Privacy Policy

Effective Date: February 17, 2026
Last Updated: February 17, 2026

Ribbon ("we," "us," or "our") operates the website getribbon.co and the Ribbon application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

By using Ribbon, you agree to the collection and use of information in accordance with this policy.


1. Information We Collect

1.1 Information You Provide

Account Information:

  • Email address
  • Name
  • Password (encrypted)
  • Phone number (optional, for SMS reminders)

Recipient Information:

  • Names of gift recipients
  • Relationships (e.g., mother, friend, partner)
  • Birthdays and important dates
  • Descriptions, interests, and preferences you provide about recipients
  • Gift history and occasion notes

Payment Information:

Payment processing is handled by Stripe. We do not store your full credit card number. We receive and store:

  • Last four digits of your card
  • Card expiration date
  • Billing address
  • Stripe customer ID

Communications:

  • Messages you send through our chat interface
  • Feedback you provide about gifts and recommendations
  • Support inquiries

Guest Session Information:

You can use Ribbon's gift recommendation feature without creating an account. When you use our service as a guest, we collect:

  • Messages you send during the conversation
  • A temporary session identifier (stored in your browser's session storage, cleared when you close the tab)
  • Feedback you provide on recommendations (thumbs up/down)
  • Click-through data when you visit a recommended product

Guest session data is not linked to any account and is used to provide recommendations during your visit and to improve our service. Conversation content from guest sessions may be retained in anonymized form for service improvement.

1.2 Information Collected Automatically

Usage Data:

  • Pages and features you access
  • Recommendations you view, click, or save
  • Time spent in the application
  • Actions taken (e.g., adding recipients, generating recommendations)

Device Information:

  • Browser type and version
  • Operating system
  • Device type (mobile, desktop)
  • IP address (anonymized for analytics)

Cookies and Tracking:

  • Session cookies (required for login and guest sessions)
  • Analytics cookies (Google Analytics, PostHog) to understand usage patterns
  • Advertising cookies (Meta Pixel) to measure the effectiveness of our advertising campaigns
  • A consent preference cookie to remember your cookie choices

You can manage your cookie preferences using the cookie banner that appears on your first visit. Declining non-essential cookies will prevent analytics and advertising cookies from being set. Session cookies required for the service to function cannot be disabled.

1.3 Information from Third Parties

OAuth Providers:

If you sign in with Google, we receive your email address and name from Google. We do not access your Google contacts, calendar, or other data.

Affiliate Partners:

When you purchase a product through our affiliate links, we may receive confirmation of the purchase and commission amount. We do not receive details about what you purchased or your payment information from these partners.


2. How We Use Your Information

2.1 To Provide the Service

  • Create and manage your account
  • Store and display your recipients and occasions
  • Generate personalized gift recommendations using AI
  • Send reminder notifications via email or SMS
  • Process subscription payments

2.2 To Improve the Service

  • Analyze usage patterns to improve features
  • Evaluate recommendation quality based on your feedback
  • Identify and fix bugs and performance issues
  • Develop new features based on user behavior

2.3 To Communicate With You

  • Send transactional emails (account confirmation, password reset)
  • Send occasion reminders you've configured
  • Send product updates and announcements (you can opt out)
  • Respond to support requests

2.4 For Research and Analytics

We use anonymized and aggregated data to:

  • Understand gift-giving patterns and preferences
  • Improve our AI recommendation algorithms
  • Generate insights about gift-giving trends
  • Create anonymized benchmarks and reports

Important: Anonymized data cannot be used to identify you or your recipients. See Section 5 for details.


3. How We Share Your Information

3.1 Service Providers

We share information with third-party services that help us operate Ribbon:

  • Supabase - Database hosting (all account and recipient data, encrypted)
  • Vercel - Application hosting (usage logs, IP addresses)
  • Stripe - Payment processing (email, name, payment details)
  • Resend - Email delivery (email address, notification content)
  • Twilio - SMS delivery (phone number, notification content)
  • PostHog - Analytics (anonymized usage data)
  • Sentry - Error tracking (technical error logs, no personal data)
  • Anthropic - AI recommendations (recipient descriptions)

3.2 AI Processing

To generate gift recommendations, we send recipient information (name, relationship, interests, preferences) to Anthropic's Claude AI. This data is:

  • Used only to generate your recommendations
  • Not used by Anthropic to train their AI models
  • Subject to Anthropic's privacy policy and data processing agreement

3.3 Affiliate Partners

When you click a product recommendation link:

  • You are redirected to the retailer's website (e.g., Amazon)
  • The link contains our affiliate ID for commission tracking
  • We receive confirmation if a purchase is made, but not purchase details

Disclosure: Ribbon earns affiliate commissions when you purchase products through our recommendation links. This does not affect the price you pay.

3.4 Legal Requirements

We may disclose your information if required to:

  • Comply with a legal obligation (subpoena, court order)
  • Protect and defend our rights or property
  • Prevent fraud or illegal activity
  • Protect the safety of users or the public

3.5 Business Transfers

If Ribbon is acquired, merged, or sells assets, your information may be transferred to the new owner. You will be notified via email and/or a prominent notice on our website of any change in ownership and your choices regarding your information.


4. Data Retention

We retain your information as follows:

  • Account data - Until you delete your account
  • Recipient data - Until you delete the recipient or account
  • Conversation history - 2 years, then anonymized
  • Recommendation data - 3 years, then anonymized
  • Payment records - 7 years (legal requirement)
  • Analytics data - Anonymized after 90 days

When you delete your account:

  • Personal data is deleted within 30 days
  • Backups are purged within 90 days
  • Anonymized/aggregated data is retained (see Section 5)

5. Anonymized and Aggregated Data

What This Means

We create anonymized datasets by removing all identifying information:

  • Your name, email, and account ID are removed
  • Recipient names are removed or replaced with generic labels
  • Data is combined with thousands of other users

How We Use Anonymized Data

Anonymized data may be used to:

  • Improve our recommendation algorithms
  • Publish research or reports on gift-giving trends
  • Create benchmarks for product performance
  • Support business analytics and planning

Your Rights Regarding Anonymized Data

Because anonymized data cannot be linked back to you, it is not subject to deletion requests. This is standard practice and complies with GDPR and CCPA definitions of anonymization.

Example: If 10,000 users mark "spa gift card" as a hit for "mother + birthday," that aggregated insight remains even if individual users delete their accounts.


6. Your Rights and Choices

6.1 Access and Portability

You can:

  • View all data we have about you in the Settings page
  • Export your data (recipients, occasions, gift history) in JSON format
  • Request a complete data export by emailing privacy@getribbon.co

6.2 Correction

You can update your account information and recipient details at any time through the app.

6.3 Deletion

You can:

  • Delete individual recipients (removes all their data)
  • Delete your account (removes all personal data within 30 days)
  • Request deletion by emailing privacy@getribbon.co

6.4 Communication Preferences

You can:

  • Opt out of marketing emails via the unsubscribe link
  • Disable SMS reminders in Settings
  • Adjust email reminder preferences in Settings

Note: You cannot opt out of transactional emails (password reset, payment receipts) while maintaining an account.

6.5 California Residents (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Request deletion of your personal information
  • Opt out of the sale of personal information

We do not sell your personal information. Sharing anonymized/aggregated data or affiliate commission relationships does not constitute a "sale" under CCPA.

To exercise your rights, email privacy@getribbon.co with "CCPA Request" in the subject line.

6.6 European Residents (GDPR)

If you are in the European Economic Area, you have additional rights:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

Our legal basis for processing:

  • Contract: Processing necessary to provide the Service
  • Legitimate interest: Analytics, fraud prevention, service improvement
  • Consent: Marketing communications, optional features

To exercise your rights, email privacy@getribbon.co with "GDPR Request" in the subject line.


7. Data Security

We implement appropriate technical and organizational measures to protect your information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access control: Employee access is limited and logged
  • Infrastructure: We use industry-leading cloud providers (Supabase, Vercel) with SOC 2 compliance
  • Authentication: Passwords are hashed using bcrypt; we support OAuth for secure sign-in
  • Monitoring: We monitor for security threats and suspicious activity

No system is 100% secure. If you believe your account has been compromised, contact us immediately at security@getribbon.co.


8. Children's Privacy

Ribbon is not intended for users under 16 years of age. We do not knowingly collect information from children under 16. If we learn that we have collected information from a child under 16, we will delete that information promptly.

If you believe a child under 16 has provided us with information, please contact privacy@getribbon.co.


9. International Data Transfers

Ribbon is based in the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.

For users in the European Economic Area, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Posting a notice on the Service
  • Sending an email to your registered address
  • Updating the "Last Updated" date at the top

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.


11. Contact Us

If you have questions about this Privacy Policy or our data practices:

Email: privacy@getribbon.co
Mail: Foxen Canyon Holdings LLC, Arkansas, USA

For data protection inquiries from the EU, you may also contact our representative at the address above.


12. Affiliate Disclosure

Ribbon participates in affiliate programs, including Amazon Associates. When you click product links and make purchases, we may earn a commission at no additional cost to you. This affiliate relationship does not influence which products we recommend—recommendations are generated by AI based solely on recipient preferences and occasion context.

This Privacy Policy was last updated on February 17, 2026.