Data Processing Agreement

Help

Get Help

24/7 Help

Cart

Received

How it works

Buy in Bulk

Help

Get Help

24/7 Help

Cart

The Wolfe Companies Data Processing Agreement

Updated February 2026

This Data Processing Agreement (“DPA”) is issued by The Wolfe Companies, LLC (“Wolfe”) and forms part of, and is incorporated by reference into, the applicable Terms of Service and Privacy Policy of Wolfe and each of its current and future subsidiaries, including without limitation PerfectGift.com, GiftYa, Gift Card Granny, and Give InKind (each, a “Subsidiary”) (collectively, the “Agreement”).

This DPA governs Wolfe’s and its Subsidiaries’ processing of Personal Information on behalf of business and consumer customers (each, a “Customer”) when Customer uses Wolfe’s and its Subsidiaries’ websites, applications, APIs, integrations, and other digital services (the “Services”). Customer and Wolfe shall be collectively referred to as the “Parties” and individually as a “Party”.

If any term of this DPA conflicts with the Agreement, the terms of this DPA shall control with respect to processing performed by Wolfe as a Processor/Service Provider.

1. Definitions

Capitalized terms not defined in this DPA have the meanings provided in the Agreement.

"Controller" / "Customer" means the entity that determines the purposes and means of processing; this also means the equivalent concept under applicable Data Protection Laws.
"Customer Data" means Personal Data that Customer provides to, or makes available through the Services to, Processor that Processor processes on behalf of Customer to provide the Services.
"Data Protection Laws" includes all applicable U.S. privacy laws, CCPA/CPRA, GDPR (if applicable), and similar statutes governing data processing.
"Personal Data/Personal Information" means information relating to an identified or identifiable person, as defined under applicable Data Protection Laws.
"Processing / Process" means any operation performed on Personal Information, including collection, storage, access, transmission, analysis, or deletion.
"Processor" / "Service Provider" / "Contractor" means the entity that processes Personal Information on behalf of a Customer; this also means the equivalent concept under applicable Data Protection Laws.
"Sub-processor" means any third party engaged by Wolfe to process Personal Information on its behalf.

2. Roles of the Parties

2.1 Wolfe as Processor

To the extent Customer provides Personal Information to Wolfe or permits Wolfe to collect Personal Information through the Services on Customer’s behalf, Wolfe acts as Customer’s Processor.

2.2 Customer as Controller

Customer is the Controller and determines:

the nature and purpose of processing,
the types of Personal Information provided, and
the end-users or data subjects whose information is processed.

3. Scope and Purpose of Processing

Wolfe will process Personal Information solely:

To provide, maintain, and secure the Service;
To perform order fulfillment, payment processing, and fraud prevention;
To support Customer's account, preferences, and operational needs;
To comply with legal or regulatory obligations (including card-network requirements)
As otherwise documented in Customer instructions

Any analytics or automated tools are used solely for security, fraud prevention, service integrity, and compliance purposes

Wolfe will not:

Sell or share Personal Information;
Use Personal Information for cross‑context behavioral advertising;
Use Personal Information for any purpose other than providing the Services.

4. Customer Instructions

Customer’s configuration of the Services, this DPA, and the Agreement constitute Customer’s complete and final instructions.

Wolfe will process Personal Information only in accordance with Customer’s documented instructions, unless required by law, in which case Wolfe will notify Customer unless legally prohibited.

5. Confidentiality

Wolfe will ensure that:

Personnel authorized to process Personal Information are bound by confidentiality obligations
Access is strictly limited to individuals with a legitimate need (e.g., fraud prevention analysts, security staff, support personnel).

6. Security of Processing

Wolfe uses reasonable and appropriate technical, logical and organizational measures consistent with the Privacy Policy, including:

Device fingerprinting
Behavioral analytics
Identity verification
Encryption where appropriate
Access controls and credential safeguards
Automated (including artificial intelligence) and manual fraud-detection tools
Security monitoring and incident detection
Measures designed to prevent unauthorized access or disclosement

Wolfe may update its security measures over time, provided such updates do not materially reduce the protections in place

7. Sub-Processors

7.1 Authorization

Customer provides a general authorization for Wolfe to use Sub‑processors, including:

Payment processors and card networks
Banks and financial institutions (for account-access services)
Fraud detection / analytics partners
Hosting and infrastructure providers
Delivery and logistics partners

A current list may be made available upon request.

7.2 Sub-Processor Obligations

Wolfe will ensure that each Sub‑processor is bound by contractual terms that impose obligations no less protective than those in this DPA.

Wolfe remains responsible for Sub‑processors’ performance.

8. Data Subject/Consumer Rights

Taking into account the nature of processing, Wolfe will assist Customer by:

Responding to access, correction, deletion, or opt-out requests
Providing tools or information needed for Customer to meet its obligations
Redirecting end-user request to Customer where appropriate

Any such assistance will be limited to what is reasonably practicable and proportionate to the nature of the processing. Wolfe will not respond directly to end‑users unless required by law.

9. Personal Data Breaches

Wolfe will notify Customer without undue delay after becoming aware of a breach involving Customer Personal Information. Wolfe will provide sufficient details to allow Customer to meet its legal obligations.

10. Data Retention and Deletion

Upon Customer’s written request, or upon termination of Services, Wolfe will delete (which may include irreversible anonymization where appropriate) or return Personal Information, including copies, unless retention is required by law, card-network rules, fraud-prevention obligations, or financial reporting requirements. Where required retention applies, Wolfe will keep the data isolated and protected.

11. Audits and Compliance

Upon Customer’s written request, and to the extent required by law, Wolfe will:

Provide documentation sufficient to demonstrate compliance with this DPA and with any applicable laws, including via industry-standard third party audit reports or certifications.
Allow a Customer‑initiated audit or inspection, subject to reasonable limits (e.g., once per year, non‑disruptive). In any event, a third-party auditor shall be subject to confidentiality obligations.

12. U.S. Privacy Law Requirements

To the extent Customer data is subject to U.S. privacy laws (CCPA/CPRA, etc.):

Wolfe will:

Act as a Service Provider/Contractor
Not retain, use, or disclose Personal Information except as required to provide the Services.
Not combine Customer data with data independently collected, except as permitted (fraud prevention, security, and compliance).
Notify Customer if it can no longer meet its obligations.

Customer will not instruct Wolfe in any way that would cause processing to constitute a “sale” or “sharing” of Personal Information under applicable laws.

13. International Data Transfers

If Customer requires processing involving residents of the EEA/UK/Switzerland, then:

The parties agree to Standard Contractual Clauses (SCCs), as applicable
Relevant Schedules or Annexes may be attached upon request.
Wolfe processes data in the United States as disclosed in the Privacy Policy.

14. Termination of Processing
Upon termination or expiration of the Services:

Customer may request deletion or return of Personal Information
If Customer does not provide instructions within 30 days, Wolfe may delete (which may include irreversible anonymization where appropriate) data consistent with its retention obligations

15. Liability

Liability is governed by the Agreement. Nothing in this DPA expands either Party’s liability beyond what is stated in the Agreement.

16. Changes to this DPA

Wolfe may update this DPA to reflect changes in law or practices, in the manner described in the Privacy Policy (posting updates with a revised “Updated” date), provided such changes do not materially reduce Customer’s protections.

17. Contact Information

Questions about this DPA may be directed to:
Email: privacy@perfectgift.com
Phone: (877) 448-4438
Mail: 495 Mansfield Avenue, Pittsburgh, PA 15205

Partner with us

Get to know us

Gifting

Support

Data Processing Agreement

Accessibility Statement

GiftYa, LLC provides its service as an agent of a licensed US bank (our "Financial Institution Partner") and all funds associated with GiftYa purchases are held in one or more pooled accounts at our Financial Institution Partner. Please see our terms of service for more information.