overthought.gift

We overthink your gifts so you don't have to.

Privacy Policy

Effective date: April 18, 2026 · Last updated: April 18, 2026

This Privacy Policy explains how BINDA'S FOODS, LLC ("overthought," "we," "us," or "our") collects, uses, shares, and protects personal information when you use overthought.gift and related services (the "Service"). By using the Service, you agree to this Policy and to our Terms of Service.

For the purposes of data-protection laws, the controller of your personal information is BINDA'S FOODS, LLC, 26 Sherwood Dr., New Providence, NJ. You can reach us at hello@overthought.gift.

1. Information We Collect

Information you give us directly:

  • Account information: your email address and, optionally, your first and last name. We do not store passwords — sign-in uses a one-time emailed code.
  • Gift request content: the free-text description of the person and occasion, your discovery answers (recipient age range, gender, relationship, occasion, shared interests, hobbies, budget, and any additional context you provide), and follow-up refinements.
  • Information about gift recipients: because gift requests describe another person, you may submit personal information about that Recipient (for example, their name, relationship to you, age, interests, or event dates). See Section 9 below for how we treat this.
  • Calendar events: event names, person names, dates, types (birthday, anniversary, holiday, graduation, other), recurrence, reminder preferences, and notes you add.
  • Orders and selections: order history, options curated for you, options you select, admin notes we attach internally, and request status.
  • Communications: messages you send us by email or through the feedback tools, and the content of support correspondence.

Information collected automatically:

  • Device and usage data: IP address, browser type, device type, operating system, referrer URL, pages viewed, features used, timestamps, and session identifiers.
  • Product analytics events: events such as "order_created," "discovery_started," "brainstorm_triggered," "find_products_clicked," and similar, associated with your user ID (if signed in) or your email address (if submitting as a guest), collected via PostHog.
  • Cookies and similar technologies: authentication session cookies (set by Supabase), analytics identifiers (PostHog), and performance metrics (Vercel Analytics). See Section 6.
  • Error data: exception traces and error context captured for debugging.

Information from third parties: if you click an affiliate link and purchase, affiliate networks may share limited, aggregated conversion data with us (for example, that a sale occurred). We do not receive your payment card or retailer account credentials.

2. How We Use Personal Information

We use personal information to:

  • Provide the Service — accept your gift request, generate AI brainstorms and product suggestions, route requests to our curator, and deliver results.
  • Authenticate you via email one-time codes and protect your account.
  • Send transactional emails (request confirmations, curated options, reminders set from the calendar).
  • Notify our admin team of new requests so they can be curated.
  • Understand how the Service is used, debug issues, and improve features.
  • Detect, prevent, and address abuse, fraud, and security incidents.
  • Comply with legal obligations and enforce our Terms.

We do not currently sell your personal information, and we do not use your personal information or User Content to train general-purpose AI models. We do not authorize our AI subprocessors to train their models on your content (subject to their standard enterprise-grade terms — see Section 5). If this ever changes, we will update this Policy, give you advance notice, and provide you with the ability to opt out where required by law.

3. Legal Bases for Processing (EEA / UK / Swiss Users)

If GDPR, UK GDPR, or Swiss FADP applies to you, we process personal information on the following legal bases:

  • Contract (Art. 6(1)(b)): to create your account, process your gift request, deliver curated options, and operate reminders.
  • Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, measure product usage, debug errors, and improve our features. We balance these interests against your rights and preferences.
  • Consent (Art. 6(1)(a)): where we rely on consent — for example, optional analytics cookies in regions that require consent. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): to respond to lawful requests and comply with applicable law.

4. How We Share Personal Information

We share personal information only with the categories of recipients described below. We do not currently sell personal information and do not share it for cross-context behavioral advertising.

Service providers (subprocessors). We use the following vendors to operate the Service. Each is bound by a data-processing agreement and processes personal information only on our instructions:

  • Supabase — database hosting and authentication (stores accounts, orders, gift options, calendar events, auth sessions).
  • OpenAI — generative-AI processing (receives your gift request text and discovery answers to generate brainstorms, follow-up questions, and product suggestions; may use web search to find products). Content is processed via the API under enterprise-grade API terms, which do not use submitted content to train general-purpose models. We may change AI providers over time; if we do, we will update this list.
  • Resend — transactional email delivery (request confirmations, curated options, admin notifications).
  • PostHog — product analytics, feature events, and exception capture.
  • Vercel Analytics — lightweight page-view and performance metrics (the rest of the Service is hosted on our own infrastructure).
  • Affiliate networks — when you click a retailer link, the destination retailer and any intermediary affiliate network receive standard web-tracking data (referrer, click identifier) so the transaction can be attributed. Those parties are independent controllers and handle your data under their own privacy policies.

Legal, safety, and business transfers. We may disclose personal information: (a) to comply with a subpoena, court order, or other legal process; (b) to enforce our Terms or protect the rights, property, or safety of overthought, our users, or others; or (c) in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case we will require the recipient to honor this Policy or notify you of material changes.

With your direction. If you click a link, submit a form, or otherwise direct us to share information with a third party, we will share it.

5. AI Processing

The Service sends your gift request text, discovery answers, and contextual information to a third-party generative-AI provider in order to produce brainstorms and product suggestions. That provider acts as our subprocessor (see the list in Section 4 for the current vendor). We do not send your email address or account identifiers to the AI provider as part of request content. Do not include sensitive information (government IDs, financial account numbers, precise location, health information, biometric data) in your requests.

6. Cookies and Tracking Technologies

We use:

  • Strictly necessary cookies — Supabase authentication session cookies, required to keep you signed in. Disabling these will break sign-in.
  • Analytics cookies and identifiers — used to understand how the Service is used and to monitor performance and errors (see the analytics providers listed in Section 4).

We do not use advertising cookies. You can control cookies through your browser settings. If you are in the EEA, UK, or another region that requires consent for non-essential cookies, we will request your consent before setting those cookies.

7. International Data Transfers

We operate in the United States, and several of our subprocessors are U.S.-based. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries whose data-protection laws may differ from those in your country.

For transfers from the EEA, UK, or Switzerland, we rely on the data-processing terms published by our subprocessors, which incorporate the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) by reference. You may request more information about these safeguards by emailing us.

8. Data Retention

We retain personal information for as long as needed to provide the Service and for the purposes described in this Policy, unless a longer period is required or permitted by law. Typical retention periods:

  • Account information: until you request deletion, then removed within 30 days (subject to backup retention described below).
  • Gift request content, orders, and gift options: retained while your account is active and for up to 24 months after your last activity, for customer support and auditing.
  • Calendar events: retained until you delete them or close your account.
  • Analytics events: retained for up to 7 years.
  • Email logs: retained by our email provider per its standard retention window.
  • Backups: residual copies in encrypted backups may persist for up to 30 days after deletion, then are overwritten in the normal course of business.

9. Information About Gift Recipients

When you submit a gift request, you may share personal information about another person (the Recipient). Because you are the one submitting this information, we rely on you to have the right to share it. Please avoid submitting sensitive categories of information (as defined in our Terms of Service), and only share what is reasonably necessary to help us recommend a gift.

If you are a Recipient and believe information about you has been shared with us without your authorization, contact hello@overthought.gift and we will review and, where appropriate, delete the information.

10. Your Privacy Rights

U.S. state privacy rights (California, Colorado, Connecticut, Delaware, Montana, Oregon, Texas, Utah, Virginia, and others). Depending on your state, you may have the right to:

  • Know or access the personal information we have collected about you;
  • Request correction of inaccurate personal information;
  • Request deletion of your personal information;
  • Obtain a copy of your personal information in a portable format;
  • Opt out of the "sale" or "sharing" of personal information and of targeted advertising (we do not engage in these activities);
  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in this);
  • Not be discriminated against for exercising your rights.

California residents: we do not sell personal information and do not have actual knowledge of selling or sharing the personal information of consumers under 16.

EEA, UK, and Swiss rights. You have the right to access, rectify, delete, and receive a portable copy of your personal information; to restrict or object to processing; to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal); and to lodge a complaint with your local data-protection authority.

How to exercise your rights. Send a request to hello@overthought.gift from the email associated with your account, or contact us at 26 Sherwood Dr., New Providence, NJ. We will verify your request by confirming access to your account email. We will respond within the time frame required by applicable law (generally 45 days in the U.S., one month under GDPR, extendable where permitted).

You may also authorize an agent to act on your behalf, subject to our verification process.

11. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. Users between 13 and the age of majority in their jurisdiction may use the Service only with the consent and involvement of a parent or legal guardian, as described in our Terms of Service. If we learn that we have collected personal information from a child under 13, we will delete it promptly. If you believe a child has provided us with personal information, contact us at hello@overthought.gift.

12. Security

We use reasonable administrative, technical, and physical safeguards to protect personal information, including industry-standard encryption when your data is transmitted between your device and our servers, encryption at rest through our database provider, row-level access controls that scope each user's data to that user, passwordless sign-in (no stored passwords), and restricted administrative access. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. If a breach materially affecting your personal information occurs, we will notify you in accordance with applicable law.

13. Do Not Track and Global Privacy Control

Because there is no common industry understanding of "Do Not Track" browser signals, the Service does not respond to DNT signals. Where required by applicable law, we will honor recognized opt-out preference signals such as Global Privacy Control (GPC).

14. Changes to This Policy

We may update this Policy. If we make material changes, we will post the updated Policy here and update the "Last updated" date. If required by law, we will also notify you by email or through the Service. Your continued use of the Service after the effective date of an updated Policy constitutes acceptance.

15. Contact Us

Questions or privacy requests? Contact us at hello@overthought.gift or by mail at 26 Sherwood Dr., New Providence, NJ.

EEA/UK users: we are not currently required to appoint an EU or UK representative under Article 27. If this changes as our operations expand, we will update this Policy with contact details for the representative.

Draft notice: This document is a draft prepared for internal review. It is not legal advice. Please have a licensed attorney review and customize before launch — particularly Sections 8 (Retention), 10 (Rights), and 11 (Children), which should be tailored to your actual data-handling practices and the jurisdictions you serve.