Privacy Policy

Last updated: 27 April 2026

This Privacy Policy explains how Wrapped handles personal information. Wrapped is a gift card and voucher platform operated by Loud Labs Limited, a New Zealand company (referred to in this policy as Wrapped, we, us, or our).

Three groups of people interact with Wrapped, and the way we handle their information differs:

  • Merchants — businesses that subscribe to Wrapped to run a gift card program. We act as a service provider to merchants and process most consumer information on their behalf.
  • Consumers — the customers, recipients, and users of gift cards issued through merchants who use Wrapped. We process consumer information primarily on instructions from the merchant.
  • Website visitors — anyone who visits wrappedgiftcards.com or our marketing pages.

Throughout this policy, personal information means information that identifies you or could reasonably be linked to you — for example, name, email address, phone number, postal address, IP address, or transaction history.

A summary of who controls what

For information about the merchants we contract with directly, Wrapped is the controller (or "agency" under the New Zealand Privacy Act 2020). We decide why and how that information is processed.

For information about consumers — gift card buyers, recipients, and redemption customers — the merchant is the controller and Wrapped acts as a processor on their behalf. The merchant chooses what data to collect, how to use it, and how long to keep it; we follow their instructions, our service agreement, and applicable law.

What we collect, and where it comes from

If you're a merchant

We collect:

  • Identification — business name, contact name, role, email, phone, billing address.
  • Authentication and account — username, hashed password, two-factor settings, API keys, OAuth tokens for connected POS or eCommerce platforms.
  • Billing — payment-method details (handled by our payment processor; we don't store full card numbers), invoicing history, plan and usage data.
  • Operational — your gift card program configuration, branded assets, integration settings, and audit logs of staff actions.
  • Support — the content of conversations and tickets, including any attachments you send us.
  • Technical — browser, device, IP address, language, referral path, and product-usage events when you sign in to the platform.

We collect this directly from you, from your connected platforms (with your authorisation), and from our infrastructure logs.

If you're a consumer of a Wrapped merchant

We process, on the merchant's behalf:

  • Identity and contact — name, email, phone, mailing address (where the merchant captures it).
  • Gift card details — purchase amount, recipient, scheduled delivery date, personalised message, redemption history, balance.
  • Transaction and channel — POS or eCommerce identifier, location, timestamp, items purchased on redemption.
  • Communications — gift card emails sent to you, opens and clicks, balance enquiries.
  • Technical — IP address, device, and approximate location when you interact with a Wrapped-hosted page (storefront, balance check, wallet pass install).

This data comes from the merchant's POS or eCommerce platform, the gift card purchase or redemption interaction, and our infrastructure logs.

If you're a website visitor

We collect:

  • Pages visited, time on page, referrer URL, IP address, device, and approximate location.
  • Aggregated and anonymised analytics about how the marketing site is used.
  • Information you submit through forms — for example, demo bookings or newsletter sign-ups.

How we use the information

For merchants, we use the information to:

  • Set up and operate your account, deliver the platform's features, and let you sign in securely.
  • Bill you, collect payment, and meet our tax and accounting obligations.
  • Provide support, communicate about your account, and respond to your enquiries.
  • Detect and prevent fraud, abuse, security incidents, and breaches of our Terms.
  • Improve the platform — fix bugs, ship features, measure adoption, train internal models on aggregated, de-identified usage data.
  • Comply with applicable law, respond to lawful requests, and enforce our agreements.
  • Send service announcements (which you can't opt out of while you have an account) and marketing emails (which you can opt out of any time).

For consumer information, we follow the merchant's instructions and use the data to:

  • Issue, deliver, and track gift cards, vouchers, and store credit.
  • Sync balances and redemption events across the merchant's connected channels.
  • Send communications the consumer expects from the merchant — gift card receipts, recipient delivery, balance reminders, and any marketing the merchant has obtained consent for.
  • Power security and fraud-prevention features that protect the merchant's program.

For website visitors, we use the information to operate, secure, and improve the marketing site, measure the effectiveness of our content and advertising, and reply when you contact us.

Legal bases for processing

Where the GDPR, UK GDPR, or similar law applies, we rely on these bases:

  • Contract — to deliver the service to merchants and to meet contractual obligations.
  • Legitimate interests — to secure the platform, prevent fraud, improve the product, and run direct marketing within the limits the law allows.
  • Legal obligation — to satisfy tax, accounting, anti-money-laundering, and lawful-request obligations.
  • Consent — for marketing emails, certain cookies, and any processing where you've explicitly opted in. You can withdraw consent any time.

In New Zealand, the Privacy Act 2020 applies; the principles around purpose, accuracy, security, and access are met through the practices set out in this policy.

Who we share information with

We share information only as needed to run the service:

  • Service providers we use to run Wrapped — cloud hosting (Amazon Web Services), email delivery, payment processing, analytics, error tracking, and customer support tooling. These providers are contractually limited to processing data on our instructions.
  • Integration partners you connect — when you connect a POS, eCommerce platform, wallet provider, or marketing tool, we exchange the data needed to make that integration work.
  • The merchant, if you're a consumer — your information is shared back to the merchant whose program issued your gift card, since they're the data controller.
  • Government, courts, and regulators, where the law requires it or where it's necessary to defend legal claims.
  • A successor entity, if Wrapped or its parent is involved in a merger, acquisition, or asset sale — in which case we'll notify you and the new entity will be bound by privacy obligations no less protective than this policy.

We don't sell personal information, and we don't share it for cross-context behavioural advertising.

Where data is stored and processed

Wrapped's primary infrastructure runs on Amazon Web Services in the United States. Some of our service providers may process data in other countries. When personal information moves across borders, we rely on contractual safeguards (such as Standard Contractual Clauses for transfers from the EEA or UK) and apply the same protections set out in this policy.

How long we keep it

We keep merchant account data for as long as you have an account, and for a reasonable period after cancellation to handle billing reconciliation, legal claims, audit, and fraud prevention. Routine retention after cancellation is up to 12 months, with longer retention only where the law requires it (for example, tax records). Aggregated, anonymised analytics may be retained indefinitely.

We hold consumer information for the period the merchant instructs, subject to legal minimums and any retention needed to honour outstanding gift card balances and resolve disputes.

How we secure information

We apply technical, administrative, and physical controls proportionate to the sensitivity of the data we hold. These include encryption in transit and at rest, scoped access controls with two-factor authentication for staff, separated production and testing environments, regular security reviews, vendor due diligence, and breach-response procedures. No platform is invulnerable, and we describe the precautions but do not guarantee absolute security.

If a security incident affects your information in a way that requires notification under applicable law, we'll let you know without undue delay.

Cookies and similar technologies

Wrapped uses cookies and similar technologies for three purposes: to keep you signed in (essential), to remember preferences such as language, and to measure how the platform and marketing site are used. We don't currently set advertising cookies. You can control cookies through your browser settings; turning off essential cookies may break sign-in flows.

Marketing communications

We may send merchants product updates, news, and promotional emails about Wrapped. Every marketing email includes an unsubscribe link, and you can email support@wrappedgiftcards.com to opt out of any non-essential message. We'll still send service emails — receipts, security alerts, breach notices, terms updates — because these are part of operating your account.

Emails sent to consumers from a merchant's program follow the merchant's consent model and Wrapped's anti-spam controls. We don't email a consumer without the merchant's instruction and the consumer's expected relationship with the merchant.

Your rights

Depending on where you live, you may have rights to access the personal information we hold about you, ask us to correct or delete it, object to or restrict certain processing, request portability of your data, and withdraw any consent you've given. To exercise these rights as a merchant, contact us at support@wrappedgiftcards.com. We'll respond within the time limit set by applicable law (typically 30 days).

If you're a consumer of a merchant who uses Wrapped, please contact the merchant directly — they're the controller of your data and we act on their instructions. If you reach out to us, we'll forward your request to the merchant and assist them in responding.

EU and UK residents can also lodge a complaint with their local supervisory authority. New Zealand residents can complain to the Office of the Privacy Commissioner.

Children

Wrapped is a B2B platform for businesses; it isn't directed at children. We don't knowingly collect personal information from anyone under 16 in connection with a merchant account. If you believe a child has submitted information through a merchant's gift card flow, contact the merchant; if you can't reach them, contact us and we'll take reasonable steps to help.

Changes to this policy

We update this policy as our practices evolve. The "Last updated" date at the top reflects the most recent change. Material changes are notified to merchant account contacts by email and surfaced in the product before they take effect.

Contacting us

Questions, requests, or complaints about how we handle personal information can be sent to support@wrappedgiftcards.com. Postal mail can be addressed to Loud Labs Limited, New Zealand.