Privacy Policy

Last updated: May 6th, 2026

This privacy notice for On Me Gifting Inc. and Secure Gift Holdings LLC (collectively, "we," "us," or "our") describes how and why we might collect, store, use, and/or share ("process") your information when you use our services ("Services"), such as when you:

  • Visit our website at onme.com, business.onme.com, or any website of ours that links to this privacy notice;
  • Download or use our mobile application ("On Me App"), or any application of ours that links to this privacy notice;
  • Engage with us in other related ways, including any sales, marketing, or events;
  • Send, receive, view, or interact with gifts through our Services, including gifts displayed on public gift feeds (consumer Services only);
  • Access or use the On Me Business Portal as an Organization or as an Authorized User (Org Admin or Gift Sender) of an Organization;
  • Receive a gift sent through the Business Portal as a designated Recipient.

Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. For general questions, contact us at info@onme.com. For Business Portal privacy matters, including DPA requests and controller/processor questions, contact us at privacy@onme.com.

SUMMARY OF KEY POINTS

This summary provides key points from our privacy notice; details follow each topic below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law.

Do we receive any information from third parties? We may receive information from public databases, marketing partners, social media platforms, Organizations using our Business Portal, and other outside sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

In what situations and with which types of parties do we share personal information? We may share information in specific situations and with specific categories of third parties.

How do we keep your information safe? We have organizational and technical processes and procedures in place to protect your personal information, but cannot guarantee 100% security.

What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information.

How do you exercise your rights? Submit a data subject access request, or contact us. We will consider and act on any request in accordance with applicable data protection laws.

  • Are you an Organization or Authorized User using the Business Portal? A specific set of practices applies — including a controller/processor framework, a no-public-gifts carve-out, and an available Data Processing Addendum. See §13.
  • Are you a Recipient of a Business Portal gift? Your contact information was provided to us by the Organization that sent you the gift. We process it on the Organization's behalf to deliver the gift to you. See §13.

Want to learn more about what we do with any information we collect? Review the privacy notice in full.

TABLE OF CONTENTS

  1. WHAT INFORMATION DO WE COLLECT?
  2. HOW DO WE PROCESS YOUR INFORMATION?
  3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
  4. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?
  5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
  6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
  7. HOW LONG DO WE KEEP YOUR INFORMATION?
  8. HOW DO WE KEEP YOUR INFORMATION SAFE?
  9. DO WE COLLECT INFORMATION FROM MINORS?
  10. WHAT ARE YOUR PRIVACY RIGHTS?
  11. CONTROLS FOR DO-NOT-TRACK FEATURES AND UNIVERSAL OPT-OUT SIGNALS
  12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
  13. BUSINESS PORTAL: ORGANIZATIONS, AUTHORIZED USERS, AND RECIPIENT DATA
  14. INTERNATIONAL DATA TRANSFERS
  15. DO WE MAKE UPDATES TO THIS NOTICE?
  16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
  17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us. We collect personal information that you voluntarily provide when you register on the Services, express interest in our products, participate in activities on the Services, or contact us.

The personal information we collect may include:

  • names
  • phone numbers
  • email addresses
  • mailing addresses
  • usernames
  • passwords
  • contact preferences
  • contact or authentication data
  • billing addresses
  • debit/credit card numbers
  • Sensitive Information
  • Profile Photos
  • Usernames / Handles
  • Gift visibility preferences (public, private)
  • Gift content and associated media (text messages, photos, GIFs, voice notes, videos) included in gifts you send or receive
  • Social feed interactions (likes, content flags, feed browsing activity)
  • Account-level default privacy settings for gift visibility
  • Community and category following preferences
  • Organization name, business address, and tax identification information (including EIN and Form W-9 or equivalent) provided by Org Admins on behalf of an Organization
  • Authorized User work email, role (Org Admin or Gift Sender), department or team designation (where provided), and account-acceptance metadata (timestamp, ToS / Privacy version hash)
  • Business billing and invoice metadata, including invoice line items, payment-method last-4, and Stripe customer/charge identifiers
  • Recipient Data submitted by an Organization in connection with a Business Order — including Recipient name, email address, phone number (if provided), mailing address (if provided), employment or affiliation information, custom message content, and any custom fields the Organization chooses to upload (e.g., department, employee ID)

Profile Data Provided by You. When you create an account, we may collect information relating to you such as your name, a profile photo you choose to upload, and an automatically generated username (handle) that you can later customize. Note: Authorized User accounts on the Business Portal do not have public profiles, public usernames, or public discoverability — Authorized User profile data is visible only to other members of the same Organization.

Social Gifting Data (consumer Services only — does not apply to Business Portal gifts). When you send or receive gifts through our consumer Services, we collect information related to your gifting activity, including:

  • Gift content you create or receive, including text messages, media attachments, gift card amounts, merchant selections, and any personalization or customization;
  • Your gift visibility selections ("Public" or "Private") at the time of sending;
  • As a gift receiver, your decision to remain tagged or to untag yourself from a public gift;
  • Your account-level default visibility preference;
  • Your interactions with public gift feeds (gifts viewed, liked, flagged);
  • Community or category feeds you choose to follow (e.g., #Art, #Baking);
  • Purchase-sharing content you voluntarily post;
  • Thank-you notes, media responses, and other user-generated content shared within gift threads.

This data is collected to operate and display social gifting features, personalize your feed experience, and enable the visibility controls described in this notice. We do not use social gifting data for third-party advertising purposes. Gifts sent through the Business Portal are never eligible for public feeds, social discovery, or curated/community surfaces, regardless of any default or user setting. See §13.

AI and Automated Processing of Gift Content (consumer Services only). When you send a gift through our consumer Services, we may process the gift content using artificial intelligence and large language model technologies to: (a) anonymize gift notes before public display; (b) score quality/social value for public-feed eligibility; and (c) classify content by occasion, category, or sentiment. The original, unmodified gift content remains visible only to the sender and receiver. These AI systems do not make decisions that produce legal or similarly significant effects on you. Gifts sent through the Business Portal are not subject to anonymization, social-quality scoring, or public-feed eligibility processing, because Business Portal gifts are never publicly displayed. We may still apply automated content-safety scanning to Business Portal gift content to detect prohibited material; we do not use Business Portal gift content to train general-purpose AI models.

When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information.

  • financial data
  • Payment Data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number and the security code associated with your payment instrument. All payment data is stored by Stripe. See https://stripe.com/privacy.
  • Tax identification data submitted by Organizations on the Business Portal (e.g., EIN on a Form W-9 substitute), used solely for invoice generation, tax reporting, and our own legal compliance.

Social Media Login Data. We may provide you with the option to register using your existing social media account details. If you choose to register this way, we collect the information described in §6. Social login is not available for Business Portal accounts; Authorized Users must register with email + password or Google Workspace OAuth.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services and for our internal analytics and reporting.

Log and Usage Data. Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files.

Device Data. Information about your computer, phone, tablet, or other device used to access the Services.

Location Data. Limited location data derived from your device's IP address or voluntarily shared GPS information, used to enable region-specific content or detect potential fraudulent activity. We do not continuously track your precise location, and we do not sell or share location information with third parties.

Information collected from other sources

We may obtain information about you from other sources, such as public databases, affiliate programs, data providers, social media platforms, and other third parties — for example, mailing addresses, job titles, email addresses, phone numbers, intent data, IP addresses, and social media URLs.

Information collected from Organizations using the Business Portal. When an Organization uses the Business Portal to send a gift to a Recipient, we receive Recipient Data from the Organization (or from an Authorized User of the Organization). The legal basis for our processing of Recipient Data is set out in §13. We rely on the Organization's representation and warranty that it has all necessary consents and lawful bases to provide that Recipient Data to us under applicable anti-spam, telemarketing, and privacy laws (including CAN-SPAM, TCPA, CASL, GDPR/UK GDPR, and applicable U.S. state privacy laws).

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts.
  • To deliver and facilitate delivery of services to the user.
  • To respond to user inquiries / offer support to users.
  • To send administrative information to you.
  • To fulfill and manage your orders, payments, returns, and exchanges.
  • To enable user-to-user communications.
  • To request feedback.
  • To send you marketing and promotional communications, in accordance with your marketing preferences. You can opt out at any time.
  • To deliver relevant content within our Services based on your activity, without sharing or selling your personal information to any third parties.
  • To post testimonials.
  • To protect our Services (fraud monitoring and prevention).
  • To administer prize draws and competitions.
  • To evaluate and improve our Services, products, marketing, and your experience.
  • To identify usage trends.
  • To determine the effectiveness of our marketing and promotional campaigns.
  • To comply with our legal obligations.
  • To operate and display Social Gifting features (consumer Services only).
  • To personalize your gift feed experience (consumer Services only).
  • To moderate content on public gift feeds (consumer Services only).
  • To anonymize gift content using AI (consumer Services only).
  • To score and rank gift content using AI (consumer Services only).
  • To send gift-related notifications and nudges.
  • To backfill and populate public gift feeds (consumer Services only).
  • To facilitate community engagement features (consumer Services only).
  • To operate the Business Portal on behalf of Organizations. We process Organization Data and Authorized User information to provision Business Accounts, authenticate Authorized Users, manage roles and permissions, store invitation and acceptance records, generate invoices and tax documents, and provide reporting to Org Admins.
  • To deliver Business Orders to Recipients. We process Recipient Data on behalf of, and only as instructed by, the Organization that submitted it — including to send gift-delivery and gift-related transactional communications to the Recipient by email and (where the Organization has provided a phone number and represented that consent exists) by SMS.
  • To enforce Business Portal rules. We process Organization, Authorized User, and Recipient Data to detect and prevent fraud, sanctions/export-control violations, anti-bribery violations, and other Acceptable Use violations described in the Business Portal Terms of Service.
  • To generate aggregated, de-identified analytics about Business Portal use (volume, regions, redemption rates) for benchmarking, product improvement, and reporting that cannot reasonably be associated with any specific Organization or Recipient.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

Vendors, Consultants, and Other Third-Party Service Providers. We may share personal information only with trusted service providers who perform operational functions on our behalf and require access to such information. These include:

  • Payment processors (Stripe)
  • Cloud hosting and data storage providers (Google Cloud / Firebase)
  • Customer support tools
  • Security and fraud prevention providers
  • Communication and authentication services (email, SMS, push)
  • Analytics providers used strictly to maintain and improve our Services (not for advertising or marketing purposes)
  • Card-issuing partners (Sutton Bank) and program managers (Highnote) for the issuance, management, and processing of our gift card program
  • Tax and accounting service providers used to generate Business Portal invoices, tax forms, and 1099 reporting on the Organization's behalf

We do not share, sell, rent, or disclose personal information to third parties for marketing or promotional purposes. We do not sell or "share" (as defined under CCPA/CPRA) Recipient Data submitted through the Business Portal under any circumstances.

We also may need to share your personal information in the following situations:

  • We may share personal information with Sutton Bank and other third-party service providers involved in the issuance, management, and processing of our gift card program.
  • Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • Affiliate Marketing Programs (non-PII data only). We may participate in affiliate programs to track referral performance. These programs use aggregated or anonymized tracking data and do not involve the sharing, selling, or disclosure of personal information such as phone numbers, names, or email addresses. Affiliate-program tracking is not applied to Recipient Data or to traffic originating from business.onme.com.
  • Business Partners. We may work with certain business partners solely to facilitate features or fulfill Services you request. We do not share personal information with business partners for their independent marketing or promotional use.
  • Regulatory Compliance. We adhere to all applicable banking regulations and requirements as mandated by Banking partners for the issuance and management of our gift card program.
  • Other Users and Public Features. When you share personal information in publicly viewable areas of our consumer Services (including your name, profile photo, username, comments, contributions, or media), you expressly acknowledge and agree that such information may be viewed by all users and may be publicly made available outside the Services, in perpetuity. This subsection does not apply to anything you do inside the Business Portal. No campaign content, gift messages, recipient lists, or Authorized User profiles are ever made publicly viewable on our consumer Services. The Organization's name, logo, marks, and the existence of the customer relationship may, however, be used by On Me in external Marketing Materials in accordance with the Business Portal Terms of Service §11.4 (Publicity and Logo License).
  • Additionally, when you choose to create a public gift through the consumer Services (or make an existing gift public), all gift details and any associated media will be publicly displayed to all users and may be accessible outside our Services indefinitely. The visibility of the receiver's identity on a public gift is subject to the two-sided consent model below.
  • Two-Sided Visibility Consent Model (consumer Services only). Public gift visibility on our consumer Services operates under a two-sided consent framework:
    • (a) Sender Control — sender selects "Public" or "Private" at the time of sending.
    • (b) Receiver Control — receivers may untag themselves at any time.
    • (c) Account-Level Defaults — users may set a default visibility preference; new accounts default to public for received gifts.
    • (d) Precedence — the most privacy-protective choice between sender and receiver always prevails.
  • Public Gift Feed Display, Interactions, Purchase Sharing, Content Standards, Automated Content Moderation, and Backfilled Gift Data — all as described in our existing consumer Privacy Policy, applicable to consumer Services only.
  • Sharing of Recipient Data with Organizations. When an Organization submits Recipient Data to us through the Business Portal, that Recipient Data remains accessible to the Organization and to its Authorized Users (subject to role-based access controls — Org Admins see organization-wide reporting; Gift Senders see only what they themselves send). We share gift-redemption and engagement metadata (e.g., "Delivered," "Opened," "Redeemed" status) with the submitting Organization. We do not share Recipient Data with any other Organization.
  • Marketing use of Organization name, logo, and customer relationship. Subject to the Business Portal Terms of Service §11.4 (Publicity and Logo License), On Me may use the Organization's name, logo, trademarks, and the fact of the customer relationship in marketing, sales, investor, public-relations, and product communications — including customer lists, "trusted by" walls, case studies, social-media posts, public forums, conference talks, podcasts, and advertising. The Organization may opt out of named case studies, named testimonials, and named press releases under that section, but inclusion in customer lists and aggregate "trusted by" surfaces is not opt-out. We will not, however, publicly disclose individual gift-message contents, individual Recipient Data, or any Recipient's identity in external Marketing Materials without the Organization's prior written consent or a separate lawful basis. Aggregated, de-identified, and Organization-level data may be used for any lawful business purpose.

All above exclusions apply to text messaging originator opt-in data and consent; this information will not be shared with any third parties. We do not sell, share, or disclose mobile numbers or opt-in data to any third party for marketing or other purposes.

4. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES?

The Services may link to third-party websites, online services, or mobile applications and/or contain advertisements from third parties that are not affiliated with us. We do not make any guarantee regarding any such third parties and will not be liable for any loss or damage caused by their use. The inclusion of a link does not imply our endorsement. We are not responsible for the content or privacy and security practices of any third parties.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We may use cookies and similar tracking technologies (web beacons, pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice. Cookies on business.onme.com are limited to those strictly necessary for authentication, session management, security, and operation of the Business Portal. We do not run advertising or analytics-for-marketing pixels on Business Portal pages.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

Our consumer Services offer you the ability to register and log in using third-party social media account details. Where you choose to do this, we will receive certain profile information about you from your social media provider — typically your name, email address, friends list, and profile picture. We will use such information only for the purposes described in this privacy notice. We do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. Social logins are not available on the Business Portal; Authorized Users register with email + password or Google Workspace OAuth.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

We will only keep your personal information for as long as necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

Retention of Social Gifting Data (consumer Services only). Public gift content may be retained for as long as the gift remains publicly visible. If a sender changes a public gift to private, or if both parties remove their association, we will remove the gift from public feeds within a commercially reasonable timeframe but may retain anonymized or aggregated data for analytics. When a receiver untags themselves, identifying information is removed from the public display promptly. Backfilled gifts follow the same retention rules as new gifts.

Retention of Business Portal Data.

  • Organization Data and Authorized User Data — retained for as long as the Business Account is active, plus a commercially reasonable period after termination for tax, accounting, audit, fraud-prevention, and legal-compliance purposes (typically 7 years for invoice and tax-reporting data, consistent with U.S. tax recordkeeping requirements).
  • Recipient Data — retained for as long as required to deliver the Business Order and to provide reporting to the submitting Organization, plus the period required for tax/accounting reconciliation. Upon Organization request (or at the end of an applicable DPA term), Recipient Data will be deleted or de-identified within ninety (90) days, except for data required to be retained by law.
  • Gift content delivered to a Recipient — once a Recipient redeems Gift Card Value, redemption data is retained under the Cardholder Agreement and applicable banking-regulatory retention rules, even after Organization termination.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure.

Security of Social Gifting Data (consumer Services only): access controls enforcing the two-sided visibility consent model; automated content safety scanning; rate limiting and abuse detection; audit logging of visibility changes; secure deletion processes.

Security of Business Portal Data. In addition to general security measures, we implement the following safeguards specific to the Business Portal:

  • Tenant isolation. The Business Portal runs on a dedicated Firebase Auth tenant separate from consumer accounts; there is no shared session, token, or credential surface between consumer and business identities.
  • Role-based access controls enforcing the Org Admin / Gift Sender model — Gift Senders cannot access Organization-wide billing, payment methods, or Authorized User management.
  • Encryption of personal data in transit (TLS 1.2+) and at rest.
  • Audit logging of Authorized User invitations, role changes, payment-method changes, exports of Recipient Data, and access to invoice/tax records.
  • Sub-processor governance — written contracts with each sub-processor requiring confidentiality and security obligations at least as protective as those in this notice.
  • Incident response. We will notify the Org Admin without undue delay (and in any event within the timeframe required by applicable law) of any confirmed security incident affecting Recipient Data or other Organization data.

9. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly solicit data from or market to children under 18. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data.

Minors and Social Gifting Features (consumer Services only). Our social gifting features, including public gift feeds, are not intended for use by individuals under 18. Minors may not send public gifts, interact with the public gift feed, or have their information displayed on public feeds. Parents or guardians who believe their child's information has been displayed on a public gift feed should contact us immediately at info@onme.com.

Minors and the Business Portal. The Business Portal is intended only for use by individuals 18 or older acting on behalf of an Organization for legitimate business purposes. Organizations represent and warrant that they will not submit Recipient Data for individuals under 18. If we become aware that we have received Recipient Data for a minor, we will delete that Recipient Data and notify the submitting Organization.

10. WHAT ARE YOUR PRIVACY RIGHTS?

Withdrawing your consent. Where we rely on your consent, you have the right to withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.

Opting out of marketing and promotional communications. Click the unsubscribe link in our marketing emails, or contact us using the details below. You will be removed from the marketing lists. Service-related messages necessary for administration of your account will continue.

Account Information. You may log in to your account settings to update or terminate your account. Upon a termination request, we will deactivate or delete your account, subject to limited retention to prevent fraud, troubleshoot, assist investigations, enforce legal terms, or comply with law. Remaining funds on gift cards or other stored value are forfeited and non-refundable on termination — use them before terminating.

Cookies and similar technologies. Most browsers accept cookies by default; you can usually choose to remove or reject cookies. You may also opt out of interest-based advertising on our Services.

Social Gifting Visibility Rights (consumer Services only): right to control gift visibility as a sender; right to untag yourself as a receiver; right to set account-level visibility defaults; right to flag content; right to request removal of public gift content; right to opt out of gift-related notifications and nudges; impact of account deletion on public gift data — all as described in our existing consumer Privacy Policy.

Business Portal Authorized User Rights. As an Authorized User, you have the rights described above in your individual capacity. Additionally:

  • Right to leave an Organization. You may remove your own Authorized User account from an Organization at any time through your account settings. The Organization will retain the historical orders you placed.
  • Right to opt out of Business Portal marketing. Marketing communications about the Business Portal are sent to Org Admins by default. You may opt out at any time without affecting transactional or service-related communications.
  • Right to disable transactional notifications — to the extent legally permissible (some, like delivery confirmations, may be necessary for Service delivery and cannot be disabled).

Recipient Rights. If you are a Recipient of a Business Portal gift, you may have privacy rights under the laws of your state or country. For most Recipient Data submitted to us by an Organization, the Organization is the controller (or business / data fiduciary) of that data, not On Me. This means:

  • You may direct privacy-rights requests to the submitting Organization in the first instance — we will assist that Organization in honoring your request as required under our DPA.
  • You may also contact us directly at privacy@onme.com, and we will route your request to the Organization (and, where required by law, respond directly).
  • You always have the right to opt out of further gift-related communications from us by following the unsubscribe link in any email or by contacting us. Opting out will not retroactively prevent the redemption of any gift already sent to you.

If you have questions or comments about your privacy rights, you may email us at info@onme.com or, for Business Portal matters, at privacy@onme.com.

11. CONTROLS FOR DO-NOT-TRACK FEATURES AND UNIVERSAL OPT-OUT SIGNALS

Global Privacy Control (GPC) and Universal Opt-Out Mechanisms. We recognize and honor GPC signals and other universal opt-out preference signals as valid requests to opt out of the "sale" or "sharing" of personal information, as well as targeted advertising, where required by applicable state privacy laws (including CCPA, CPA, CTDPA, MCDPA, OCPA, and TDPSA). When we detect a GPC signal we will: (a) cease any sale or sharing of your personal information with third parties for advertising purposes; and (b) cease processing for targeted advertising. To enable GPC, visit globalprivacycontrol.org. Because we do not sell personal information for marketing or advertising, the practical effect of a GPC signal on our Services is limited; we honor the signal as required by law.

Do-Not-Track (DNT) Signals. No uniform DNT standard has been finalized; we do not currently respond to DNT browser signals separately from the GPC signal above.

12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

If you are a resident of California, Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Indiana, Iowa, Tennessee, Minnesota, Maryland, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, or Rhode Island, you have specific privacy rights — preserved in full from our prior version. (See state-by-state subsections below.)

Categories of personal information collected (last 12 months):

  • A. Identifiers — names, addresses, phones, emails, IP addresses, account names — YES
  • B. Personal information under California Customer Records statute — name, contact information, employment information, financial information — YES
  • C. Protected classification characteristics — gender, date of birth — YES
  • D. Commercial information — transaction information, purchase history, financial details, payment information — YES
  • F. Internet or other similar network activity — browsing/search history, online behavior, interest data, interactions with our site/app and ads. Includes interactions with public gift feeds (consumer only). — YES
  • G. Geolocation data — device location — YES
  • I. Professional or employment-related information — business contact details, job title, work history, professional qualifications. Includes information provided by Organizations and Authorized Users on the Business Portal. — YES
  • K. Inferences — preferences and characteristics inferred from collected information — YES
  • L. Sensitive personal information — account login info, contents of email/text, debit/credit card numbers — YES

We will use and retain the collected personal information as needed to provide the Services or as described in §7.

California Residents

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g., backups, etc.).

CCPA Privacy Notice

This section applies only to California residents. Under the California Consumer Privacy Act (CCPA), you have the rights listed below.

The California Code of Regulations defines a "resident" as: (1) every individual who is in the State of California for other than a temporary or transitory purpose and (2) every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose. All other individuals are defined as "non-residents."

Your rights with respect to your personal data:

  • Right to request deletion of the data
  • Right to be informed — Request to know
  • Right to Non-Discrimination for the Exercise of a Consumer's Privacy Rights
  • Right to Limit Use and Disclosure of Sensitive Personal Information

To exercise these rights, you can contact us by submitting a data subject access request, by email at info@onme.com, or by referring to the contact details at the bottom of this document.

Colorado Residents

This section applies only to Colorado residents. Under the Colorado Privacy Act (CPA), you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law:

  • Right to be informed whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

To submit a request to exercise any of the rights described above, please email info@onme.com or submit a data subject access request. If we decline to take action regarding your request and you wish to appeal our decision, please email us at info@onme.com. Within forty-five (45) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Connecticut Residents

This section applies only to Connecticut residents. Under the Connecticut Data Privacy Act (CTDPA), you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law:

  • Right to be informed whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

To submit a request to exercise any of the other rights described above, please email info@onme.com or submit a data subject access request. If we decline to take action regarding your request and you wish to appeal our decision, please email us at info@onme.com. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA): "Consumer" means a natural person who is a resident of the Commonwealth acting only in an individual or household context. "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Sale of personal data" means the exchange of personal data for monetary consideration.

Your rights with respect to your personal data:

  • Right to be informed whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects ("profiling")

You may contact us by email at info@onme.com or submit a data subject access request. If you are using an authorized agent to exercise your rights, we may deny a request if the authorized agent does not submit proof that they have been validly authorized to act on your behalf. Upon receiving your request, we will respond without undue delay, but in all cases, within forty-five (45) days of receipt. The response period may be extended once by forty-five (45) additional days when reasonably necessary. If we decline to take action regarding your request, we will inform you of our decision and reasoning behind it. If you wish to appeal our decision, please email us at info@onme.com. Within sixty (60) days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may contact the Attorney General to submit a complaint.

Texas Residents

This section applies only to Texas residents. Under the Texas Data Privacy and Security Act (TDPSA), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable, readily usable format
  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

We also recognize Global Privacy Control (GPC) signals as a valid opt-out mechanism under the TDPSA. To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond to your appeal within sixty (60) days. If the appeal is denied, you may contact the Texas Attorney General to file a complaint.

Oregon Residents

This section applies only to Oregon residents. Under the Oregon Consumer Privacy Act (OCPA), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling
  • Right to obtain a list of specific third parties to whom we have disclosed your personal data (or, if not possible, the categories of third-party recipients)

We honor Global Privacy Control (GPC) signals as a valid opt-out under the OCPA. To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within forty-five (45) days. If the appeal is denied, you may contact the Oregon Attorney General.

Montana Residents

This section applies only to Montana residents. Under the Montana Consumer Data Privacy Act (MCDPA), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling

We honor Global Privacy Control (GPC) signals as a valid opt-out under the MCDPA. To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Montana Attorney General.

Indiana Residents

This section applies only to Indiana residents. Under the Indiana Consumer Data Protection Act (INCDPA, effective January 1, 2026), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Indiana Attorney General.

Iowa Residents

This section applies only to Iowa residents. Under the Iowa Consumer Data Protection Act (ICDPA, effective January 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of your personal data or the processing of your personal data for targeted advertising

To exercise your rights, please email info@onme.com or submit a data subject access request. We will respond within ninety (90) days of receipt of your request.

Tennessee Residents

This section applies only to Tennessee residents. Under the Tennessee Information Protection Act (TIPA, effective July 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of personal data, targeted advertising, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Tennessee Attorney General.

Minnesota Residents

This section applies only to Minnesota residents. Under the Minnesota Consumer Data Privacy Act (MNCDPA, effective July 31, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of targeted advertising, the sale of personal data, or profiling
  • Right to question the result of profiling decisions and be informed of the reasons behind those decisions

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within forty-five (45) days. If the appeal is denied, you may contact the Minnesota Attorney General.

Maryland Residents

This section applies only to Maryland residents. Under the Maryland Online Data Privacy Act (MODPA, effective October 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the processing of your personal data for targeted advertising or the sale of personal data

The MODPA prohibits the sale of sensitive data and the use of personal data for targeted advertising without consent. To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Maryland Attorney General.

Delaware Residents

This section applies only to Delaware residents. Under the Delaware Personal Data Privacy Act (DPDPA, effective January 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Delaware Department of Justice.

New Hampshire Residents

This section applies only to New Hampshire residents. Under the New Hampshire Privacy Act (NHPA, effective January 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of targeted advertising, the sale of personal data, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the New Hampshire Attorney General.

New Jersey Residents

This section applies only to New Jersey residents. Under the New Jersey Data Privacy Act (NJDPA, effective January 15, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data and to access that data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of personal data, targeted advertising, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within forty-five (45) days. If the appeal is denied, you may contact the New Jersey Division of Consumer Affairs.

Nebraska Residents

This section applies only to Nebraska residents. Under the Nebraska Data Privacy Act (NDPA, effective January 1, 2025), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of personal data, targeted advertising, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Nebraska Attorney General.

Kentucky Residents

This section applies only to Kentucky residents. Under the Kentucky Consumer Data Protection Act (KCDPA, effective January 1, 2026), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of personal data, targeted advertising, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within sixty (60) days. If the appeal is denied, you may contact the Kentucky Attorney General.

Rhode Island Residents

This section applies only to Rhode Island residents. Under the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA, effective January 1, 2026), you have the following rights:

  • Right to confirm whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to delete your personal data
  • Right to obtain a copy of your personal data in a portable format
  • Right to opt out of the sale of personal data, targeted advertising, or profiling

To exercise your rights, please email info@onme.com or submit a data subject access request. If we decline your request, you may appeal by emailing us at info@onme.com. We will respond within forty-five (45) days. If the appeal is denied, you may contact the Rhode Island Attorney General.

Special note for Recipients of Business Portal gifts. When a Recipient submits a state-law privacy-rights request about data that an Organization uploaded to us, On Me acts as a service provider / processor and will route the request to the Organization (the business / controller). We will assist the Organization in honoring the request within the timeframes required under each applicable state law, and we will respond directly to the Recipient where the law requires us to do so. This routing does not delay the rights granted to the Recipient.

13. BUSINESS PORTAL: ORGANIZATIONS, AUTHORIZED USERS, AND RECIPIENT DATA

This Section 13 applies whenever an Organization or its Authorized Users access or use the On Me Business Portal at business.onme.com. It also applies to Recipients whose information is provided to us by an Organization through the Business Portal. In the event of conflict between this Section 13 and any other provision of this notice with respect to Business Portal data, this Section 13 controls.

13.1 Definitions

  • "Business Portal" — the On Me product at business.onme.com.
  • "Organization" — a legal entity that maintains a Business Account.
  • "Authorized User" — an individual whom an Organization has invited and authorized to access its Business Account, including Org Admins and Gift Senders.
  • "Recipient" — an individual designated by an Authorized User to receive a gift through the Business Portal.
  • "Recipient Data" — personal information about a Recipient that an Organization or Authorized User provides to On Me, including name, email address, phone number (if provided), mailing address (if provided), employment or affiliation information, and any custom message or field directed to or about the Recipient.
  • "DPA" — a Data Processing Addendum executed (or, in V1, made available on request) between On Me and the Organization.

Additional capitalized terms have the meanings given in the Business Portal Terms of Service.

13.2 Controller / Processor framework

As between the Organization and On Me, with respect to Recipient Data:

  • The Organization is the controller (or "business" or "data fiduciary" under applicable U.S. state laws).
  • On Me is the processor (or "service provider" under CCPA/CPRA), processing Recipient Data only on the documented instructions of the Organization, except where required to do otherwise by law.

With respect to Authorized User accounts and the operational data we generate about them, On Me is the controller.

13.3 Permitted processing of Recipient Data

On Me will process Recipient Data only:

  • to deliver the Business Order to the Recipient and provide related transactional communications;
  • to operate, secure, and improve the Services (including fraud detection, abuse prevention, automated content-safety scanning, and aggregated/de-identified analytics);
  • to comply with applicable law, including tax, accounting, sanctions, anti-money-laundering, and financial-regulatory obligations applicable to On Me, Secure Gift Holdings LLC, and Sutton Bank;
  • as instructed by the Organization through the Business Portal or in writing.

On Me will not:

  • sell or "share" Recipient Data with third parties for cross-context behavioral advertising;
  • use Recipient Data to send marketing communications on On Me's own behalf without a separate lawful basis;
  • use Recipient Data to train general-purpose AI models;
  • publicly disclose individual gift-message contents, individual Recipient Data, or any Recipient's identity in external Marketing Materials without the Organization's prior written consent or a separate lawful basis (note: pursuant to the Business Portal Terms of Service §11.4, On Me may use the Organization's name, logo, marks, and the existence of the customer relationship in external Marketing Materials).

13.4 Authorized User data

When an individual is invited to or signs up for a Business Account, we collect:

  • name, work email, password (or Google OAuth identity), role within the Organization (Org Admin or Gift Sender), and acceptance metadata (timestamp, ToS / Privacy version hash);
  • account activity, including campaigns created, orders placed, recipients added, and feature usage;
  • billing actions taken (where the Authorized User is an Org Admin).

Authorized User accounts are technically and legally distinct from consumer accounts on onme.com. The same individual may hold both a personal consumer account and an Authorized User account using the same email; however, gift card balances and order history do not transfer between the two.

13.5 Organization-level data

We collect and process information that an Organization provides about itself, including:

  • Organization name, business address, and Org Admin contact details;
  • tax identification information (EIN, Form W-9 or equivalent);
  • payment-method information (processed by Stripe);
  • invoice and order history at the Organization level;
  • support and operational communications.

13.6 Sub-processors

We use sub-processors to operate the Business Portal. As of the last-updated date above, our material sub-processors include:

  • Stripe — payment processing for Business Orders
  • Sutton Bank — issuing bank for the underlying gift card product
  • Highnote — card program management
  • Google Cloud / Firebase — hosting, authentication, and data storage
  • Email and SMS providers — used for gift delivery and transactional notifications
  • Customer support, security, and analytics tooling

We maintain written contracts with each sub-processor requiring confidentiality and security obligations at least as protective as those in this notice. A current sub-processor list and notification mechanism for changes will be made available under the DPA.

13.7 Data Processing Addendum (DPA)

Where processing of Recipient Data is subject to GDPR, UK GDPR, CCPA/CPRA, or similar laws, the DPA governs and is incorporated by reference into this notice and the Business Portal Terms of Service. Until a separate DPA is executed, the Organization may request the then-current standard DPA at privacy@onme.com. In the event of conflict, the DPA controls with respect to Recipient Data.

13.8 No-public-gifts carve-out

Gifts sent through a Business Account are always Private Gifts. They are never:

  • displayed on Public Gift Feeds;
  • displayed on community / category feeds;
  • displayed on user profile pages;
  • displayed in curated, trending, or product-detail surfaces;
  • subject to sender-or-receiver "public" toggling, untagging, retagging, or visibility-default settings;
  • subject to the AI anonymization or social-quality-scoring pipelines used for consumer public gifts;
  • used as Recipient-identifying material in case studies, press releases, or testimonials without the Organization's prior written consent or a separate lawful basis (Organization-level marketing use of the Organization's name, logo, and customer relationship is governed by the Business Portal Terms of Service §11.4).

Sections 26 (Social Gifting Features and Public Gifts) and 27 (User Content License) of the consumer Terms of Service do not apply to Business Orders or to any User Content created or uploaded through a Business Account.

13.9 Recipient privacy rights routing

Where a Recipient submits a privacy-rights request to On Me regarding data uploaded by an Organization, On Me will:

  1. acknowledge the request directly to the Recipient;
  2. route the request to the submitting Organization (the controller / business) within a commercially reasonable timeframe;
  3. assist the Organization in honoring the request within the timeframes required under applicable law;
  4. respond directly to the Recipient where the applicable law requires us to do so or where the Organization has authorized us to do so.

Recipients may always opt out of further gift-related communications from On Me by clicking the unsubscribe link in any email or by contacting us at privacy@onme.com.

13.10 Acceptance and authority to bind

By creating or accessing a Business Account, the individual doing so accepts this notice on behalf of the Organization and represents that they have authority to bind the Organization. By submitting Recipient Data to us, the Organization represents and warrants that it has provided all required notices and obtained all required consents under applicable law (including CAN-SPAM, TCPA, CASL, GDPR / UK GDPR, and applicable U.S. state privacy laws) to permit On Me to process the Recipient Data for the purposes described in this notice.

14. INTERNATIONAL DATA TRANSFERS

On Me is based in the United States, and our Services are operated from and primarily directed to the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers are located. We rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss FADP equivalents) where applicable. For Business Portal customers established outside the United States, the DPA describes the specific transfer mechanisms applicable to Recipient Data.

15. DO WE MAKE UPDATES TO THIS NOTICE?

We may update this privacy notice from time to time. The updated version will be indicated by an updated "Last updated" date and will be effective as soon as it is accessible. If we make material changes, we may notify you either by prominently posting a notice or by directly sending you a notification. For Business Portal customers, we will notify Org Admins of material changes through in-portal notification or email.

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at info@onme.com, or for Business Portal privacy matters at privacy@onme.com, or contact us by post at:

On Me Gifting, 44 Montgomery St, 3rd Floor, San Francisco, CA 94104.

17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state, you may have the right to request access to the personal information we collect from you, change that information, or delete it. To request to review, update, or delete your personal information, please contact info@onme.com or, for Business Portal data, privacy@onme.com for more information.