Legal

Privacy Policy

Last updated: May 15, 2026

1. Introduction

This Privacy Policy explains how Balloon & Tusk ("we," "us," "our") collects, uses, shares, and protects information when you use balloonandtusk.com and our related services, including the GiftPilot AI platform (collectively, the "Service"). By using the Service, you agree to the practices described in this Policy.

2. Information We Collect

Account Information. When you create an account, we collect your name, email address, and password (stored in hashed form). If you sign in with Google, we receive your name, email address, and profile identifier from Google.

Recipient Information. You may enter names, relationships, important dates, interests, personality notes, budget preferences, and other personal details about gift recipients. You are responsible for ensuring you have a reasonable and lawful basis to provide information about other individuals.

Billing Information. When you subscribe to a paid plan, our payment processor, Stripe, Inc., collects your payment card details, billing address, and related financial information. We do not store full payment card numbers on our servers. We receive from Stripe your subscription status, plan type, and transaction history.

Saved Payment Methods (Concierge). If you save a card for one-tap Concierge approvals, the card itself stays with Stripe under your Stripe Customer record. We store only non-sensitive references (last four digits, brand, expiration, and a Stripe payment method identifier) to display saved cards and charge them when you authorize a Concierge purchase. You can remove a saved payment method at any time from your account settings.

Saved Shipping Addresses (Concierge). If you save shipping addresses for Concierge orders, we store the recipient name, street address, city, state/region, postal code, country, and optional label. We share an address with a third-party retailer only when you approve a Concierge purchase shipping to that address. You can delete any saved address at any time.

Usage Data. We automatically collect log data, including your IP address, device identifiers, browser type and version, operating system, pages viewed, features used, interactions with gift suggestions (including thumbs-up/thumbs-down feedback), referring URLs, and timestamps.

Cookies and Similar Technologies. We use cookies and similar technologies for:

• Essential cookies — required for authentication, session management, and security
• Preference cookies — to remember your settings and display preferences
• Analytics cookies — to understand how users interact with the Service and to improve performance

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

AI Interaction Data. When you generate gift recommendations, we process the recipient details and occasion information you provide through third-party AI services (Google Gemini and OpenAI). We send only the minimum data necessary to generate relevant suggestions.

3. How We Use Information

We use the information we collect to:

• Operate, maintain, and improve the Service
• Generate personalized gift recommendations using AI
• Process payments and manage subscriptions through Stripe
• Send transactional communications (account verification, billing receipts, holiday alerts you have opted into)
• Analyze usage patterns to improve features and user experience
• Prevent fraud, detect abuse, and enforce our Terms of Service
• Comply with legal obligations
• Respond to your support requests

We do not use your personal information for third-party advertising. We do not sell your personal information.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

• Contract performance — to provide and operate the Service as described in our Terms
• Legitimate interests — to improve, secure, and analyze the Service, provided these interests are not overridden by your rights
• Consent — for marketing communications where required by law; you may withdraw consent at any time
• Legal obligations — to comply with applicable laws and regulations

5. Sharing of Information

We share information with the following categories of recipients:

Service Providers. Third parties who help us operate the Service, including:

• Stripe, Inc. — payment processing
• Google — authentication (OAuth), AI services (Gemini)
• OpenAI — AI services (GPT models for Pro tier)
• Hosting and infrastructure providers — database hosting, cloud services
• Email delivery providers — transactional email
• Analytics providers — usage analytics

Affiliate Retail Partners. When you click an affiliate link, you are directed to a third-party retailer (such as Amazon, Etsy, UncommonGoods, 1-800-Flowers, or Goldbelly). We do not transmit your personal data to these retailers; the click-through itself may allow the retailer to collect information about your visit under their own privacy policy.

Legal and Safety. We may disclose information when required by law, subpoena, or court order, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such transfer and any changes to this Policy.

We do not sell your personal information to any third party.

6. Data Retention

• Account and recipient information — retained for as long as your account is active
• Usage data — retained for up to 24 months, then aggregated or deleted
• Billing records — retained as required for accounting, tax, and legal compliance

After you delete your account, we will remove your personal data within 30 days, except where retention is required for legal, accounting, fraud-prevention, or backup purposes.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Deletion — request deletion of your personal data
• Data portability — request your data in a structured, machine-readable format
• Restriction — request that we restrict processing of your data
• Objection — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at support@balloonandtusk.com. We will respond within 30 days (or sooner where required by law).

California Residents (CCPA/CPRA). If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including:

• The right to know what personal information we collect, use, and disclose
• The right to delete your personal information
• The right to correct inaccurate personal information
• The right to opt out of the sale or sharing of personal information (we do not sell or share your personal information as defined by the CCPA)
• The right to non-discrimination for exercising your privacy rights

To submit a request, contact us at support@balloonandtusk.com. We may verify your identity before fulfilling your request.

Categories of personal information collected (for CCPA disclosure): identifiers (name, email, IP address), commercial information (subscription and billing history), internet or electronic network activity (usage data, cookies), and inferences drawn from the above (gift recommendation preferences).

8. Security

We use industry-standard technical and organizational measures to protect your information, including:

• Encryption in transit (TLS/SSL)
• Hashed credentials (passwords are never stored in plain text)
• Row-level access controls in our database
• Regular security reviews

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities as required by law.

9. International Transfers

Your information may be processed in the United States or other countries where our service providers operate. If you are located outside the United States, your data may be transferred to and processed in a country with different data protection laws. We rely on appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, where required.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, contact us at support@balloonandtusk.com and we will promptly delete it.

11. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for responding to DNT signals. At this time, the Service does not respond to DNT signals. We do not track users across third-party websites for advertising purposes.

12. Third-Party Links

The Service contains links to third-party retailers and websites. These third parties have their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party site you visit through the Service.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 15 days before they take effect, with the "Last updated" date revised accordingly. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.

14. Contact

Questions about this Privacy Policy or your data? Contact us at support@balloonandtusk.com.