Privacy Policy
Last updated: 12 July 2026
1. Who we are
GWP ("GWP", "we", "us") is a gift-with-purchase marketplace operated by [LEGAL ENTITY]. We provide an on-page unit ("the widget") that participating online retailers ("hosts") embed on their basket and order-confirmation pages, offering shoppers advertiser-funded free gifts. Our website is gwpingenuity.com.
You can contact us about anything in this policy at [PRIVACY EMAIL]. We are registered with the UK Information Commissioner's Office under registration number [ICO REG NO].
[LEGAL REVIEW: confirm registered address, company number and whether GWP acts as controller, joint controller or processor for each processing activity below.]
2. What this policy covers
We process personal data about four groups of people, and what we hold differs sharply between them:
- Shoppers who see or use the widget on a host retailer's site;
- Shoppers who opt in to a gift-reminder email;
- Demo leads who submit our "book a demo" form;
- Dashboard users at our host and advertiser partners.
3. Data we process
3.1 Shoppers (via the widget)
The widget is deliberately built around a minimal, pseudonymous footprint. When it runs on a host's page it processes:
- an opaque click-identifier ("clid") generated when you interact with an offer — a random reference that is not derived from your name, email or device fingerprint;
- a session reference used for frequency capping and attribution;
- your gift selection (which offer you chose);
- a basket snapshot — the basket's total value, currency and item lines — used to decide whether and which offers to show;
- your resolved consent state as reported by the retailer's consent management platform (see our Cookie Policy);
- telemetry events (for example: the unit rendered, an offer was viewed or clicked) used for reporting and billing;
- your IP address, transiently, for rate limiting and abuse prevention — it is not stored with attribution records;
- truncated error diagnostics if the widget encounters a fault, so we can fix it.
What the widget never collects: it does not read or receive your name, email address, postal address, payment card details, or any other checkout form data. It reads only the basket contents described above, and it never modifies the retailer's cart or order.
3.2 Shoppers who opt in to a gift reminder
If — and only if — you explicitly tick the opt-in when claiming a gift, we store the email address you provide, together with an unsubscribe token, so we can send you a single reminder about the gift you selected. Every email carries a one-click unsubscribe link, and unsubscribed addresses are placed on a global suppression list so we do not email them again.
3.3 Demo leads
When you submit the form on our demo page we store the six fields you enter — first name, last name, company, role, store URL and monthly order range — together with a record of the consent you give on the form. We use these details to contact you about your demo and our services.
3.4 Dashboard users (host and advertiser teams)
For people who use the GWP partner dashboard we store your name, email address and role, invitation tokens used to set up your account, and an audit trail of significant actions taken in the dashboard (for security and accountability). Bank details entered for payouts are stored masked in the interface.
4. Lawful bases
[LEGAL REVIEW: lawful-basis mapping below to be confirmed by counsel.]
- Consent — for the gift-reminder email (explicit opt-in) and for any storage on a shopper's device that is not strictly necessary, as reported through the retailer's consent platform;
- Legitimate interests — for the pseudonymous attribution, fraud prevention, telemetry, demo-lead follow-up and dashboard administration described above, balanced against the minimal footprint involved;
- Contract — for providing the dashboard and paying our partners.
5. Who we share data with
We use a small number of subprocessors to run the service:
| Provider | Role | Location | Data involved |
|---|---|---|---|
| Convex | Application database and backend hosting | United States | All service data described in section 3 |
| Cloudflare | Content delivery network serving the widget script | Global edge network | Visitor IP address and request metadata (transient) |
| Resend | Transactional email delivery | United States | Opted-in shopper emails; demo-lead notifications |
| Google Fonts | Web font delivery for this marketing site | Global (Google infrastructure) | Visitor IP address and browser metadata when fonts load |
We also share attribution data with the relevant host retailer and advertiser so that conversions can be validated and commission paid — this is limited to the pseudonymous identifiers and event data in section 3.1, never opted-in email addresses. We may disclose data where required by law.
6. International transfers
Some of the providers above process data in the United States. Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses with the relevant provider. [LEGAL REVIEW: confirm transfer mechanism and transfer risk assessments for each subprocessor.]
7. How long we keep data
[LEGAL REVIEW: retention periods below to be confirmed by counsel.]
| Data | Retention period |
|---|---|
| Widget events and telemetry | 90 days |
| Click-identifiers and order associations | 13 months |
| Postback logs | 14 days |
| Gift-reminder email records | Until unsubscribed or sent, plus 12 months |
| Demo leads | 24 months |
| Dashboard audit logs | 6 years |
8. Your rights
Under UK and EU data protection law you can ask us to: access the personal data we hold about you; correct it; erase it; restrict or object to our processing of it; and receive a portable copy. Where processing is based on consent, you can withdraw that consent at any time (for reminder emails, the one-click unsubscribe link does this immediately).
To exercise any of these rights, email [PRIVACY EMAIL]. Because most shopper data we hold is pseudonymous, we may need to work with you (and the retailer whose site you used) to locate records tied to your click-identifier.
9. Complaints
If you are unhappy with how we have handled your personal data, please contact us first at [PRIVACY EMAIL] so we can try to put it right. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by phone on 0303 123 1113, or to your local EU supervisory authority.
10. Changes to this policy
We will post any changes to this policy on this page and update the "Last updated" date above. Material changes affecting opted-in shoppers or partners will be notified directly where we are able to.