Privacy Policy
Last updated: March 2026
This Privacy Policy describes how Wotabox ("we," "our," or "us") collects, uses, discloses, retains, and protects your personal information when you access or use our website (wotabox.com), mobile applications, and related services (collectively, the "Service"). Wotabox is operated from Queensland, Australia.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Definitions
- "Personal Information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
- "Sender" means a user who creates an account and sends gifts through the Service.
- "Recipient" means a person who receives a gift through the Service, whether or not they create an account.
- "Aggregated Data" means data that has been de-identified, anonymised, or aggregated such that it cannot reasonably be used to identify any individual.
- "Gift Data" means data relating to gifting activity including occasion types, gift values, recipient demographics, recommendation interactions, and reveal page engagement metrics.
2. Information We Collect
2.1 Information You Provide Directly
Account Information: When you create an account, we collect your name, email address, password, and optionally your surname and profile photo.
Recipient Information: When you add recipients to your gifting circle, we collect names, relationships, ages, countries, interests, notes, email addresses, and other details you choose to provide about the people you gift.
Occasion and Gift Information: We collect occasion types, dates, budget preferences, gift recommendations selected or rejected, personal greetings written (including AI-suggested greetings you select), gift card amounts, animation variant preferences, and delivery preferences.
Payment Information: Payment transactions are processed by our third-party payment processor (currently Stripe). We do not store your full credit card number, CVV, or bank account details on our servers. We receive and store transaction identifiers, amounts, timestamps, and payment status from our payment processor.
Communications: We collect information you provide when you contact us for support, submit feedback, or otherwise communicate with us.
Imported Data: If you choose to import contacts, calendar data, or other information from your device or third-party services, we collect the data you authorise for import.
2.2 Information We Collect Automatically
Usage Data: We collect information about how you use the Service, including pages visited, features used, actions taken (such as gifts sent, recommendations viewed, refreshed, or approved), frequency and timing of use, and interaction patterns.
Gift Delivery and Engagement Data: We collect data about gift delivery, including whether notification emails were delivered, opened, or bounced; whether recipients visited the reveal page; when and how they interacted with the reveal experience (including unwrapping steps, time spent, and whether they clicked product recommendation links or copied gift card codes); and whether gift cards were redeemed.
Device and Technical Data: We collect device type, operating system, browser type, screen resolution, IP address, approximate location derived from IP address, app version, push notification tokens, and unique device identifiers.
Cookies and Similar Technologies: Our website uses cookies and similar tracking technologies to maintain sessions, remember preferences, and analyse usage. You can manage cookie preferences through your browser settings.
2.3 Information We Receive from Third Parties
Amazon: We receive confirmation of gift card creation and delivery status from Amazon's Incentives API. We receive affiliate click and conversion data from Amazon Associates. We do not receive information about what recipients purchase using their gift cards.
Payment Processors: We receive transaction confirmations, payment status updates, and fraud screening results from Stripe.
Analytics Providers: We may receive aggregated analytics data from third-party services we use to understand platform usage.
3. How We Use Your Information
3.1 To Provide and Operate the Service
We use your information to:
- Create and manage your account
- Generate personalised AI gift recommendations based on recipient profiles, occasion types, budgets, and sender preferences
- Process gift card purchases and deliver gifts to recipients
- Send occasion reminders and gift notifications
- Display sender information (name and photo) to recipients on gift notification emails and reveal pages
- Track gift delivery status and provide sender notifications
- Provide customer support
3.2 To Improve and Develop the Service
We use your information to:
- Train, improve, and refine our AI recommendation engine using gifting patterns, recipient profiles, recommendation acceptance and rejection data, and engagement metrics
- Analyse usage patterns, feature adoption, and user flows to improve the platform
- Conduct A/B testing and product experimentation
- Debug technical issues and improve platform stability and performance
- Develop new features and services
3.3 To Communicate With You
We use your information to:
- Send transactional communications (gift confirmations, delivery notifications, nudge reminders)
- Send service announcements and updates
- Send marketing and promotional communications where you have consented or where permitted by law (you may opt out at any time)
3.4 To Generate and Commercialise Aggregated Data and Insights
We use Aggregated Data derived from user activity, including but not limited to gifting trends by occasion type, relationship type, age demographic, geographic region, budget range, product category, recommendation acceptance rates, reveal page engagement metrics, and seasonal patterns, to:
- Create and sell anonymised market research, analytics reports, trend data, and industry insights to third parties including retailers, brands, marketers, researchers, and business partners
- Develop and license data products, APIs, and analytics tools based on aggregated gifting trends and consumer behaviour patterns
- Inform partnerships, sponsorships, and commercial arrangements with brands and retailers
- Publish aggregated trend data and insights for marketing, press, and business development purposes
This Aggregated Data will not identify you personally. We implement technical and organisational measures to ensure de-identification and prevent re-identification of individuals from Aggregated Data products.
3.5 For Safety, Security, and Legal Compliance
We use your information to:
- Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service
- Enforce velocity limits and prevent misuse of the platform
- Comply with applicable laws, regulations, legal processes, and government requests
- Protect the rights, property, and safety of Wotabox, our users, and the public
4. How We Share Your Information
We do not sell your Personal Information to third parties for their direct marketing purposes.
We may share your information with the following categories of recipients:
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
- Amazon (gift card purchasing and delivery via Incentives API; product data via Creators API; affiliate tracking via Associates programme)
- Stripe (payment processing)
- Resend (email delivery)
- Supabase (database hosting and authentication)
- Expo / EAS (push notifications and app distribution)
- Anthropic (AI recommendation and greeting generation via Claude API — recipient profile data including name, relationship, age, interests, notes, and occasion details are sent to generate recommendations)
These service providers are contractually bound to use your information only for the purposes of providing services to us and in accordance with this Privacy Policy.
4.2 Recipients of Your Gifts
When you send a gift, we share your first name, surname, and profile photo with the gift recipient via email and on the reveal page. We also share your personal greeting message and your selected gift recommendation.
4.3 Aggregated Data Recipients
We may share, sell, or license Aggregated Data and anonymised insights with third parties including retailers, brands, marketers, researchers, analytics companies, and business partners. This data does not identify any individual.
4.4 Business Transfers
In connection with any merger, acquisition, sale of assets, financing, restructuring, or dissolution of all or a portion of our business, your information may be transferred to the acquiring or successor entity, subject to this Privacy Policy. We will notify you of any such change via email or prominent notice on the Service.
4.5 Legal and Safety Disclosures
We may disclose your information where we believe in good faith that disclosure is necessary to:
- Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
- Enforce our Terms of Service or other agreements
- Detect, prevent, or address fraud, security, or technical issues
- Protect the rights, property, or safety of Wotabox, our users, or the public
5. AI and Automated Processing
5.1 AI Recommendation Engine
Our Service uses artificial intelligence (currently Anthropic's Claude API) to generate gift recommendations and greeting suggestions. When generating recommendations, we send recipient profile data (name, relationship, age, country, interests, notes, occasion type, budget) to the AI service. The AI generates recommendations based on this data.
5.2 No Automated Decision-Making with Legal Effects
We do not use automated processing, including profiling, to make decisions that produce legal or similarly significant effects on you. AI recommendations are suggestions only — you always have the choice to accept, reject, modify, or ignore them.
5.3 AI Training
We may use aggregated and de-identified gifting interaction data (such as which recommendations were accepted vs rejected, by occasion type and demographic) to evaluate and improve the performance of our recommendation systems. We do not provide your Personal Information to third-party AI providers for the purpose of training their general models.
6. Data Retention
We retain your Personal Information for as long as your account is active or as necessary to provide the Service, plus a reasonable period thereafter for backup, archival, audit, and legal compliance purposes.
Specific retention periods:
- Account data: Retained while your account is active and for 12 months after account deletion
- Gift transaction data: Retained for 7 years for tax, accounting, and legal compliance
- Gift delivery and engagement data: Retained for 3 years for analytics and service improvement
- Aggregated Data: Retained indefinitely as it does not identify any individual
- Support communications: Retained for 3 years after resolution
You may request deletion of your account and associated Personal Information at any time (see Section 9).
7. Data Security
We implement appropriate technical and organisational measures to protect your information, including encryption in transit (TLS/SSL), encrypted storage, access controls, and regular security reviews.
Despite our efforts, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the security of your account credentials.
8. International Data Transfers
Wotabox is operated from Australia. Your information may be processed and stored in countries other than your country of residence, including the United States (where our service providers including Amazon, Stripe, Anthropic, Resend, and Supabase operate). These countries may have data protection laws that differ from your jurisdiction.
By using the Service, you consent to the transfer of your information to Australia and other countries where our service providers operate. We take steps to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.
9. Your Rights and Choices
9.1 All Users
Regardless of your location, you may:
- Access your Personal Information through your account settings
- Update or correct your Personal Information through your account settings
- Delete your account and request deletion of your Personal Information by contacting support@wotabox.com
- Opt out of marketing communications by using the unsubscribe link in any marketing email or contacting us
- Manage push notifications through your device settings
9.2 Australian Users (Privacy Act 1988)
If you are located in Australia, you have additional rights under the Australian Privacy Act 1988, including the right to:
- Access your Personal Information held by us
- Request correction of inaccurate, out-of-date, incomplete, or misleading information
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles
9.3 California Users (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
- Right to Know: You may request disclosure of the categories and specific pieces of Personal Information we have collected about you, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your Personal Information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate Personal Information.
- Right to Opt Out of Sale or Sharing: We do not sell your Personal Information. We do share de-identified, aggregated data that does not constitute "Personal Information" under the CCPA.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at support@wotabox.com. We will verify your identity before processing your request. You may also designate an authorised agent to submit a request on your behalf.
9.4 Users in Other Jurisdictions
If you are located in a jurisdiction with applicable data protection laws (including the UK, EU, or other regions), you may have additional rights including data portability, restriction of processing, and objection to processing. Contact us at support@wotabox.com to exercise these rights.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If we become aware that we have collected Personal Information from a child under 18, we will take steps to delete such information promptly. If you believe a child under 18 has provided us with Personal Information, please contact us at support@wotabox.com.
11. Third-Party Links and Services
The Service may contain links to third-party websites and services, including Amazon. This Privacy Policy does not apply to third-party services. We encourage you to read the privacy policies of any third-party services you visit. We are not responsible for the privacy practices of third-party services.
12. Amazon Affiliate Disclosure
Wotabox participates in the Amazon Associates Programme, an affiliate advertising programme designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon. When you click product recommendation links on the gift reveal page, we may earn a commission from qualifying purchases at no additional cost to you or the gift recipient.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by email or prominent notice on the Service prior to the changes taking effect. The "Last updated" date at the top of this Policy indicates when it was last revised.
Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with any changes, you should discontinue use of the Service and delete your account.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: support@wotabox.com
For Australian privacy complaints that are not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.