Privacy Policy

Information We Collect

• You provide: account identifiers and profile details you choose to share (e.g., email, display name), redemption and gift details (recipient handle, product, notes), and shipping information for recipients.
• Identity graph data: minimal identifiers needed to deliver gifts to the right person (wallet addresses, ENS names, Farcaster/Twitter/X usernames, OAuth provider IDs).
• Authentication data: OAuth access/refresh tokens, session identifiers (e.g., httpOnly cookies). Authentication is facilitated by Privy, which may collect and process additional data as described in their privacy policy.
• Payment and fulfillment data: gift metadata, price, timestamps, and status. We do not store card numbers. First-party card payments are processed by Stripe; third-party merchant purchases may use crypto rails (e.g., USDC on Base via the x402 protocol or MoonPay Commerce).
• Automatically collected: device and usage information (IP address, browser, OS), log data, coarse geolocation, and cookies or similar technologies for essential functionality and analytics.
• From third parties: information from authentication providers (Google, Twitter/X), payment processors and vendors (e.g., Stripe, Shopify merchants), and public blockchain networks when you interact on-chain.

How We Use Information

• Provide, maintain, and improve the Services, including gift flows and order fulfillment
• Authenticate users, maintain our identity graph, and keep accounts secure
• Process payments and combat fraud, abuse, and violations of our Terms
• Perform content safety checks and compliance screening before purchases are completed
• Communicate with you about orders, support, updates, and policy changes
• Comply with legal obligations and enforce our agreements

Content Moderation

To comply with processor policies and maintain platform safety, we use OpenAI's Moderation API to screen product names and descriptions for prohibited content before processing gifts. This helps prevent purchases of violent, sexual, hateful, or illegal items.

Product information sent for moderation is processed by OpenAI under their Privacy Policy. We do not retain moderation results beyond the transaction lifecycle.

AI-Powered Features

Our conversational shopping agent is powered by Google Gemini (via the Vercel AI SDK). When you use the chat feature, your messages, product queries, and related conversational context are sent to Google for processing. Google processes this data under their Gemini API Terms of Service. We do not use your conversations to train AI models. Chat history is retained only for the duration of your session unless otherwise required for order fulfillment or support.

Payment Processing

First-party products (e.g., Bea's Bazaar) use Stripe. Stripe processes your payment information under its Privacy Policy. We do not store card details on our servers.

Some third-party merchant purchases use cryptocurrency payment rails (e.g., USDC on Base via the x402 protocol and Coinbase Developer Platform). On-chain transactions are public and may be permanently viewable. We also integrate MoonPay Commerce for certain crypto payments. Please review the applicable payment provider's privacy policies before use: Coinbase, MoonPay.

Legal Bases (EEA/UK Users)

Where applicable, we process personal data under the following legal bases:

• Performance of a contract (to provide the Services and fulfill orders)
• Legitimate interests (e.g., securing our Services, preventing fraud, improving features)
• Consent (e.g., certain cookies/analytics where required by law)
• Legal obligations (e.g., tax, accounting, compliance)

How We Share Information

• Vendors/Processors: infrastructure, hosting, analytics, monitoring, anti-abuse, moderation, and payment/fulfillment partners (e.g., Vercel, Stripe, Google, OpenAI, Privy, Coinbase, MoonPay, Sentry). These parties access data only to perform services for us under appropriate data processing agreements or equivalent safeguards.
• Merchants and logistics providers: to fulfill orders and deliveries you initiate.
• Public blockchains: on-chain activity (e.g., wallet address, transaction metadata) is public by design and may be read by anyone.
• Legal and compliance: to comply with law, respond to lawful requests, or protect rights, safety, and integrity.
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets.

Gift Recipients (Non-Users)

When a user sends a gift to a recipient via a username or handle (e.g., ENS name, Farcaster, Twitter/X), we store the recipient's public handle and associated identity data in our identity graph before the recipient creates an account. This data is used solely to match and deliver the gift to the intended person. Recipients who have not created an account may request deletion of their data by contacting support@buyit.bot.

Data Retention

Recipient shipping information is encrypted at rest and purged approximately 30 days after redemption. We retain other data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Blockchain data may persist indefinitely on public networks.

Security

We use technical and organizational measures to protect personal information (e.g., encryption at rest/in transit, access controls). No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Automated Decision-Making

We use automated content moderation (via OpenAI's Moderation API) to screen gift purchases for prohibited content. This process may automatically reject a transaction without human review. If you believe a transaction was incorrectly rejected, you may contact support@buyit.bot to request a manual review.

International Data Transfers

We may process and store information in the United States and other countries. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) for cross-border data transfers.

Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent where processing is based on consent.

California residents may have rights under the CCPA/CPRA, including to know, delete, and opt out of certain disclosures. We do not sell personal information as defined by the CCPA/CPRA.

To exercise rights, please email support@buyit.bot. We may need information (e.g., gift ID, account email) to verify your request.

Cookies & Tracking

We use essential cookies to operate the Services and may use analytics or functional cookies to improve performance and features. You can control cookies through your browser settings. Some features may not function properly without certain cookies.

Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. We do not currently respond to DNT signals because no uniform standard for handling them has been adopted. We will update this policy if a standard is established.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users in accordance with applicable law. Where required, we will provide notice via email or through our Services within the timeframes mandated by applicable data protection regulations.

Children's Privacy

The Services are not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will take appropriate action.

Third-Party Links

Our Services may link to third-party sites or services. Their privacy practices are governed by their own policies, and we are not responsible for them.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with a new "Last Updated" date. Your continued use of the Services after changes become effective constitutes your acceptance of the revised policy.

Contact

Questions or requests: support@buyit.bot