Privacy policy

This Privacy Notice informs you about the processing of your personal data by us when you visit our website every-wish.co.uk and when you purchase or redeem a gift card via our website.

1. Name and contact details of the controller

Wishcard UK GmbH
Verena Argauer, Dr. Andreas Betzer, Florian Pauthner & Valentin Schütt
Rosental 6
80331 Munich, Germany
Telephone: +44-2045 773107
E-mail: info@every-wish.co.uk

2. Name and contact details of the data protection officer

Oliver Baldner
bITs GmbH
Detmolder Strasse 204
33100 Paderborn
E-mail: oliver.baldner@bits.gmbh
Phone: +49 (0) 5251-6889480

3. Categories of personal data, purposes of processing and legal bases

The table below identifies which categories of your personal data we process, for which purposes, and on which legal basis the processing is based.

Depending on the purpose for which we process your personal data, the following legal bases generally come into consideration:

  • Consent: We have your specific consent to carry out the processing for the purpose in question;
  • Contract: The processing is necessary to perform a contract that we are about to enter into, or have entered into, with you;
  • Legal obligation: The processing is necessary for compliance with a legal obligation;
  • Legitimate interest: The processing is necessary to pursue our legitimate interests or those of a third party and we are confident that your interests are not overridden.
Categories | Categories of personal data | Purpose of processing | Legal basis
Visiting our website
  • Your IP-Address
  • Visited webpages of our website
  • Date and time you visited our website
  • Browser type and version
  • Operating system
  • Name of the search engine or the external link
  • Name of the downloaded files
  • Delivering and optimizing the content of our website
  • Ensuring the long-term functionality of our information technology systems as well as of the technology of our website
  • Providing law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack

Legitimate interest

Our legitimate interest lies in the provision of a functional and user-friendly website.

Purchasing a gift card
  • First and last name
  • Country/Region
  • Address
  • Email address
  • Purchased Gift card(s)
  • Purchase price
  • Shipping address
  • Payment method
  • Gift card code
  • Invoice
  • Handling and performance of the contract (i.e., the purchase contract)
  • Providing invoice
Contract
Payment processing

Payment details as requested by payment service provider. These can include:

  • First and last name of card owner
  • Payment method
  • Card details
  • Payment-ID
  • Purchase amount
  • Date and time of payment
  • Email address
  • Processing of payments
Contract
Redeeming a gift card
  • First and last name
  • Email address
  • Gift card code
  • Chosen voucher
  • Handling the redemption of a gift card
Contract
Contact form
  • Name
  • Email address
  • Phone number
  • Comment (i.e., your message)
  • Handling and answering your query

Contract (if your query is related to a contract you have concluded with us (e.g., a purchase agreement of a gift card) or leads to the conclusion of a contract)

Legitimate interest (if your query is not contract-related (e.g., general customer queries regarding product information))

In this case, our legitimate interest lies in answering your query.

Sending the Newsletter
  • Email address
  • Confirmation email
  • Registration for newsletter
  • Sending of the newsletter
Consent
Newsletter Tracking
  • Email address
  • Tracking of newsletter subscribers with regard to opening emails and clicking on articles
Consent
Retention of documents

Depending on the document that is being retained, in general

  • Purchase agreement including the data under Purchasing a gift card
  • Payment data
  • Gift card code and voucher chosen
  • Content of query sent via contact form including the personal data mentioned under Contact form
  • Consent to receiving newsletters including confirmation email
  • Compliance with statutory obligations
  • Accountability due to statutory obligations
  • Providing evidence in case of a legal dispute or an administrative request

Legal obligation (if the data is retained due to statutory obligations or for accountability purposes)

Legitimate interest (if data is retained to be able to provide evidence in case of a legal dispute)

Our legitimate interest lies in being able to present evidence in a proceeding.

Assertion of and defense against legal claims

Depending on the individual case, possibly

  • Purchase agreement including the data under Purchasing a gift card
  • Payment data
  • Gift card code and voucher chosen
  • Content of query sent via contact form including the personal data mentioned under Contact form
  • Consent to receiving newsletters including confirmation email
  • Asserting legal claims
  • Defending legal claims

Legitimate interest

In this case, our legitimate interest lies in being able to assert and defend legal claims.

Giving feedback (Trustpilot widget)
  • First and last name
  • Email address
  • Reference number
  • Order ID
  • Sending invitations to provide feedback
  • Receiving feedback from customers
  • Linking feedback to the respective customer

Legitimate interest

Our legitimate interest lies in being able to receive your feedback.

Consent (if information is stored in your terminal equipment or information that is already stored in your terminal equipment is accessed)

Participating in a survey and conducting a sweepstake (Survio tool)
  • Email address
  • Order ID
  • Conducting a survey
  • Sending the prizes to the winner(s) of a sweepstake
  • Linking the contestants with a specific order and feedback
Consent
Fraud prevention
  • First and last name
  • Email address
  • Respective payment details depending on payment method
  • Preventing fraudulent activities
  • Creating a risk score

Legitimate interest

Our legitimate interest lies in preventing fraudulent activities and protecting ourselves against them.

Using the services of Google reCAPTCHA
  • IP address of the website visitor
  • Web page that was visited
  • Screen and window resolution
  • Mouse movements and keyboard inputs
  • Device settings (such as language and location)
  • Cookies
  • Browser plugins installed
  • Checking whether a natural person or a bot is making entries

Legitimate interest

Our legitimate interest lies in preventing fraudulent activities and protecting ourselves against them.

Carrying out evaluations of user behavior with Google Analytics as part of the so-called "server-side tracking" on the website and by cookie for the app
  • Browser- and device information
  • Approximate location data
  • Session statistics
  • Number of users
  • Analyzing your use of our website (web analysis services)

Legitimate interest (for server-side tracking on the purchase page)

Our legitimate interest lies in tracking our website traffic and our marketing strategy.

Consent (for the cookie tracking on the redemption page)

Google Ads
  • Visitor ID: The visitor ID is a unique identifier that is assigned to each visitor to your website. This ID is used to track visitors across multiple pages and sessions.
  • Timestamp: The timestamp is the date and time of the visitor's first interaction with your website.
  • Page views: The number of pages that the visitor has viewed on your website.
  • Sessions: A group of interactions with your website that are separated by a period of inactivity.
  • Bounce rate: The percentage of visitors who leave your website after viewing only one page.
  • Conversion rate: The percentage of visitors who take a desired action on your website, such as making a purchase or signing up for a newsletter.
  • Demographics: Information about the visitor's age, gender, location, and interests.
  • Behavior: Information about the visitor's browsing habits, such as the pages they visit, the links they click, and the products they view.
  • We also use the “Enhanced conversion tracking” in Google Ads. Here, customer data is transferred to Google in anonymised form in order to obtain better tracking results.
  • Conversion tracking to measure user actions
  • Remarketing to follow users' behavior across various websites
Consent
Meta Pixel
  • IP address
  • User-ID
  • Facebook Account
  • Automatic advanced matching with the use of the Facebook pixel
  • When using the Facebook pixel tool, we have activated automatic advanced matching. This function allows us to send e.g. e-mail addresses, names, gender, city, state, postcode and date of birth or telephone number of a person as additional information to Meta Platforms, provided that the respective person has provided us with this data.
  • Observing users' online behavior on different sites
Consent
Google Ad Manager
  • Visitor ID
  • Timestamp
  • Page views
  • Sessions
  • Bounce rate
  • Conversion rate
  • Demographics
  • Behavior
  • We also use the “Enhanced conversion tracking” in Google Ads. Here, customer data is transferred to Google in anonymised form in order to obtain better tracking results.
  • Google Ad Manager is an ad management platform for publishers (advertisers) and offers detailed control options and supports multiple ad platforms and ad networks, such as AdSense, Ad Exchange and third-party ad platforms and ad networks.
Consent
Google Tag Manager
  • IP-Address
  • Device- and browser information
  • Location data
  • Visited page sequence
  • Technical data
  • Integrating various website tags from Google into our website (e.g. website analysis products)
Consent

4. Recipients

We transfer your personal data to service providers we engage for the provision of our services and our business operations such as

  • IT service providers (e.g., for hosting or fraud prevention),
  • Newsletter/marketing service providers,
  • customer support service providers and
  • payment service providers e.g., Shop Pay by Shopify, Amazon Pay (Amazon.com, Inc.), Stripe, Inc. and PayPal Holdings, Inc.

In case our service providers process your personal data on our behalf, we enter into a data processing agreement with them.

Where required by law, necessary for the assertion or defense of legal claims, or requested in an official order or by a court, we transfer your personal data to a court or a public authority.

5. Cookies

We use cookies on our website to make our internet presence more user-friendly and functional. Some cookies remain stored on your end device.

These are small text files that are sent from our web server to your browser and stored on your computer's hard disk. Only an individual pseudonym will be stored. This information is used, for example, to recognize you when you navigate our website and to make navigation easier for you.

Cookies are divided into the following categories depending on their purpose and function:

  • Technically necessary cookies to ensure the technical operation and basic functions of our website. This type of cookie is used, for example, to maintain your settings while you navigate the website or they can ensure that important information is retained throughout the session (e.g. login, shopping cart).
  • Performance cookies to understand how users interact with our website by collecting and analyzing information anonymously only. This provides us with valuable insights to optimize both the website and our products and services.
  • Advertising cookies to set targeted advertising activities for users on our website.

The legal basis for the use of technically necessary cookies is based on our legitimate interest in the technically flawless operation and smooth functionality of our website. It is not necessary to obtain consent for these cookies, as the use of these cookies is necessary to provide important functions of the website.

The use of performance and advertising cookies is based on the consent previously obtained from you. You can withdraw your consent to the use of cookies at any time for the future. Consent is voluntary. If you do not consent, there are no disadvantages.

Alternatively, you can also view this website without cookies. You can preset this in your browser. Please note that some functions of the website may no longer be available in whole or in part as a result.

Further information about the cookies we use (in particular about their purpose and storage duration) can be found in our

We also use so-called local storage functions (also known as "local storage") on our website. This involves storing data locally in your browser's cache, which continues to exist and can be read even after you close the browser - unless you delete the cache or it is session storage. Third parties cannot access the data stored in the local storage. If you do not want data to be stored in the local storage, you can control this in the settings of your respective browser. We would like to point out that this may result in functional restrictions.

This cookie table has been created and updated by the Consent Management - CookieFirst.

6. Google reCAPTCHA

We use the Google reCAPTCHA tool, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), to detect bots on this site.

Google reCAPTCHA is integrated into this website in order to ensure that entries made in online forms, for example, are actually made by real persons and are not automated by software (or bots). For this purpose, reCAPTCHA will display a clickable checkbox "I am not a robot". In addition, users may have to click on the checkbox to display various images, which must be assigned to a given image theme by clicking on the relevant images (e.g. selection of all images with cars).

Google reCAPTCHA analyses the behaviour of visitors of this website using different characteristics. Google reCAPTCHA processes personal data such as your IP address, your length of stay on our website and further information about your use of this website.

If personal data is transferred to the service provider Google in the USA when using Google reCAPTCHA, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

The privacy policy with the description of data processing by Google can be accessed here.

7. Google Analytics 4

We use the Google Analytics 4 tool, a service provided by Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland ("Google"), to analyse your engagement with our website (web analysis tool).

The tracking takes place on the server side. This means that user data is processed on one of our servers (on a so-called proxy server) and not in the user's browser. Server-side tracking ensures that user data is not transmitted directly to Google but is first pseudonymized on our own server. The IP address is replaced by a pseudonymous identifier that is sent to the service provider instead of the user's IP address. In this way, Google only receives data that the company itself cannot assign to individual users. On our behalf, Google will use the pseudonymized data to evaluate your use of the website and to compile reports on website activity.

Google is a part of Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. If personal data is transferred to the service provider Google LLC in the USA when using Google Analytics 4, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

8. Google Ads

We use the Google Ads tool, a service provided by Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland ("Google").

Google Ads (formerly known as "Google AdWords") is an advertising system that allows advertisers to place ads on the Internet that are primarily based on the search results when using the company's own services.

We use the conversion tracking service. Google defines conversion as the performance of a desired action by users (recipients of an advertising message) from the advertiser's perspective. Conversions are measured (conversion tracking) to determine whether users have viewed the respective ad or the displayed content as an opportunity to perform the desired action from the advertiser's point of view. This is used to measure the success of the advertisers' respective advertising campaigns.

We also use the remarketing service (also known as retargeting). Google Ads remarketing or retargeting is a technology that allows advertisers to follow their potential customers when users of an advertiser's website visit that website. In this case, a remarketing code is generated and added to a remarketing or retargeting list on the website of the respective advertiser. If users visit another website that belongs to the Google advertising network, the information and/or the ad of the respective advertiser will be displayed to the users on the resources that belong to the Google advertising network.

Google is a part of Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. If personal data is transferred to the service provider Google LLC in the USA when using Google Analytics 4, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

Google informs you about the processing of your personal data in the context of the use of the Google Ads tool and in general in the context of the use of Google services here. The service provider Google informs you about the types of processing that take place and the data processed here. Data processing conditions for Google's advertising products have been concluded between Google and us, which you can access here.

9. Google Ad Manager

We use the Google Ad Manager tool, a service provided by Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland ("Google").

Google Ad Manager is an ad management platform for publishers (advertisers) and offers detailed control options and supports multiple ad platforms and ad networks, such as AdSense, Ad Exchange and third-party ad platforms and ad networks.

We use Google Ad Manager to define, create and manage our advertising campaigns, and Google Ad Manager generates the associated reports for us. In doing so, we define ad inventories or so-called ad units. Ad units are the areas on our website (or app) in which ads are to be presented. In Ad Manager, a tag (a code snippet) is generated for each ad unit. This snippet is inserted on our website (or app, if applicable). When a user visits the website (or app, if applicable), a request is sent to Google Ad Manager via the ad tag.

We create orders and advertising bookings through the Google Ad Manager. An ad for this request can then be delivered via campaigns that refer to or are targeted at the ad unit. The best ad presented at the time of the request is selected in Ad Manager. In the customizable Google Ad Manager reports, we can see which ads are delivered in which inventory (in which project), how much revenue you are likely to generate and much more.

When using the Google Ad Manager tool, we and the service provider Google generally act as independent controllers and only when using individual functions of the tool does Google act in the role of a processor bound by instructions, with whom we have concluded a data processing agreement in accordance with Art. 28 GDPR for this case. See the information provided by Google here.

To find out more about Google's privacy policy in general, you can access this policy here. Google is a part of Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. If personal data is transferred to the service provider Google LLC in the USA when using Google Analytics 4, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

10. Google Tag Manager

We use the Google Tag Manager tool, a service provided by Google Ireland Limited, Gordon House Barrow Street, Dublin 4, Ireland ("Google").

We use the Google Tag Manager service to integrate various website tags from Google into our website (e.g. website analysis products).

In programming language, tags are parts of code that are used to track the activities of visitors to a website. The word "tag" refers to a label or a marker and is used to mark a database with certain (additional) information. Depending on the type of activity tracked and the function of the respective tag, a distinction is made in particular between so-called counter tags, conversion tags, remarketing tags and container tags.

As a processor, Google processes your personal data on our behalf. For this purpose, we have concluded a data processing agreement with Google in accordance with Art. 28 GDPR. Google is authorized to commission subcontractors. You can access a list of approved subcontractors here.

To find out more about Google's privacy policy in general, you can access this policy here. Google is a part of Google LLC, located at 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. If personal data is transferred to the service provider Google LLC in the USA when using Google Analytics 4, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

11. Meta-Pixel

We use the Meta-Pixel tool on our website, a service by Meta Platforms Limited, based in 4 Grand Canal Place, 2 CO Dublin (Ireland).

The meta pixel tool is used to analyze and measure the success of advertising placed on the online platform of the social network Facebook.

If we place advertisements for our products and services on our Facebook page, we only want to show them to people who are actually interested in our products and services. The meta pixel tool allows us to better tailor our advertising measures to the wishes and interests of potential customers. In this way, Facebook users who have consented to the display of personalized advertising are presented with suitable advertising. Meta Platforms also uses the data collected when using the meta pixel for its own analysis purposes and to display its own advertisements.

If the service provider Meta Platforms uses the data for its own purposes, you will find information on the legal basis, the storage period and the assertion of data subject rights in the service provider's data protection information here.

In order to display our advertising only to interested persons, as explained above, we have implemented the code that ensures the function of the Meta-Pixel tool on our website that you visit. The implemented code provided by Meta Platforms loads functions that enable Meta Platforms to analyze and measure your actions if you reach our site via Facebook ads.

Once the comparison has taken place, the data is deleted by Meta Platforms. The data collected by Meta Platforms is anonymous and cannot be viewed by us as users of Meta-Pixel. This data is only used by Meta Platforms in the context of displaying advertisements. In the context of the data processing that takes place, it makes a difference whether you have a Facebook user account and are logged in to the Facebook page as a user in your browser, or whether you do not have a Facebook user account.

If you have a Facebook user account and are logged in, Meta Platforms will automatically associate your data with your user account when you visit our site. You can adjust your settings for advertisements here if you are logged into your Facebook user account.

If you do not have a Facebook user account, you can click here to manage your usage-based advertising and activate or deactivate individual advertising providers.

Meta Platforms Limited is a part of Meta Platforms, Inc., located at 1601 Willow Road Menlo Park, California 94025-1452, USA. If personal data is transferred to Meta Platforms, Inc. in the US, the data is transferred on the basis of the adequacy decision of the European Commission EU-U.S. Data Privacy Framework (EU-U.S. DPF) within the meaning of Art. 45 para. 3 GDPR.

12. Links to third-party websites

Our website contains links to other websites. We have no influence on whether their operators and controllers comply with data protection regulations. Despite careful checking of the content, we accept no liability for the content of external links. The operators of the linked websites are solely responsible for their content.

13. Duration of processing

We process your personal data for as long as necessary to achieve the purposes of processing and/or if we have an ongoing legitimate business interest in retaining your personal data. For example, an ongoing legitimate interest would be retaining your personal data for the duration of applicable limitation periods, which are usually 3 years. In certain instances, we are required to retain your personal data in order to comply with statutory obligations such as applicable tax and/or commercial retention obligations. Documents subject to a statutory retention obligation are usually stored up to 10 years. Once the retention of your personal data is no longer necessary for the purpose of its processing, and there is no ongoing legitimate business interest in and no statutory obligation for retaining your personal data, we will delete your personal data.

14. International data transfers

In case we transfer your personal data to recipients located outside the UK, we will make sure that an appropriate transfer mechanism is in place to safeguard your personal data. Such transfer mechanisms will usually be an adequacy decision adopted by the Secretary of State and appropriate safeguards such as standard data protection clauses specified in regulations made by the Secretary of State. Where necessary, we will take additional measures to safeguard your personal data. You can obtain a copy of the appropriate safeguards by sending an email to info@every-wish.co.uk.

15. Your data protection rights

Subject to the statutory requirements, you have the following data protection rights:

  • Right of access: You have the right to obtain from us confirmation as to whether or not we process your personal data, and, where this is the case, to access your personal data;
  • Right to rectification: You have the right to request rectification of inaccurate personal data from us, and the right to have incomplete personal data completed by us;
  • Right to erasure: You have the right to request erasure of your personal data from us.
  • Right to restriction: You have the right to request restriction of processing;
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format and the right to have your personal data transmitted to another controller without hindrance;
  • Right to object: You have the right to object to the processing of your personal data at any time.
  • Right to withdrawal: You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before your withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office ("ICO") about the processing of your personal data by us. Contact details for the Information Commissioner's Office, the UK's data protection authority, are available here.

16. Provision of your personal data

You are not statutorily or contractually required to provide us with your personal data; however, if you refrain from providing your data, we are unable to enter into a contract (i.e., purchasing contract) with you.