Privacy Policy

Last updated: February 17, 2026

The short version: We collect the minimum data needed to process gift card purchases and deliver gifts via our MCP service. We do not sell your data. We do not use it for advertising. We do not track you across the web.

1. Who We Are

aipicks.gift ("we," "us," "our") operates the website aipicks.gift and the associated MCP (Model Context Protocol) gift delivery service. We are based in Berlin, Germany.

For questions about this policy, contact us at: support@aipicks.gift

2. What Data We Collect

We collect and process the following categories of personal information:

Purchase data: When you buy a gift card, our payment processor (RevenueCat / Stripe) collects your payment information (card number, billing address, email). We receive a transaction confirmation and your email address, but we do not store your full payment details.

Gift card data: We store gift card codes, balances, and purchase history (which gifts were selected) in our system. Gift cards are identified by code, not linked to a personal account.

MCP interaction data: When an AI assistant connects to our MCP service, we process the gift card code and tool requests (browse, pick, view). We do not receive or store the contents of your conversations with AI assistants.

Technical data: Standard server logs including IP addresses, browser type, and request timestamps. These are retained for up to 30 days for security and debugging purposes.

Data we do NOT collect: We do not collect names (unless provided voluntarily), we do not use cookies for tracking or advertising, we do not build user profiles, and we do not monitor your AI conversations.

3. How We Use Your Data

We use your data exclusively for the following purposes:

Processing and fulfilling gift card purchases
Delivering the MCP gift service (catalog browsing, gift selection, balance tracking)
Sending you your gift card code via email after purchase
Preventing fraud and abuse
Responding to support requests
Legal compliance

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR): Processing purchase data to fulfill your gift card order
Legitimate interests (Art. 6(1)(f) GDPR): Server logs for security and fraud prevention
Legal obligation (Art. 6(1)(c) GDPR): Tax and financial record-keeping requirements

5. Data Sharing

We share data only with the following categories of service providers, all of whom are contractually obligated to protect your data:

RevenueCat / Stripe: Payment processing (processes your payment data directly; we never see your full card number)
Cloudflare: Website hosting and content delivery (processes technical request data)

We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties.

6. International Data Transfers

Our service infrastructure is hosted on Cloudflare's global network. Payment processing may involve data transfer to the United States. Where data is transferred outside the EEA, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions where applicable

7. Data Retention

Gift card data: Retained for 12 months after the card balance reaches zero, then deleted
Purchase records: Retained for the period required by applicable tax law (typically 7-10 years for financial records in Germany)
Server logs: Automatically deleted after 30 days
Email addresses: Retained until you request deletion, or 24 months after last purchase, whichever comes first

8. Your Rights Under GDPR (EEA/UK Users)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your data (subject to legal retention requirements)
Right to restrict processing: Request that we limit how we use your data
Right to data portability: Receive your data in a structured, machine-readable format
Right to object: Object to processing based on legitimate interests
Right to withdraw consent: Where processing is based on consent, withdraw at any time

To exercise any of these rights, contact us at support@aipicks.gift. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In Germany, this is the Berliner Beauftragte fur Datenschutz und Informationsfreiheit (BlnBDI).

9. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to know: Request what personal information we collect, use, and disclose
Right to delete: Request deletion of your personal information
Right to correct: Request correction of inaccurate personal information
Right to opt-out: We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of
Right to non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at support@aipicks.gift. We will verify your identity and respond within 45 days.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA.

10. Cookies

We use only strictly necessary cookies required for the website to function (such as session management during checkout). We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

11. Children's Privacy

Our service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, contact us immediately and we will delete it.

12. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest for stored data, and access controls limiting who can access personal data within our organization.

13. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice on our website. Your continued use of the service after changes take effect constitutes acceptance of the updated policy.

14. Contact

For any privacy-related questions or concerns, contact us at support@aipicks.gift.