Data Protection & GDPR

Last Updated: November 11, 2025


Your Data Protection Rights

At getaway gift card, we are committed to protecting your personal data and respecting your privacy rights. This page explains your data protection rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Your Rights at a Glance

You have the right to access, correct, delete, or restrict the processing of your personal data. You also have the right to data portability and to object to certain types of processing.

Data Controller Information

For the purposes of data protection law, the data controller is:

getaway gift card

Online hotel gift card platform


For privacy inquiries: Visit our Customer Service page

Website: getawaygiftcard.com

Legal Basis for Data Processing

We process your personal data based on the following legal grounds under GDPR:

1. Contractual Necessity

Processing necessary to fulfill our contract with you when you purchase gift cards or book hotels:

  • Payment processing and transaction completion
  • Gift card issuance and redemption
  • Hotel booking confirmation and management
  • Customer support and order fulfillment
  • Delivery of purchase confirmations and receipts

2. Consent

Processing based on your explicit consent, which you can withdraw at any time:

  • Analytics cookies (Google Analytics) for website improvement
  • Marketing communications and promotional emails
  • Location detection for personalized hotel recommendations
  • Chat history storage for support quality

3. Legitimate Interests

Processing necessary for our legitimate business interests, balanced against your rights:

  • Fraud prevention and payment security (device fingerprinting)
  • Website functionality and user experience optimization
  • Customer service quality improvement
  • Business analytics and operational improvements
  • Security and integrity of our systems

4. Legal Obligation

Processing necessary to comply with legal and regulatory requirements:

  • Tax and accounting records (financial regulations)
  • Anti-money laundering and fraud detection
  • Consumer protection law compliance
  • Responding to lawful requests from authorities

Your GDPR Rights (EU/EEA Users)

If you are located in the European Union (EU) or European Economic Area (EEA), you have the following rights under the GDPR:

1. Right to Access

You have the right to request a copy of the personal data we hold about you. This is commonly known as a "data subject access request."

2. Right to Rectification

You have the right to request that we correct any personal data that you believe is inaccurate. You also have the right to request that we complete information you believe is incomplete.

3. Right to Erasure (Right to be Forgotten)

You have the right to request that we erase your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or when you withdraw your consent.

4. Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to the processing.

5. Right to Data Portability

You have the right to request that we transfer your personal data to another organization, or directly to you, in a structured, commonly used, and machine-readable format.

6. Right to Object

You have the right to object to the processing of your personal data in certain circumstances, including processing for direct marketing purposes or processing based on legitimate interests.

7. Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

8. Right to Withdraw Consent

Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

Your CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

1. Right to Know

You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.

2. Right to Delete

You have the right to request that we delete your personal information, subject to certain exceptions (e.g., to complete transactions, comply with legal obligations, or exercise free speech rights).

3. Right to Opt-Out ("Do Not Sell My Personal Information")

You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell your personal information in the traditional sense (i.e., we don't sell customer lists to data brokers).

However, we may share data with third-party analytics providers (Google Analytics), which could be considered a "share" under CCPA. You can opt out of this data sharing by:

  • Clicking "Cookie Settings" in the website footer and rejecting analytics cookies
  • Clicking "Reject All" or "Customize" in the cookie consent banner when you first visit
  • Visiting our Cookie Policy page and using the "Open Cookie Settings" link

Current Status: If you have rejected analytics cookies, you have effectively opted out of data sharing under CCPA. Your preference is respected across our entire platform.

4. Right to Non-Discrimination

You have the right not to receive discriminatory treatment for exercising your CCPA rights. We will not deny you goods or services, charge different prices, or provide a different level of quality for exercising your privacy rights.

How We Protect Your Personal Data

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All payment transactions are encrypted using SSL/TLS technology. Sensitive data is encrypted both in transit and at rest.
  • Access Controls: We implement strict access controls to ensure that only authorized personnel can access personal data, and only when necessary for legitimate business purposes.
  • Security Monitoring: We continuously monitor our systems for security vulnerabilities and suspicious activity.
  • CSRF Protection: We use Cross-Site Request Forgery (CSRF) tokens to protect against unauthorized actions on behalf of authenticated users.
  • Session Management: We use secure session cookies with httpOnly and secure flags to prevent unauthorized access to user sessions.
  • Payment Security: We use Mollie, a PCI DSS Level 1 compliant payment processor, to handle all payment transactions. We do not store credit card information on our servers.
  • Regular Audits: We conduct regular security audits and assessments to ensure our security measures remain effective.

While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we strive to use commercially acceptable means to protect your personal data.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Account Data: Retained for the duration of your account plus 3 years after account closure for legal compliance.

Transaction Data: Retained for 7 years to comply with financial regulations and tax laws.

Gift Card Data: Retained for 2 years after expiration or full redemption.

Marketing Data: Retained until you withdraw consent or opt out of marketing communications.

Cookies & Analytics: See our Cookie Policy for specific retention periods.

How to Exercise Your Rights

To exercise any of your data protection rights, please visit our Customer Service page to submit a data protection request. We will respond to your request within one month (or two months for complex requests).

Verification Process

To protect your privacy and security, we may need to verify your identity before processing your request. We may ask you to provide additional information to confirm your identity.

Information to Include in Your Request

When submitting a data protection request via our Customer Service page, please include the following information:

  • Your full name and email address
  • Description of the request (access, delete, correct, etc.)
  • Any relevant account information or order numbers
  • Proof of identity (if requested by our team)

International Data Transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

When we transfer personal data from the EU/EEA to countries that do not provide an adequate level of data protection, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives the same level of protection as in the EU/EEA.

Right to Lodge a Complaint

If you are an EU/EEA resident and believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority.

You can find your local data protection authority here: European Data Protection Board - Members


Related Policies

We are committed to protecting your privacy and handling your personal data responsibly. If you have any questions or concerns about our data protection practices, please visit our Customer Service page to submit a request.