Privacy Policy

Last updated: May 12, 2026

Five Whys LLC (“we”) operates Boon (boon.gifts). This policy describes what personal information we collect, how we use it, who we share it with, and the rights you have. We collect as little as we need to run the service. We do not sell personal information.

1. Information We Collect

From the buyer at purchase

• Email address (used by Stripe to send your receipt and, on self-delivery, by us to send the redemption code)
• Billing details collected by Stripe for payment processing (we do not store your full card number — Stripe does)
• A personal message, if you choose to write one

From the recipient at delivery and redemption

• Recipient email address (used to deliver the gift; you, the buyer, provided this)
• Verification email address entered during redemption
• IP address and browser user-agent at the time of code issuance and session creation (used for fraud detection and audit logging)

Automatically

• Standard server logs (URLs requested, response codes, timestamps)
• A single first-party session cookie after successful redemption, valid for 30 days, that lets the recipient return to their card without re-verifying email
• Anonymous traffic analytics via Google Analytics (page views, referral source, device class). You can opt out via your browser’s do-not-track signal or an analytics-blocking extension.

2. How We Use It

• To process payments and deliver the gift card you purchased
• To authenticate the recipient before revealing the underlying API key
• To send transactional emails (receipt, gift, verification code, replacement notices)
• To detect fraud, abuse, or chargebacks
• To improve the service (aggregate analytics only)

3. Who We Share It With

We share the minimum information needed with the following third-party service providers (“processors”):

• Stripe — payment processing. Stripe sees buyer email, payment method, and amount. See stripe.com/privacy.
• Resend — transactional email delivery. Resend sees the recipient email, subject, and body of each message. See resend.com/legal/privacy-policy.
• OpenRouter — the underlying AI gateway. We provision an API key against your gift; OpenRouter sees usage of that key but not your email. See openrouter.ai/privacy.
• Railway — hosting infrastructure. Server logs and database storage are processed on Railway’s platform.
• Cloudflare — DNS, edge caching, email routing.
• Google Analytics — aggregate traffic analytics (no per-user purchase data).

We do not sell your personal information. We disclose personal information to law enforcement only when required by valid legal process and to enforce these terms in good faith.

4. Security

API keys associated with redeemed gifts are encrypted at rest with AES-256-GCM under a key-encryption key that is rotated on a regular schedule. Lookup of redemption codes uses an HMAC with a pepper kept separate from the database. All traffic to boon.gifts is served over TLS. No system is perfectly secure, however; we cannot guarantee that unauthorized parties will never gain access.

5. Retention

We retain purchase and gift records for as long as necessary to operate the service and meet legal, tax, and dispute-resolution obligations (typically seven years for payment records). After a gift is fully redeemed and exhausted, you may request deletion of your personal details via support@boon.gifts.

6. Your Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Request deletion of personal information (subject to legal retention requirements)
• Object to certain processing or withdraw consent for analytics
• Receive a portable copy of your information

To exercise any of these rights, email support@boon.gifts from the address associated with your purchase or redemption. We will respond within 30 days.

7. Children

Boon is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, please contact us and we will delete it.

8. International Users

Our services are operated in the United States. If you access Boon from outside the U.S., your information is transferred to and processed in the U.S., which may have different data-protection laws than your jurisdiction.

9. Changes

We may update this policy from time to time. Material changes will be reflected in the “Last updated” date above and, where appropriate, announced via a notice on boon.gifts.

10. Contact

support@boon.gifts
Five Whys LLC
United States