maketheir.day

Privacy Policy

Last updated: June 11, 2026

Gifts are personal — that's the whole point. Here is exactly what we store, why, on what legal basis, and for how long. We collect nothing we don't need and sell nothing, ever. This policy is provided under Regulation (EU) 2016/679 ("GDPR").

Who is responsible (data controller)

The controller of your personal data is Beilo s.r.o., Company ID (IČO): 211 36 424, with its registered office at Obětí 6. května 554/4, Krč, 140 00 Prague 4, Czech Republic, registered in the Commercial Register kept by the Municipal Court in Prague, File No. C 396327 ("we", "us"). We operate maketheir.day.

For anything related to your personal data, write to hello@maketheir.day. We have not appointed a data protection officer — for a service this size the law doesn't require one, and this way you reach the people who actually run things faster.

What we process, why, and on what legal basis

  • Account: your email address, used for sign-in codes and the emails listed below. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
  • Drafts before sign-in: an anonymous random token (cookie) that links your browser to drafts you create before signing in. Legal basis: steps taken at your request prior to entering a contract (Art. 6(1)(b) GDPR).
  • Gift content: the texts and photos you add. Photos are re-encoded in your browser before upload, which strips EXIF metadata including GPS location. Legal basis: performance of a contract (Art. 6(1)(b) GDPR); for personal data of other people contained in your content, our legitimate interest in hosting and displaying content at your direction (Art. 6(1)(f) GDPR) — see "Content about other people" below.
  • Payments: handled by Stripe; we store only the payment record (amount, date, Stripe reference) — never card numbers. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and compliance with legal obligations — tax and accounting records (Art. 6(1)(c) GDPR).
  • Transactional email: sign-in codes, purchase confirmations, and expiry/lifecycle warnings for your gifts. Legal basis: performance of a contract (Art. 6(1)(b) GDPR). We send no marketing emails. If that ever changes, it will be strictly opt-in.
  • Security and abuse prevention: short-lived technical logs and IP-based rate limiting that protect sign-in, checkout, and the secret-word check. Legal basis: our legitimate interest in keeping the service secure (Art. 6(1)(f) GDPR).
  • Secret words: stored only as a bcrypt hash. We cannot read them, and neither can anyone else.

We do not use your data for automated decision-making or profiling, and we run no analytics or advertising trackers.

Content about other people

A gift naturally contains personal data of someone else — the recipient's name, their photos, your memories together. You create and share a gift as a purely personal activity; we host and display that content at your direction. You are responsible for having the right to use what you upload, including the consent of people shown where required. Until the unlock moment, visitors of a locked page see only the first name you chose and a countdown.

If you appear in someone's gift and want content about you removed, email hello@maketheir.day or use the report link on the gift page — we will review and act promptly.

Cookies and local storage

We use strictly necessary cookies only — the kind the law does not require consent for, because the service cannot work without them. That is why our cookie notice is purely informational. Specifically:

  • Sign-in session (cookies prefixed sb-): keep you signed in. Removed on sign-out, otherwise expire automatically.
  • Draft token (mtd_anon): connects your browser to drafts created before signing in. Expires after 60 days.
  • Secret-word pass (mtd_gate_…): remembers that you entered a gift's secret word correctly, scoped to that gift's address only. Expires after 30 days.
  • Cookie-notice dismissal (mtd-cookie-notice-dismissed, local storage): remembers that you closed the notice, so it doesn't nag you.

No analytics cookies, no marketing cookies, no third-party trackers.

Who sees a gift

Only people with the link. Gift pages are excluded from search engines, addresses are not enumerable, and locked pages never contain the gift's content. Until the unlock moment, visitors see only the recipient's name and a countdown.

Processors and recipients

We rely on a small set of providers, each bound by a data processing agreement under Art. 28 GDPR:

  • Supabase — database, file storage, and authentication. Your data is hosted on AWS in Frankfurt, Germany (region eu-central-1), and stays within the EU.
  • Stripe Payments Europe, Ltd. (Ireland) — payment processing. For payments, Stripe also acts as an independent controller under its own privacy policy. Transfers to Stripe, Inc. (USA) are safeguarded by the EU–US Data Privacy Framework and standard contractual clauses.
  • Resend (USA) — delivery of the transactional emails described above. Transfers are safeguarded by standard contractual clauses (Art. 46 GDPR).
  • Vercel Inc. (USA) — web hosting and content delivery. Transfers are safeguarded by the EU–US Data Privacy Framework and standard contractual clauses.

Beyond these, we disclose personal data only where the law requires it (for example to public authorities acting within their powers).

How long we keep things

  • A published gift lives 12 months, plus a 30-day renewable grace period.
  • After the grace period, photos and content are permanently deleted and only a minimal audit record remains, which is itself purged after 90 days.
  • Abandoned drafts (no edits for 60 days) are deleted including photos.
  • Deleting your account removes your gifts, photos, and personal data immediately. Live gifts are deleted too — we warn you first.
  • Payment and invoicing records are kept for up to 10 years where Czech tax and accounting law requires it — that retention is a legal obligation, not a choice.
  • Security logs are short-lived and rotate automatically.

How we protect your data

All traffic is encrypted in transit (TLS). Secret words are stored only as bcrypt hashes. Photos live under non-guessable identifiers. Access to production data is restricted to the minimum necessary, and our database denies access by default.

Your rights (GDPR)

You can request access to your data, rectification, erasure, restriction of processing, and a portable copy, and you can object to processing based on legitimate interests. Account deletion is self-service in the dashboard. For anything else, email hello@maketheir.day — we respond within one month, as the GDPR requires.

You also have the right to lodge a complaint with a supervisory authority. Ours is the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, uoou.gov.cz. If you live elsewhere in the EU, you may complain to your local authority instead.

Age

You must be at least 15 years old to create an account (the age at which Czech law lets you consent to information-society services on your own). Gift recipients, of course, can be any age — the account holder is you, not them.

Changes to this policy

If we change this policy in any material way, we will email account holders before the change takes effect and update the date above.

Contact

Beilo s.r.o., Obětí 6. května 554/4, Krč, 140 00 Prague 4, Czech Republic. hello@maketheir.day