Privacy Policy

Covering All Gimmie Products and Services

Effective Date: January 1, 2026 | Last Updated: February 19, 2026


1. Introduction & Scope

Gimmie AI, LLC ("Gimmie," "we," "us," or "our") is an AI-powered gift recommendation platform headquartered in Austin, Texas, United States. This Master Privacy Policy governs the collection, use, retention, sharing, and protection of personal information across all Gimmie products and services, including:

  • The Gimmie mobile application (iOS and Android)
  • The Gimmie web application at www.gimmie.ai
  • The Gimmie Shopify App (used by merchant partners)
  • Gimmie email, SMS, and other communications
  • Any future Gimmie products or services referencing this Policy

This Policy applies to all users worldwide. Where applicable, jurisdiction-specific rights are identified in Section 11. By using any Gimmie service, you acknowledge that you have read and understood this Policy.


2. Our AI-Powered Recommendation System

Gimmie uses artificial intelligence and psychological profiling to generate personalized gift recommendations. Understanding how our AI operates is essential to informed consent under applicable privacy laws.

How Our AI Works

Our system employs a two-stage psychological transformation process:

  • Stage 1 — Color Diagnostic: We present structured color-preference questions based on established color psychology research (Jung/Lüscher methodology). Your color responses are used as diagnostic inputs to infer psychological personality attributes — they are NOT stored as color preference data.
  • Stage 2 — Archetype Matching: Your inferred psychological attributes are classified into one of 56+ psychological archetypes. These archetypes are then matched against products in our catalog that have been independently tagged with psychological attributes.
  • Color Data is Discarded: After the transformation process, no color preference data is retained. Your profile consists solely of derived psychological attributes, not color selections.

AI Profiling & Automated Decision-Making

Our recommendation engine constitutes automated decision-making and profiling under applicable law (including GDPR Article 22 and Canada's PIPEDA). Specifically:

  • We create a psychological archetype profile based on your responses.
  • This profile directly influences which products are recommended to you.
  • No human review occurs at the individual recommendation level.

Your rights regarding this profiling are described in Section 9. You may opt out of profiling-based recommendations at any time by contacting privacy@gimmie.ai, in which case you will receive generic (non-personalized) recommendations.


3. Information We Collect

Information You Provide Directly

  • Account credentials: name, email address, username, and password (hashed)
  • Social login tokens (Google, Apple ID) — we receive only name, email, and profile photo if you use social login
  • Gift recipient information: details you voluntarily share about gift recipients (e.g., age range, relationship, occasion)
  • Color preference responses (used diagnostically — see Section 2)
  • Search queries and product interactions within the Platform
  • Communications you send to Gimmie (support requests, feedback)

Information Collected Automatically

  • Device identifiers: IP address, device type, operating system, browser type and version
  • Usage data: pages visited, features used, search history, clicks, session duration, and interaction patterns
  • Log data: timestamps, error logs, and diagnostic information
  • Cookies and similar tracking technologies (see Section 6)

Information We Do NOT Collect

Gimmie is a recommendation platform, not a payment processor. We expressly do not collect:

  • Payment card numbers, bank account information, or any financial account data
  • Government-issued ID numbers (Social Security, passport, etc.)
  • Precise geolocation data (we may collect country/region from IP)
  • Biometric data
  • Health or medical information

Special Categories of Personal Data

Our psychological profiling may infer personality characteristics, which may be considered sensitive data in certain jurisdictions. We process this data based on your explicit consent (obtained through the color diagnostic flow) and limit its use to gift recommendation purposes only. See Section 5 for the lawful bases for processing.


4. How We Use Your Information

Core Service Delivery

  • Generating personalized AI-driven gift recommendations based on your psychological archetype
  • Operating and maintaining the Gimmie Platform
  • Processing your account registration and managing your profile
  • Facilitating referral links to third-party retailer websites (Amazon, Etsy, Target, Poshmark, and others)

Product Improvement & Analytics

  • Analyzing aggregated and anonymized usage patterns to improve recommendation accuracy
  • Conducting A/B testing and feature experiments
  • Diagnosing technical errors and optimizing Platform performance

Communications

  • Sending transactional emails (account confirmation, password reset)
  • Sending marketing emails and newsletters — with your prior consent, and you may unsubscribe at any time
  • Sending SMS messages — only with your explicit opt-in (see Section 6)

Affiliate Revenue & Attribution

Gimmie earns affiliate commissions when users click through to partner retailers and make purchases. We use limited tracking (referral tokens and affiliate identifiers) to attribute these conversions. We do not share your personal profile with retailers for their own use.

Legal & Safety

  • Complying with applicable laws and regulations
  • Responding to lawful requests from law enforcement or regulators (see Section 8)
  • Detecting and preventing fraud, abuse, and security incidents
  • Enforcing our Terms of Service

5. Lawful Basis for Processing (GDPR & PIPEDA)

For users in the European Economic Area (EEA), United Kingdom, and Canada, we rely on the following lawful bases for processing personal data:

  • Contractual Necessity: Account registration, authentication, and core Platform functionality.
  • Explicit Consent: Psychological profiling (AI archetype classification), marketing communications, and SMS messaging. You may withdraw consent at any time.
  • Legitimate Interests: Platform security, fraud prevention, anonymized analytics, and affiliate attribution — where these interests are not overridden by your rights.
  • Legal Obligation: Compliance with applicable laws, responding to lawful government requests, and record-keeping requirements.

Where we rely on legitimate interests, you may object to that processing under Section 9. For processing based on consent, withdrawal does not affect the lawfulness of processing prior to withdrawal.


6. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

Strictly Necessary Cookies

Required for the Platform to function. These cannot be disabled. Examples: session authentication, CSRF protection.

Analytics Cookies

Help us understand how users interact with the Platform (e.g., Google Analytics, Supabase analytics). These are disabled by default for EEA/UK users and require your consent.

Preference Cookies

Remember your settings and preferences (e.g., language, region). These activate upon your consent.

Managing Cookies

  • You can manage cookie preferences through our in-app cookie consent banner.
  • You can also control cookies through your browser settings.
  • Disabling analytics cookies will not prevent you from using the Platform's core features.
  • We do not use advertising or behavioral retargeting cookies.

7. Data Sharing and Disclosure

Gimmie does not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

Service Providers (Data Processors)

We share data with vetted third-party processors who act under our instruction and are bound by data processing agreements. These include:

  • Supabase — database and authentication infrastructure (data residency: US)
  • Vercel — web hosting and serverless functions (US)
  • OpenAI — AI inference for recommendation enhancement (data is not used for OpenAI model training under our enterprise agreement)
  • Email and SMS communication providers
  • Analytics providers (aggregated and anonymized data only)

Affiliate & Retail Partners

When you click a recommendation link, you are redirected to a third-party retailer's website. We pass only a referral identifier for commission attribution. We do not share your name, email, psychological profile, or personal data with retailers.

Legal Compliance and Law Enforcement

We will only disclose personal data to law enforcement, government agencies, or regulators where:

  • We are compelled by a valid, binding legal order (subpoena, court order, or equivalent);
  • We have conducted an internal legal review and confirmed the request is lawful;
  • We disclose only the minimum data necessary to comply;
  • We notify the affected user prior to disclosure, unless legally prohibited from doing so.

We will challenge any request we believe to be overbroad, unlawful, or contrary to your rights.

Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all assets, personal data may be transferred to the successor entity. We will notify affected users in advance and provide the opportunity to delete their accounts before transfer.


8. International Data Transfers

Gimmie is headquartered in the United States. When we process data from users in the EEA, UK, or Canada, data may be transferred to and processed in the United States or other countries that may not offer the same level of data protection as your home country.

For transfers from the EEA/UK, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) — incorporated into our data processing agreements with service providers.
  • Adequacy Decisions — where the European Commission has recognized the destination country as providing adequate protection.

For Canadian users, transfers occur in compliance with PIPEDA's transfer accountability principle, and we require contractual protections equivalent to Canadian standards.

You may request a copy of the applicable transfer mechanisms by contacting privacy@gimmie.ai.


9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy:

  • Active Account Data: Retained for the duration of your account and deleted within 30 days of an account deletion request.
  • Psychological Archetype Data: Retained while your account is active. Deleted immediately upon account deletion or upon opt-out from profiling.
  • Usage Logs: Retained for up to 12 months for security and analytics purposes, then anonymized or deleted.
  • Marketing Consent Records: Retained for 3 years after you unsubscribe, as required by anti-spam regulations.
  • Legal Hold Data: Retained for the duration of any legal obligation, dispute, or investigation, then deleted.
  • Affiliate Attribution Data: Retained for 90 days following a referral click, then anonymized.

You may request early deletion of your data at any time (subject to legal hold obligations) by contacting privacy@gimmie.ai.


10. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data. Gimmie extends these rights to all users globally to the extent operationally feasible.

Rights Available to All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your personal data (subject to legal retention obligations).
  • Portability: Receive your personal data in a structured, machine-readable format.
  • Opt-Out of Marketing: Unsubscribe from marketing emails at any time via the unsubscribe link or by contacting us.
  • Opt-Out of SMS: Reply STOP to any SMS message.
  • Account Deletion: Delete your account through the app or by emailing support@gimmie.ai.

Additional Rights — EEA / UK Users (GDPR / UK GDPR)

  • Right to Restrict Processing: Request that we limit processing of your data under certain circumstances.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. You may request human review of any AI-generated recommendation decision. To exercise this right, contact privacy@gimmie.ai.
  • Right to Withdraw Consent: Withdraw consent at any time for consent-based processing (profiling, marketing).
  • Right to Lodge a Complaint: You may lodge a complaint with your national data protection authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

Additional Rights — California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected, used, disclosed, or sold.
  • Right to Delete: Request deletion of personal information (with certain exceptions).
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. If this changes, we will provide a prominent "Do Not Sell or Share My Personal Information" link.
  • Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of sensitive personal information (including inferred psychological attributes) to core service delivery only.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights.

Additional Rights — Canadian Users (PIPEDA / Law 25)

  • Right to Access and Correction: Access and correct your personal information in our custody.
  • Right to Withdraw Consent: Withdraw consent at any time, subject to legal and contractual restrictions.
  • Right to Challenge Compliance: Challenge our compliance with PIPEDA by contacting the Office of the Privacy Commissioner of Canada at priv.gc.ca.

How to Exercise Your Rights

Submit requests to: privacy@gimmie.ai or through your account settings. We will respond within 30 days (or 45 days where extensions are permitted by law). We may request identity verification before processing your request. Requests are free of charge (subject to reasonable limits for manifestly unfounded or excessive requests).


11. Children's Privacy

Gimmie is intended for users who are 13 years of age or older (or 16 years of age for users in the EEA/UK, consistent with GDPR Article 8). We do not knowingly collect personal data from children below the applicable age threshold.

If we become aware that we have collected personal data from a child below the applicable age without verifiable parental consent, we will take prompt steps to delete that information. If you believe we may have collected data from a child, please contact privacy@gimmie.ai.

Note: Our previous policy stated an age minimum of 11 years. This Policy updates that threshold to age 13 (or 16 for EEA/UK users) to align with COPPA (US), GDPR Article 8 (EU), and PIPEDA (Canada).


12. SMS Messaging Consent

By opting in to receive SMS messages from Gimmie (via a checkbox, form, or reply), you expressly consent to receive periodic text messages from Gimmie AI, LLC, including:

  • Product updates and feature announcements
  • Gift recommendation reminders
  • Promotional offers (no more than 4 per month)

Message frequency may vary. Standard message and data rates may apply depending on your mobile carrier. Your consent to SMS is not a condition of using our service.

Opting Out

  • Reply STOP to any message to opt out immediately.
  • Reply HELP for assistance or contact support@gimmie.ai.
  • You may also manage SMS preferences in your account settings.

We comply with the Telephone Consumer Protection Act (TCPA, US), Canada's Anti-Spam Legislation (CASL), and applicable EU member state rules for electronic communications.


13. Data Security

We implement and maintain industry-standard security measures proportionate to the sensitivity of the data we process:

  • Encryption in Transit: All data transmitted between users and our Platform is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Personal data stored in our databases (Supabase/PostgreSQL) is encrypted at rest using AES-256.
  • Access Controls: Access to personal data is limited to personnel who require it to perform their job functions, governed by role-based access controls and confidentiality obligations.
  • Audit Logging: We maintain logs of access to personal data systems for security monitoring and incident response.
  • Vulnerability Management: We conduct regular security reviews and promptly patch identified vulnerabilities.
  • Incident Response: In the event of a data breach, we will notify affected users and applicable regulators within 72 hours (GDPR), or as required by applicable law.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact support@gimmie.ai immediately.


14. Third-Party Websites and Retailers

The Gimmie Platform contains links and referral links to third-party websites, including but not limited to Amazon, Etsy, Target, and Poshmark. Once you leave our Platform, your activity is governed by the privacy policies of those third parties. Gimmie is not responsible for the data practices of any third-party website.

We encourage you to review the privacy policies of any retailer before making a purchase.


15. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Post the updated Policy on our website with a new "Last Updated" date;
  • Notify registered users by email at least 30 days before the changes take effect (for material changes);
  • Seek fresh consent, where required by law, for changes that affect how we process your psychological profile data.

Continued use of Gimmie after the effective date of any update constitutes acceptance of the revised Policy. If you do not agree with the revised Policy, you may delete your account.


16. How to Contact Us

For privacy-related requests, questions, or complaints, contact us at:

EU/UK Data Protection Representative: If you are located in the EEA or UK, you may also contact your local data protection authority. Gimmie will designate an EU/UK representative upon reaching applicable user thresholds under GDPR Article 27.


At Gimmie, your privacy is foundational, not an afterthought. We are committed to being transparent about how we use AI, protecting your data with industry-leading security, and giving you meaningful control over your information. Thank you for choosing Gimmie.