Birthly Gifts — Privacy Policy

Effective date: 29 June 2026

App: Birthly Gifts (the “App”)

Provider: Jhiki Corp, 155 rue de la Matinière, 38470 Cognin-les-Gorges, France — SIRET 512 777 053 00020 (“we”, “us”, the “Provider”)

Contact: pro@jhiki.fr · Data protection contact: pro@jhiki.fr

1. Who we are & our role

Birthly Gifts is a gift-registry application that merchants install on their Shopify store. It lets a store’s customers create gift registries (e.g. baby registries), lets other shoppers reserve or purchase registry items, and sends transactional emails about those events.

Our role depends on whose data it is:

Merchants remain responsible for informing their own customers and for having a lawful basis for engaging us.

2. What data we collect, and from whom

2.1 From the merchant. Store identifier (myshopify.com domain), shop name, store currency and locale; merchant-configured settings (registry rules, email toggles, coupon tiers, sender display name and reply-to email, optional custom sending domain, retention windows); Shopify session and authentication tokens, and — for online sessions — the name and email of the staff user who authenticates the App.

2.2 From registry owners. Owner email (required) and name (optional); the owner’s Shopify customer identifier (used as the ownership key); registry content the owner writes (title, optional description, optional illustration image, optional registry password stored only as a hash).

2.3 From gift-givers. Gift-giver email and name; the gift-giver’s Shopify customer identifier (for reservations); an optional free-text gift message (up to 500 characters); for purchases, the associated order and line-item identifiers and amounts used to attribute the gift to the registry.

2.4 From Shopify, on the merchant’s behalf (Protected Customer Data). When a gift-giver completes a purchase, Shopify notifies the App and the App reads a minimised set of order fields — see Section 5. We do not read shipping/billing addresses, phone numbers, or payment details.

2.5 Email delivery metadata. For each transactional email we store the recipient email, recipient name, subject, status, and the email provider’s message ID, plus a suppression list of addresses that hard-bounced or marked our mail as spam.

We do not collect special-category data, do not run marketing or advertising, and never ask gift-givers for marketing consent. All emails the App sends are strictly transactional.

3. How we use the data

We do not sell personal data, and do not use it for advertising or profiling.

4. Legal bases (GDPR)

ProcessingLegal basis
Providing the App to the merchant; merchant account & configuration dataPerformance of a contract (Art. 6(1)(b))
Processing the merchant’s customer data from ShopifyOn the merchant’s instructions as processor; the merchant establishes the lawful basis (Art. 28)
Owner / gift-giver data and gift messages entered on the storefrontProvision of the service requested by the data subject, and legitimate interest in delivering it (Art. 6(1)(b)/(f))
Transactional emails about registry/reservation/purchase eventsLegitimate interest in delivering a service the user is party to; never marketing (Art. 6(1)(f))
Security, fraud prevention, suppression list, service improvementLegitimate interests (Art. 6(1)(f))
Responding to GDPR webhooks and retention/erasureLegal obligation and the merchant’s instructions (Art. 6(1)(c); Art. 28)

5. Protected Customer Data from Shopify (data minimisation)

The App uses the read_orders and read_customers scopes. We read only the fields needed to attribute purchases and deliver transactional confirmations:

Field readWhy we need it
Order emailSend the gift-giver a confirmation; show “purchased by” to the owner.
Customer first & last name (as present on the order)Display “reserved/purchased by [name]” to the registry owner.
Customer numeric identifierIdentify owner/gift-giver, attach the reward coupon, set the Shopify Flow customer reference.
Order line items (id, quantity, price, app-authored properties)Match the purchased line to the registry item and compute the attributed amount.

We do not read or store phone numbers, shipping/billing addresses, or payment data. Where Protected Customer Data is unavailable, the App degrades gracefully (the gift-giver is shown as “Anonymous”).

6. Sharing & subprocessors

We share personal data only with the infrastructure providers needed to run the service. We do not sell data or share it for advertising.

SubprocessorPurposeLocation
ShopifyPlatform; source of merchant & order/customer data; authentication; file/CDN storage for uploaded registry imagesGlobal
RailwayApplication hosting and PostgreSQL database (where the App’s data is stored)European Union (Amsterdam, Netherlands)
ResendTransactional email delivery (recipient email & name, subject, rendered content which may include a gift message and registry title)United States

Transactional emails embed static brand images (hero, logo). Loading a remote image can expose standard request metadata (IP address, user agent) of the recipient to the image host, as with any email image.

We may also disclose data where required by law or to establish, exercise or defend legal claims.

7. Data retention

8. International transfers

The App’s primary hosting and database (Railway) are located in the European Union (Amsterdam, Netherlands). Some processing nevertheless occurs outside the EEA: our email subprocessor (Resend) and parts of the Shopify platform operate in the United States. Where personal data is transferred outside the EEA, the transfer is governed by appropriate safeguards — principally the EU Standard Contractual Clauses — as incorporated into our agreements with those providers.

9. Your rights

Subject to applicable law, data subjects have the right to access, rectify, erase, restrict, and port their personal data, to object to processing based on legitimate interests, and to lodge a complaint with a supervisory authority (in France, the CNIL).

Because the App has no direct end-user interface, end-users (registry owners and gift-givers) should exercise their rights through the merchant whose store they used; the merchant is the controller for that data. When a merchant or Shopify forwards a data-access request, the App compiles the relevant data and returns it to the merchant’s configured support address. Merchants and other contractual customers may contact us directly at pro@jhiki.fr.

We honour Shopify’s mandatory privacy webhooks automatically (see Section 10).

10. Security

No method of transmission or storage is completely secure, but we maintain measures appropriate to the risk.

11. Children’s data

The App is provided to merchants and used by adult shoppers; it is not directed to children and we do not knowingly collect data from children under the age of digital consent. Registries may celebrate an event concerning a child, but the App collects data about the adult registry owners and gift-givers, not children. If you believe a child’s data has been provided, contact us at pro@jhiki.fr and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by updating the “Effective date” and, where appropriate, notifying merchants. Continued use of the App after an update constitutes acceptance of the revised policy.

13. Contact

Jhiki Corp
155 rue de la Matinière, 38470 Cognin-les-Gorges, France
Email: pro@jhiki.fr