Your data, in plain English.

To check a gift card balance, VanillaGift needs three pieces of information from your browser: the card's 16-digit number, the expiry date (month and year), and the CVV security code from the back. You provide these by typing them into the form on our homepage.

The first time you check a particular card, you set a 4 to 6 digit PIN that you choose. The PIN protects future access to that card's balance.

On every request, our server briefly sees your IP address (this is unavoidable for any web service). We do not store your IP address. We compute a one-way SHA-256 hash of it, which we use for rate limiting and abuse detection. The hash cannot be reversed to recover the original IP.

Card number, CVV, and expiry are encrypted with AES-256-GCM before being written to the database. Your PIN is hashed with Argon2id and stored as a one-way hash. See our Security page for the technical details.

We use your card details only to fetch your balance from the gift card issuer's system and to display your balance, status, and recent transactions back to you. We do not use them for any other purpose.

The audit log records the action (e.g. balance viewed, PIN failed), the timestamp, and the hashed IP. We use it to detect abuse and respond to security incidents.

No one. We do not share your card data, your PIN hash, or your audit records with advertisers, analytics providers, marketing services, or any third party. We do not embed third-party scripts on pages that handle card data.

The only exception is the gift card issuer itself: to fetch your balance, we must send your card details to their system. This is the same transmission that happens when you check your balance directly on the issuer's website.

Card records persist until you explicitly request deletion (see “Your rights” below) or until 12 months of inactivity, whichever comes first. After 12 months without a balance check, the encrypted card row is deleted automatically.

Audit log entries are kept for 90 days, then deleted automatically. This window is long enough to investigate abuse and short enough to avoid building a long-term behavioral profile.

The session cookie in your browser expires 15 minutes after it is issued. After that you re-enter your card details to continue.

VanillaGift sets exactly one cookie: vg_card_session. It contains your signed session token. It is httpOnly (JavaScript on the page cannot read it) and sameSite=lax (it is not sent on cross-site POST requests). We do not use analytics cookies, advertising cookies, or any tracking pixels.

You can, at any time:

• End your session immediately by clicking “End session” on the manage-card page. This deletes the session cookie from your browser.
• Request deletion of your card record by emailing privacy@balance.myvanillagift.com with the last 4 digits of the card and the date you last used it. We delete confirmed records within 30 days.
• Request a data export of everything we hold for a given card by emailing the same address. We respond within 30 days with a JSON export.

If you are in the European Union, the United Kingdom, or California, you have additional statutory rights under GDPR, UK GDPR, and CCPA respectively. You can exercise those rights through the same email address.

VanillaGift is not directed at children under 13 and we do not knowingly collect data from anyone under 13. If you are a parent or guardian and believe a child has used the service, contact us at the privacy address above and we will delete the relevant record.

If we materially change how we handle data, we will update this page and update the “Last updated” date at the top. We will not change the policy retroactively for data we already hold.

For any privacy question or request, email privacy@balance.myvanillagift.com. We respond to all inquiries within 30 days, usually within 5 business days.