  • Microsoft Azure — hosting of the API, database, and background jobs in the Germany (Frankfurt) region.
  • Supabase (Supabase, Inc.) — authentication and account management in the EU Central (Frankfurt) region.
  • Cloudflare (Cloudflare, Inc.) — delivery of the website (static hosting/CDN) with EU data localization.
  • Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia — privacy-friendly audience measurement, EU-hosted.

Storage takes place within the EEA. Cloudflare and Supabase have US parent companies; any access from a third country is safeguarded by EU Standard Contractual Clauses (Art. 46 GDPR) and data processing agreements. If processors or regions change, we will update this information.

07

Cookies, browser storage, and audience measurement

Recogift does not set advertising or cross-site tracking cookies. We only use your device's local storage (localStorage). The strictly necessary writes are your questionnaire answers, your shortlist, and the storage of your consent choice itself (Art. 6(1)(f) GDPR in conjunction with § 25(2) No. 2 TDDDG). With your consent ("Comfort & memory") we additionally remember your most recent recommendations and your preferred comparison view. You can withdraw your consent at any time via the footer link "Privacy settings" (Art. 7(3) GDPR); the lawfulness of processing carried out before withdrawal remains unaffected.

Audience measurement with Plausible: we use Plausible Analytics (Plausible Insights OÜ, Tartu, Estonia; EU-hosted). Plausible is fully cookieless, does not store IP addresses, and does not build cross-device profiles. Only aggregated, non-personal events (e.g. "Wizard: Start", "Wizard: Complete", "Report: Share", "Offer: Click") are transmitted. The legal basis is our legitimate interest in privacy-friendly audience measurement (Art. 6(1)(f) GDPR). Because no information is read from or written to your terminal equipment, § 25 TDDDG does not apply. You can object to this processing at any time — please write to the email address listed in the imprint.

08

Your rights

Under the GDPR, you have the following rights regarding your personal data. To exercise any of them, please contact us via the email in the imprint:

  • Right of access (Art. 15 GDPR) — you can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16 GDPR) — you can ask us to correct inaccurate data.
  • Right to erasure (Art. 17 GDPR) — you can request deletion of your data where no overriding legal basis applies.
  • Right to restriction of processing (Art. 18 GDPR) — you can ask us to restrict how we use your data.
  • Right to data portability (Art. 20 GDPR) — you can request your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR) to processing based on legitimate interests, and the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee); you may also contact the authority in your country of residence.
  • Right to withdraw consent (Art. 7(3) GDPR) — you can withdraw any consent you have given (e.g. "Comfort & memory") at any time via the footer link "Privacy settings". The lawfulness of processing carried out before withdrawal remains unaffected.
09

Retention periods

Server logs are deleted after 30 days. Gift plan data in our database is retained for up to 30 days and then automatically deleted. Shared reports and shortlists expire 90 days after creation and are deleted at that point. Click log entries (hashed IP and user-agent values) are retained for 90 days and then automatically purged. Click references used for commission accounting (which contain no IP or user-agent values) are retained for up to 400 days and then automatically purged. Reports linked to a signed-in account are kept as your saved history until you delete them or delete your account. Account data is stored until you delete your account; you can delete your account and its data at any time (Art. 17 GDPR). Local browser storage persists until you clear it.

10

Security

We use TLS encryption for all data in transit and apply access controls to our production systems. We do not collect payment data. Recogift itself stores no passwords; sign-in is handled by our authentication provider Supabase. Gift plan inputs made without an account are stored without a link to any personal identifier such as name or email address.

11

Changes to this policy

We may update this privacy policy when our services change materially. The date at the top of this page will be updated accordingly. The version applicable at the time of processing always governs; for material changes affecting data-subject rights we will, where required, obtain renewed consent. We do not infer consent to disadvantageous changes from continued use alone.

← Back to home