Privacy Policy
Giveaway Ninja
Effective Date: April 19, 2026
Last Updated: April 19, 2026
Background
Giveaway Ninja (“Giveaway Ninja”, or “we”, or “our”, or “us”) understands that your privacy is important to you and that you care about how your information is used and shared online.
We respect and value the privacy of everyone who visits Our Site and uses our Giveaway App and will only collect and use information in ways that are useful to you and in a manner consistent with your rights and Our obligations under the law.
This Policy applies to Our use of any and all data collected by us in relation to your use of Our Site and Our Giveaway App.
Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of Our Privacy Policy is deemed to occur upon your first use of Our Site OR You will be required to read and accept this Privacy Policy when signing up for an Account. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.
1. Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
“Account” means an account required to access and/or use certain areas and features of Our Site and Giveaway App;
“Cookie” means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in section 12, below;
“Our Site” means this website, www.GiveawayNinja.io
“Customer” means website owners, merchants and administrators that purchased and/or added our Giveaway App to their website(s) to collect e-mails and deliver discount coupons to their Users.
“End User” or “Entrant” means an individual who interacts with a giveaway, contest or pop-up campaign operated by a Customer through the Giveaway App (for example, by submitting their email address to enter a giveaway).
“User” means anybody accessing Our Site or the Giveaway App provided by Us
“Giveaway App” means the giveaway management features provided by our software
“Giveaway Ninja/We/Us/Our” means GiveawayNinja by Andrea De Santis
“GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation), together with the UK GDPR and any applicable national implementing legislation.
“Controller”, “Processor”, “Personal Data”, “Processing”, and “Data Subject” have the meanings given in the GDPR.
2. Information About Us (Data Controller)
2.1 - Our Site and the Giveaway App are operated by Giveaway Ninja, a sole proprietorship owned by Andrea De Santis, based in Italy.
2.2 - For the purposes of applicable data-protection law, the data controller responsible for your Personal Data is:
- Giveaway Ninja (operated by Andrea De Santis)
- Country: Italy
- Support: please contact our support through the channels available on our website
- Website: www.giveawayninja.io
2.3 - We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Art. 37 GDPR. For any privacy-related question, write to us at the address above and we will respond without undue delay.
2A. Our Role: Controller and Processor
The Giveaway App is a business-to-business (B2B) SaaS product. Our role under the GDPR depends on whose Personal Data is being processed:
- When we process data about Customers (i.e., the merchants, administrators and account holders who sign up to use the Giveaway App — including account registration data, billing data, and usage data of our Site and Dashboard), we act as data Controller. This Privacy Policy governs that processing.
- When Customers use the Giveaway App to run campaigns and collect data from their End Users (for example, entrant email addresses, names, social handles, entry actions, or IP addresses captured through a giveaway widget), we act as data Processor on behalf of that Customer, who is the Controller of the End Users' Personal Data. In that capacity we process End-User Personal Data only on the documented instructions of the Customer and in accordance with our Data Processing Agreement (DPA).
- If you are an End User of a giveaway, please consult the privacy policy of the Customer running that giveaway for information about how your data is controlled. You may also contact us and we will forward your request to the relevant Customer.
3. Scope – What Does This Policy Cover?
This Privacy Policy applies to your use of Our Site and Giveaway App provided by us.
It does not extend to any websites that are linked to from Our Site (whether We provide those links or whether they are shared by other users).
We have no control over how your data is collected, stored or used by other websites and We advise you to check the privacy policies of any such websites before providing any data to them.
4. What Data Do We Collect?
Some data is collected automatically by Our Site and the Giveaway App; other data is only collected if you voluntarily submit it, for example when signing up for an Account, configuring a campaign, or entering a giveaway.
4.1 - Customer data (collected when a merchant signs up for and uses the Giveaway App; we are the Controller):
- account registration data (username, email, hashed password, profile data);
- business/company name, VAT/tax ID (where applicable) and billing information (payment-card data is processed by our billing providers Shopify and Paddle — we do not receive or store full card numbers);
- IP address and approximate location (state, city) — collected automatically;
- device, web browser type and version, operating system — collected automatically;
- referring site, UTM parameters and marketing attribution fields;
- usage and product-interaction data (pages viewed, features used, clicks, timestamps, session identifiers, support/chat messages);
- aggregate revenue/sale value associated with giveaways you run;
- communications you send us (support tickets, emails, feedback).
4.2 - End User / Entrant data (collected on behalf of our Customers when End Users interact with a giveaway or pop-up; the Customer is the Controller and we act as Processor):
- email address and, where collected by the campaign, name, social-media handles, shipping address, phone number, date of birth, or other fields the Customer configures;
- entry actions performed (e.g., visit a page, follow on social, refer a friend);
- IP address, approximate geolocation, device/browser information, timestamps;
- a unique entrant identifier and referral code;
- win/loss status, prize-fulfillment data and communications sent in relation to a campaign.
4.3 - Sensitive categories. We do not intentionally collect special categories of Personal Data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric or genetic data) within the meaning of Art. 9 GDPR. Customers must not configure campaigns to collect such data through the Giveaway App.
5. How Do We Use Your Data?
5.1 - All personal data is stored securely in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). For more details on security see section 6, below.
5.2 - We use your data to provide our Giveaway App to you. This includes:
- 5.2.1 - Providing and managing your Account;
- 5.2.2 - Providing and managing your access to Our Site and Giveaway App;
- 5.2.3 - Personalising and tailoring your experience on Our Site and Giveaway App;
- 5.2.4 - Supplying Our Giveaway App services to Customers and their Users;
- 5.2.5 - Responding to communications from you;
- 5.2.6 - Troubleshooting, detecting and protecting against error, fraud, or other criminal activity;
- 5.2.7 - Supplying you with newsletters, alerts etc. that you have subscribed to; you may unsubscribe or opt-out at any time by using the opt-out link provided on communications or by contacting our support
- 5.2.8 - Marketing retargeting campaigns;
- 5.2.9 - Computing aggregated metrics (such as page views and total number of visitors) for statistical analysis including without limitation determining trends and patterns about usage and demographics for the purpose of improving the Services, by taking reasonable measures to anonymize private information whenever possible
5.3 - In some cases, the collection of data may be a statutory or contractual requirement, and We will be limited in the services We can provide you without your consent for Us to be able to use such data.
5.4 - With your permission and/or where permitted by law, We may also use your data for marketing purposes which may include contacting you by email with information, news and offers on Our services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that We fully protect your rights and comply with Our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended in 2004, 2011 and 2015.
5.5 - Advertisers whose content appears on Our Site may engage in what is known as “behavioural advertising” – advertising which is tailored to your preferences, based on your activity. Your activity is monitored using Cookies, as detailed below in section 12. You can control and limit your data used in this way by adjusting your web browser’s privacy settings. Please note that We do not control the activities of such advertisers, nor the information they collect and use. Limiting the use of your data in this way will not remove the advertising, but it will make it less relevant to your interests and activities on Our Site.
5.6 - Under GDPR we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following bases applies:
- a) you have given consent to the processing of your personal data for one or more specific purposes;
- b) processing is necessary for the performance of a contract to which you are a party or in order to take steps at the request of you prior to entering into a contract;
- c) processing is necessary for compliance with a legal obligation to which we are subject;
- d) processing is necessary to protect the vital interests of you or of another natural person;
- e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
- f) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
6. How and Where Do We Store Your Data?
6.1 - Retention. We only keep your data for as long as we need it for the purposes set out in section 5, and/or for as long as we have your consent to keep it. We conduct an annual review to ascertain whether we still need to keep your data. Indicative retention periods are:
- Account data — retained for the lifetime of the Account, and deleted (or anonymized) within 12 months of account closure, unless a longer period is required by law;
- Campaign entries and End-User data — retained for the duration of the campaign and for up to 12 months thereafter, or for such shorter/longer period as instructed by the Customer who controls that data;
- Inactive accounts — accounts with no login or activity for 12 months may be archived and/or deleted after prior notice;
- Billing records and invoices — retained for as long as required to comply with our tax and accounting obligations under Italian and EU law (typically up to 10 years);
- Support communications and logs — retained for up to 24 months for service-quality and security purposes;
- Marketing-consent records — retained for as long as you are subscribed, plus a reasonable period to demonstrate compliance with consent rules.
6.2 - Hosting and data location. The primary databases, file storage and application servers are hosted on Amazon Web Services (AWS) in the United States (US-West region). Some supporting services (e.g., email delivery, analytics, customer-support tools) may process data in other jurisdictions.
6.3 - International data transfers. Because our infrastructure is located in the United States and we use sub-processors established outside the European Economic Area (EEA), your Personal Data may be transferred to, and processed in, countries outside the EEA that may not offer the same level of protection as your country of residence. Where such transfers occur, we rely on one or more of the following lawful transfer mechanisms:
- the EU-US Data Privacy Framework (DPF) and its UK and Swiss extensions, where the receiving organization is certified;
- the European Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum;
- supplementary technical and organizational measures (encryption in transit and at rest, access controls, logging) where required by our transfer impact assessment.
You can request a copy of the relevant safeguards by contacting our support.
6.4 - Security measures. Information you provide to us is stored on our secure servers. We use encryption in transit (TLS/SSL), encryption at rest for sensitive stores, role-based access controls, least-privilege principles, hashed passwords, audit logging, secrets management, and routine dependency patching. "Privacy by design" and "privacy by default" are baked into our engineering and product-development principles.
6.5 - No service is 100% secure. Despite our use of leading security tools and techniques, no method of transmission over the internet or electronic storage can be guaranteed to be 100% secure. We cannot guarantee absolute security of your Personal Data.
6.6 - Data-breach notification. In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected Data Subjects without undue delay in accordance with Art. 34 GDPR. Where we act as Processor for a Customer, we will notify the relevant Customer without undue delay and assist them with their own notification obligations.
7. Do We Share Your Data?
7.1 - Service providers / sub-processors. We contract with third parties ("sub-processors") to supply our services to you on our behalf. Each sub-processor is bound by written contractual terms requiring confidentiality, security, and compliance with applicable data-protection law. The main categories and providers we currently rely on are listed below. This list may change — an up-to-date list is available on request by contacting our support.
- Cloud infrastructure & hosting: Amazon Web Services (AWS) — servers, S3 object storage, email delivery (US).
- Database: MongoDB (managed) — application database.
- Payments & billing: Shopify (subscription billing for customers who install the Giveaway App via the Shopify App Store) and Paddle (Merchant of Record for all other customers — Paddle is responsible, as an independent controller, for payment processing, invoicing, and the collection and remittance of applicable sales taxes, VAT and GST).
- Transactional email: SendGrid, Postmark — delivery of account, security and campaign-related emails.
- Product analytics & session tools: Google Analytics, Hotjar (subject to your cookie consent — see section 12).
- Sales & marketing tooling: Meta (Facebook Pixel), Apollo.io (subject to your cookie consent).
- Customer integrations triggered by you: when a Customer chooses to connect the Giveaway App to an external service (for example, Klaviyo, MailChimp, ActiveCampaign, Omnisend, Campaign Monitor, Zapier, Twitter/X, Shopify, WooCommerce), relevant campaign and entrant data is transmitted to that service solely on the Customer's instructions and subject to that service's own privacy policy.
7.2 - Aggregated and anonymized data. We may compile aggregated, de-identified, and/or anonymized statistics about the use of Our Site and the Giveaway App — including data on traffic, usage patterns, campaign performance, user numbers, industry benchmarks and similar metrics. Such data does not identify you or any individual and may be used and shared freely, including with prospective investors, affiliates, partners, advertisers, and in public case studies, white papers, blog posts and benchmark reports. See section 13A (Anonymized Data and Case Studies) for details.
7.3 - Legal disclosures. In certain circumstances we may be legally required to share certain data held by us, which may include your Personal Data — for example, where we are involved in legal proceedings, or where we are complying with legislation, a court order, regulatory request, or a binding request from a governmental or law-enforcement authority. We do not require any further consent from you to share your data in such circumstances and will comply as required with any legally binding request made of us. Where legally permitted, we will notify you of such requests.
7.4 - We do not sell your Personal Data to third parties for monetary consideration, and we do not engage in "sharing" of Personal Data for cross-context behavioural advertising within the meaning of the California Consumer Privacy Act (CCPA/CPRA), beyond the advertising cookies that are only set with your consent as described in section 12.
8. What Happens If Our Business Changes Hands?
8.1 - We may, from time to time, expand or reduce Our business and this may involve the sale and/or the transfer of control of all or part of Our business. Data provided by users will, where it is relevant to any part of Our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use the data for the purposes for which it was originally collected by Us.
8.2 - In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will be given the choice to have your data deleted or withheld from the new owner or controller.
9. How Can You Control Your Data?
9.1 - The platform provides tools for Customers and their Users to manage their Account (remove messages, change password, edit username and location). You may also contact our support to request correction, amendment, deletion or a copy of your personal data.
10. Your Right to Withhold Information and Your Right to Withdraw Information After You Have Given it
10.1 - You may access Our Site without providing any data at all. However, to use all features and functions available on Our Site you may be required to submit or allow for the collection of certain data.
10.2 - You may restrict your internet browser’s use of Cookies.
10.3 - You may withdraw your consent for Us to use your personal data as set out in section 5 at any time by contacting Us using the details set out in section 14, and We will delete Your data from Our systems. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. You acknowledge that withdrawing consent may limit Our ability to provide the Service to you.
11. How Can You Access Your Data?
You have the legal right to ask for a copy of any of your personal data held by Us (where such data is held). Please contact our support for more details.
12. Cookies
Our Site may place and access certain first party Cookies on your computer or device. First party Cookies are those placed directly by Us and are used only by Us. We use Cookies to facilitate and improve your experience of Our Site and deliver Our Giveaway App.
By using Our Site and/or Giveaway App you may also receive certain third party Cookies on your computer or device. Third party Cookies are those placed by websites, services, and/or parties other than Us.
Strictly Necessary Cookies
These cookies are essential for the website to function and cannot be switched off. They are used for authentication, security, session management, and storing your cookie consent preferences.
- __RequestVerificationToken - CSRF (Cross-Site Request Forgery) protection token. Duration: Session
- .AspNet.ApplicationCookie - Authentication cookie. Duration: Session
- ASP.NET_SessionId - Session state management. Duration: Session
- cc_cookie - Stores your cookie consent preferences. Duration: 12 months
- giveawayninja_at - Security access token for the Giveaway App. Duration: Session/Long-term
- giveawayninja_initial_page - Records the first page visited by the user. Duration: Session
- giveawayninja_user_country - Stores user's country location. Duration: Long-term
- giveawayninja_tz - Stores user's timezone. Duration: Long-term
- utm_params - Stores UTM campaign parameters for marketing attribution. Duration: 365 days
Analytics Cookies
These cookies help us understand how visitors interact with our website by collecting information in an aggregated form. They are only enabled with your consent.
- Google Analytics - We use Google Analytics (Tracking ID: G-31H8SDDXVX) to analyze website usage and traffic patterns. This helps us understand user behavior and improve our website.
Privacy Policy: https://policies.google.com/privacy
- Hotjar - We use Hotjar (ID: 1059700) for user experience analytics including heatmaps and session recordings. This helps us understand how users interact with our website.
Privacy Policy: https://www.hotjar.com/privacy
Marketing Cookies
These cookies are used for advertising measurement, retargeting, and sales engagement. They are only enabled with your consent.
- Meta (Facebook Pixel) - We use Facebook Pixel (ID: 296554337619368) for conversion tracking, advertising measurement, and retargeting to show you relevant ads based on your visit to our website.
Privacy Policy: https://www.facebook.com/privacy/explanation
- Apollo.io - We use Apollo.io for sales engagement and visitor identification to improve our sales and marketing outreach.
Privacy Policy: https://www.apollo.io/privacy
Cookie Management
You can manage your cookie preferences at any time by clicking the cookie settings button (🍪) at the bottom left of any page on our website. You may also restrict your internet browser's use of Cookies through your browser settings.
13. Summary of Your Rights under GDPR
Under the GDPR (and equivalent UK and EEA data-protection laws), you have the following rights in respect of Personal Data we hold about you:
- Right of access — to obtain confirmation as to whether we process your Personal Data and a copy of such data;
- Right to rectification — to have inaccurate or incomplete Personal Data corrected;
- Right to erasure ("right to be forgotten") — to have your Personal Data deleted in the circumstances set out in Art. 17 GDPR;
- Right to restriction of processing — to have processing limited in the circumstances set out in Art. 18 GDPR;
- Right to data portability — to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller;
- Right to object — to object to processing based on legitimate interests or to direct marketing (including profiling for that purpose);
- Rights relating to automated decision-making and profiling — see section 13B;
- Right to withdraw consent — at any time, where processing is based on consent, without affecting the lawfulness of prior processing;
- Right to lodge a complaint with a supervisory authority. If you are based in Italy, the competent authority is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it). You may also lodge a complaint with the supervisory authority of the EU/EEA member state where you reside, work, or where the alleged infringement took place.
To enforce any of the foregoing rights or if you have any other questions about Our Site or this Privacy Policy, please contact Us using the details set out in section 14 below. We will respond to verified requests within one (1) month, extendable by a further two (2) months where necessary due to the complexity or volume of requests, in accordance with Art. 12(3) GDPR.
13A. Anonymized Data and Case Studies
We may collect, generate, use, and share aggregated, de-identified, anonymized, and/or statistical data derived from the operation of the Service — including campaign performance metrics, entry and conversion rates, engagement patterns, industry benchmarks, and usage trends ("Aggregated Data"). Aggregated Data does not identify any Customer, End User, or individual and is processed so that it cannot reasonably be re-associated with an identified or identifiable natural person.
We use Aggregated Data to operate, analyze, benchmark, improve, develop and market the Service; to train, evaluate and improve machine-learning and algorithmic models; and to publish industry reports, white papers, blog posts, marketing materials and anonymized case studies illustrating typical outcomes, strategies, or results achieved through use of the Service. Because Aggregated Data is not Personal Data, this use does not require your further consent.
Separately, if we wish to reference you, your brand, logo, trademarks, campaigns, or specific results in a named (non-anonymized) case study, testimonial, press release, or marketing material, we will first obtain your prior written consent (email is sufficient) and you may withdraw that consent for future uses at any time. This section mirrors the corresponding clause in our Terms of Service.
13B. Automated Decision-Making, Profiling and AI
We do not currently make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you, within the meaning of Art. 22 GDPR. Where we use automated processing for limited internal purposes (such as spam and fraud detection, deliverability scoring, or service-quality monitoring), a human review is available on request and no such decision will be made without meaningful human involvement if it would produce such significant effects. If this ever changes, we will update this Privacy Policy and, where required, obtain your consent.
Where we or our sub-processors use machine-learning or AI models in the operation of the Service, those models are trained only on Aggregated Data or on data processed in accordance with the purposes and legal bases described in this Policy. We do not send your Personal Data to third-party generative-AI providers for model training without a valid legal basis and appropriate safeguards.
13C. Children's Privacy
The Site and the Giveaway App are not directed to children. We do not knowingly collect Personal Data from individuals under the age of 16 (or the applicable digital-consent age in your jurisdiction). Customers running giveaways through our platform must not target children and must not configure campaigns to collect data from minors without verifiable parental consent as required by applicable law (including the GDPR and, where applicable, the US Children's Online Privacy Protection Act — COPPA). If you believe a child has provided us with Personal Data, please contact our support and we will take appropriate steps to delete it.
13D. Notice to California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), including the right to know what Personal Information we collect, use, disclose and (if applicable) sell or share; the right to delete Personal Information; the right to correct inaccurate Personal Information; the right to opt out of the sale or sharing of Personal Information; and the right to limit the use of sensitive Personal Information.
We do not sell Personal Information for money and we do not share Personal Information for cross-context behavioural advertising without your consent. To exercise any CCPA/CPRA right, contact our support. We will not discriminate against you for exercising these rights.
14. Contacting Us
If you have any questions about Our Site or this Privacy Policy, or wish to exercise any of your data-protection rights, please contact our support through the channels available on our website. Please ensure that your query is clear, particularly if it is a request for information about the data we hold about you (as described in sections 11 and 13). For security reasons we may ask you to verify your identity before fulfilling a request.
15. Changes to Our Privacy Policy
We may change this Privacy Policy from time to time as we deem necessary, or as may be required by law. Any changes will be posted on Our Site with an updated "Last Updated" date at the top of this Policy. Where changes are material, we will take reasonable steps to notify you in advance (for example, by email or an in-product notice) and, where required by law, obtain your consent.
We recommend that you check this page regularly to keep up-to-date.