GIFT CARD EXCHANGE
GDPR Compliance Statement
Effective Date: 25 July 2025
Business Entity: GCX Group Pty Ltd (ACN 644 988 938, ABN 45 644 988 938)
Trading As: Gift Card Exchange (www.giftcardexchange.com.au)
Jurisdiction: Australia
Introduction
Gift Card Exchange is committed to protecting the privacy and personal data of users, including those located in the European Union (EU) and the European Economic Area (EEA). This GDPR Compliance Statement outlines your rights and our responsibilities under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
1. Data Controller
GCX Group Pty Ltd is the Data Controller responsible for your personal data collected via this website.
📧 Contact Email: [email protected]
📬 Postal Address: P.O. Box 323, SANDRINGHAM VIC 3191, Australia
2. Legal Basis for Processing
We process your personal data lawfully, fairly, and transparently. The legal bases for processing under the GDPR may include:
- Consent – when you opt in to marketing or competitions
- Contractual necessity – to fulfil purchases or transactions involving gift cards
- Legitimate interest – to improve website functionality, security, and fraud prevention
- Legal obligation – to comply with anti-money laundering (AML), tax, and accounting regulations
3. Categories of Data Collected
We may collect and process the following types of personal data:
- Name
- Email address
- Phone number (where required for contact or verification)
- IP address and device/browser data
- Gift card transaction details
- Location data (via IP geolocation, not GPS)
4. Use of Third-Party Processors
We may use external services to process or store personal data, including (but not limited to):
- iDenfy – for identity verification (KYC/KYB)
- Sift Science – for fraud prevention and behavioural risk scoring
- Hotjar – for anonymised user analytics and session recording (no keystrokes or sensitive data)
- Google Analytics – for pseudonymised website traffic analytics
- Klaviyo – for email marketing and automation (newsletter, cart reminders, etc.)
- SendGrid – for transactional emails (e.g. order confirmation, password reset)
- randomdraws.com – for anonymised competition draw selection
All processors are contractually required to adhere to GDPR-compliant practices and data protection safeguards.
5. Data Retention
We retain your personal data only as long as necessary for legal, regulatory, or operational purposes. For example:
- Transaction records – 5 to 7 years (for AML/CTF compliance)
- Email or account contact – until account deletion or withdrawal of consent
- Competition entries – deleted within 6 months of promotion end unless legally required to retain
6. Your Rights Under GDPR
If you are located in the EU/EEA, you have the following rights under GDPR:
- Right to access – request a copy of the data we hold about you
- Right to rectification – request corrections to inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) – request deletion of your data, where legally allowed
- Right to restrict processing – limit how we use your data in certain circumstances
- Right to data portability – receive your data in a structured, machine-readable format
- Right to object – object to certain types of processing (e.g. direct marketing)
- Right to lodge a complaint – with your local data protection authority
You may exercise any of these rights by contacting us at 📧 [email protected].
7. International Data Transfers
As we are based in Australia, your personal data may be transferred outside of the EU/EEA. In doing so, we ensure appropriate safeguards are in place, such as using GDPR-compliant processors and standard contractual clauses where required.
8. Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
9. Automated Decision-Making
We do not use personal data for fully automated decision-making that produces legal or significant effects on individuals. However, our fraud detection and compliance systems (e.g., Sift Science) may use rule-based or AI-assisted triggers subject to human review.
10. Changes to This Statement
This GDPR statement may be updated from time to time. Material changes will be clearly communicated on our website or via email where appropriate.