Privacy Policy
Last updated:
1. Data Controller
Company: Craftbox
Address: 2 Davit Kipiani St, Tbilisi 0119, Georgia
Email: info@craftboxgifts.com
Phone: +995 557 234 222
CraftBox Gifts is the Data Controller under GDPR Article 4(7) for all data we collect through this website.
2. What Data We Collect
2.1 Order Data
When you place an order, we collect the following personal data:
- First and last name — for delivery and confirmation
- Phone number — to notify you of your order status
- Email address — for order confirmation and receipt
- Delivery address — to provide the courier service
- Order contents — personalization requests and photo files
2.2 Analytics Data
When you use the site (with your consent), we collect:
- Hashed IP address — for geographic statistics (not stored in directly identifiable form)
- Device type and browser — for technical optimization
- Pages viewed and clicks — to improve our content
- Referral source — to measure advertising effectiveness
3. Lawful Basis for Processing
Order Data
We process your name, phone, address and order details to perform the contract between you and CraftBox Gifts (GDPR Art. 6(1)(b)).
Analytics and Marketing
We load Google Analytics and Facebook Pixel only after you give consent through the cookie banner (GDPR Art. 6(1)(a)).
4. Third Parties and Data Transfers
Your data may be shared with the following third parties solely to provide our service:
| Service | Purpose | Basis | Policy |
|---|---|---|---|
| Railway (PostgreSQL) | Storing orders and data | Contract | View |
| Google Analytics 4 | Site analytics | Consent | View |
| Facebook Pixel | Ad optimization | Consent | View |
| Telegram Bot API | Order notifications | Contract | View |
Analytics services (Google, Facebook) may transfer data outside the European Economic Area. Such transfers are made on the basis of Standard Contractual Clauses (SCCs) (GDPR Art. 46).
5. Data Retention Periods
Hashed IP, device info and session data are automatically deleted after 90 days.
Name, address and order history — to meet our statutory accounting obligations.
6. Your Rights
Under Chapter III of the GDPR, you have the following rights:
Exercising Your Rights
Send your request to info@craftboxgifts.com. We will respond within 30 calendar days (GDPR Art. 12).
Data Deletion
If you signed in with Facebook (or Google), you can delete your account and the personal data linked to it at any time:
- Go to your account → settings → “Delete account”, and confirm.
- Or email us at info@craftboxgifts.com — we process the request within 30 calendar days.
We delete: your account, wishlist, coupons, gift-assistant chat history and marketing data. Transactional records (orders) are anonymised — personal fields are erased but the record is retained to meet our statutory accounting obligations (GDPR Art. 6(1)(c)).
7. Cookies
craftboxgifts.com uses cookies and localStorage. Analytics and marketing cookies activate only after your consent. For full details see:
Cookie Policy
8. Data Breach Notification
In the event of a data security breach that is likely to result in a risk to your rights, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Art. 33-34. Notification will be made by email.
9. Policy Changes
If we make material changes to this policy, we will notify you by email or with a prominent banner on the site. The current version is always available on this page. Continued use after a change constitutes acceptance.
10. Sub-processors
CraftBox Gifts uses the following trusted sub-processors under GDPR Art. 28. Each has a Data Processing Agreement (DPA) or Standard Contractual Clauses (SCCs) covering transfers outside the European Economic Area (EEA).
| Service | Purpose | Location | Transfer basis |
|---|---|---|---|
| Vercel Inc. | Web hosting, CDN, edge functions | US | SCC (Art. 46) |
| Railway Corp. | PostgreSQL database (orders, accounts) | US | SCC (Art. 46) |
| Cloudinary Ltd. | Product image storage & optimisation | US / EU | SCC (Art. 46) |
| Resend Inc. | Transactional email (order confirmation) | US | SCC (Art. 46) |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting | US / EU | SCC (Art. 46) |
| Upstash Inc. | Redis cache — rate-limiting, session state | US / EU | SCC (Art. 46) |
| Google LLC | Google Analytics 4 (analytics) + Google OAuth (sign-in) | US | SCC (Art. 46) |
| Meta Platforms Ireland Ltd. | Facebook Pixel + Conversions API (CAPI) — ad optimisation | IE / US | SCC (Art. 46) |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Payment processing (card / PayPal balance) | LU / US | SCC (Art. 46) |
Transfers to sub-processors outside the EEA (US) are made under Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46. We publish an updated sub-processor list on this page whenever a material change is made.










