Legal
Privacy Policy
How we collect, use, store, and protect your personal data
For EU/EEA Residents: Gyfts Inc. acts primarily as a data controller for platform operations and may act as a data processor in limited circumstances. Independent practitioners listed on the Platform act as their own data controllers.
1. Who We Are
Gyfts Inc. is a Delaware corporation operating the holistic health discovery and practitioner connection platform at gyfts.io (the "Platform").
Gyfts provides directory listings, AI-assisted discovery tools, booking tools, messaging functionality, saved preferences, and account management features that allow users to connect with independent practitioners.
Contact: privacy@gyfts.io
2. Data Protection Roles
Gyfts as Controller: We determine the purposes and means of processing personal data related to account registration, platform functionality, AI-assisted features, analytics, security, and communications.
Gyfts as Processor (Limited Circumstances): In certain booking or messaging scenarios, we may process data solely on behalf of independent practitioners.
Practitioners as Independent Controllers: When you book an appointment or communicate with a practitioner, that practitioner independently determines how to process any treatment or professional records. Gyfts does not control or assume responsibility for practitioner data practices.
3. Data We Collect
We collect only information that you provide directly or generate through use of the Platform.
Account Information:
- Name
- Email address
- Phone number (optional)
- Preferred language
Platform Activity Data:
- Saved practitioners and favourites
- Appointment booking details
- Messages sent via the Platform
- Search queries and browsing activity within the Platform
- Feature preferences and settings
- Wellness map entries and saved interactions (if used)
- AI interaction history (e.g. Vidi conversations)
Technical Data:
- IP address (used in-request only; not persisted in raw form — see View-count beacon below)
- Device and browser type (used in-request only; not persisted in raw form)
- Country or region-level location
- Cookie and analytics data
View-count beacon (operational analytics): To prevent the same person inflating a page's view counter on refresh, our beacon at /api/page-view computes a short-lived pseudonymous SHA-256 hash from your IP address, User-Agent, the current UTC date, and a server-only secret. The raw IP and User-Agent are never stored — only the resulting hash, alongside the page identifier and date, is written to a dedup ledger. The ledger entry is deleted after 30 days. The hash cannot be reversed to identify you without the server secret, and rotates every UTC day. This data is used solely for deduplicating view counts and abuse prevention; it is not used for billing, ranking trust, verification, or any claim about a practitioner's quality.
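The deduplication scheme described above, as an added Python example that is not Gyfts's own code: it derives the per-day pseudonymous hash, stores only (hash, page identifier, date), and purges entries after 30 days. Assumptions: the secret is applied as an HMAC-SHA-256 key with length-prefixed fields (the policy says only "SHA-256 hash" with a server-only secret), the ledger is an in-memory set, and the names visitor_hash, DedupLedger and RETENTION_DAYS are hypothetical.

```python
import hashlib
import hmac
from datetime import date, timedelta

RETENTION_DAYS = 30  # from the policy: ledger entries are deleted after 30 days


def visitor_hash(secret: bytes, ip: str, user_agent: str, utc_day: date) -> str:
    """Pseudonymous per-day visitor token; raw IP and User-Agent are not kept."""
    # Length-prefix each field so ("1.2.3.4", "5Mozilla") and
    # ("1.2.3.45", "Mozilla") cannot serialise to the same bytes.
    msg = b"".join(
        len(f).to_bytes(4, "big") + f
        for f in (ip.encode(), user_agent.encode(), utc_day.isoformat().encode())
    )
    # Assumption: keyed HMAC-SHA-256; the policy does not name the construction.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class DedupLedger:
    """Holds only (hash, page_id, day); in-memory stand-in for a real table."""

    def __init__(self):
        self._rows = set()

    def record_view(self, secret, ip, user_agent, page_id, utc_day) -> bool:
        """Return True if this view should increment the page counter."""
        row = (visitor_hash(secret, ip, user_agent, utc_day), page_id, utc_day)
        if row in self._rows:
            return False  # same visitor, same page, same UTC day: a refresh
        self._rows.add(row)
        return True

    def purge(self, today: date) -> int:
        """Delete rows older than RETENTION_DAYS; return how many were removed."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        stale = {r for r in self._rows if r[2] < cutoff}
        self._rows -= stale
        return len(stale)

    def rows(self):
        """Copy of the stored rows, for inspection."""
        return set(self._rows)
```

Because the UTC date is an input to the hash, the same visitor gets an unrelated token the next day, so ledger rows cannot be linked across days without the secret.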
Sensitive Information (User-Provided): Users may voluntarily provide information relating to symptoms, health conditions, wellness goals, or other personal or sensitive topics. Gyfts does not require users to submit health data. However, where users choose to include such information in AI interactions, wellness tools, or communications, this may constitute special category data under GDPR. Gyfts does not create or maintain clinical or medical records.
4. User Controls and Data Minimisation
Users can manage their data through account settings, including:
- Editing profile information
- Managing marketing preferences
- Deleting saved items and search history
- Managing AI interaction history (where available)
- Disabling optional features
- Deleting their account
Upon verified account deletion, personal data is deleted or anonymised except where retention is required by law.
5. How We Use Personal Data
We use personal data to:
- Operate and improve the Platform
- Facilitate bookings and practitioner communication
- Provide AI-assisted discovery and organisational tools
- Enable wellness map and content exploration features
- Provide account management services
- Ensure security and prevent fraud
- Comply with legal obligations
6. AI, Profiling, and Automated Features
Gyfts uses AI-powered systems, including Vidi, to generate informational responses, recommend practitioners, modalities, or content, organise user inputs into structured formats (e.g. wellness maps), and improve platform usability and relevance.
These systems analyse user-provided inputs, platform activity, and content relationships within Gyfts.
AI outputs are informational in nature, not medical advice, not legally binding, and not used to make decisions with legal or similarly significant effects. Gyfts does not use AI to make automated decisions that replace user choice.
7. Legal Basis (GDPR)
We process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)) — to provide platform services
- Legitimate interests (Art. 6(1)(f)) — to improve functionality, security, and user experience
- Consent (Art. 6(1)(a)) — for optional features, marketing, and sensitive data processing
- Legal obligation (Art. 6(1)(c)) — for compliance requirements
Where users voluntarily provide sensitive (health-related) information, processing is based on explicit consent (Art. 9(2)(a)). Users may withdraw consent at any time.
8. Data Sharing
We do not sell, rent, or share personal data for cross-context behavioural advertising.
We may share data:
- With practitioners selected by you
- With contracted service providers under data processing agreements
- When required by law
- During corporate restructuring transactions
9. International Transfers
Data may be processed in the European Union or the United States. Where transfers occur outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses or equivalent lawful mechanisms are implemented.
10. Data Retention
- Account data: during account lifetime plus up to 2 years
- Booking and messaging data: up to 3 years unless deleted earlier
- AI interaction data: retained only as necessary for functionality and user access
- Wellness map data: until user deletion
- Analytics data: anonymised
- Legal compliance records: as required by law
11. Your Rights
Depending on your jurisdiction, you may have rights including access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent.
Contact: privacy@gyfts.io
12. Security Measures
We implement technical and organisational safeguards including encryption, access controls, audit logging, and contractual controls with service providers.
13. Children
The Platform is not directed to individuals under 16. We do not knowingly collect personal data from children.
14. Changes to This Policy
This Policy may be updated periodically. Where changes are material, we will notify users as required by applicable law. Continued use of the Platform constitutes acceptance of any updates.