GDPR · EU Regulation 2016/679

Privacy Policy

Version 1.0 — Last updated: 5 March 2026

In brief

  • The data controller is Marco Greco, reachable via the contact form (subject "Other").
  • We analyse only publicly accessible social profiles, temporarily and without permanent data storage.
  • No registration is required; we do not collect sensitive data.
  • We use only technically necessary cookies; any analytics tools operate in anonymised form.
  • You have full rights under Arts. 15–22 GDPR, exercisable via the contact form (subject "Other").

1. Identity and contact details of the data controller

The data controller for personal data collected and processed through the PresentHunter website (the "Site") is:

Name: Marco Greco

Tax code / VAT: GRCMRC85R15F205Y

Registered address: Via Primo Maggio 2, Baranzate

Contact: Contact form (subject "Other")

Privacy contact: Marco Greco

No Data Protection Officer (DPO) has been appointed as the conditions under Art. 37 GDPR are not met. [Amend if applicable]

2. Categories of personal data processed

PresentHunter processes two distinct categories of personal data, relating to different individuals:

2.1 Data of Site users (visitors)

  • Browsing data: IP address, browser type, operating system, pages visited, HTTP request timestamps — automatically collected by servers for security and diagnostic purposes.
  • Voluntarily provided data: information entered in the contact form (name, email address, message text) and the URL of the social profile to be analysed.
  • Technical cookies: session identifiers and language preferences; see section 9.

2.2 Data of third parties (subjects of the analysed profiles)

At the user's request, the Site accesses information made publicly available on the Instagram or Facebook profile of the person being celebrated. This may include:

  • Public profile name and profile or post images.
  • Publicly published content: posts, captions, hashtags, public interactions.
  • Interests, hobbies and lifestyle inferred from public activity on the profile.

We never collect: private messages, content visible only to friends/followers, restricted stories, precise geolocation data, health data or other special category data under Art. 9 GDPR.

3. Purposes and legal bases for processing

3.1 Provision of the gift recommendation service

Purpose: processing public social profile information provided by the user to generate personalised gift suggestions.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the controller and the user in receiving relevant gift suggestions, balanced against the fundamental rights and freedoms of the analysed subject (see section 4 for the detailed assessment).

3.2 Security and abuse prevention

Purpose: preventing unauthorised access, service abuse, fraudulent activity and protecting system integrity.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the controller in IT security and service protection.

3.3 Contact form management

Purpose: responding to enquiries and reports submitted via the contact form.
Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures, or Art. 6(1)(a) GDPR — express consent of the data subject at the time of submission.

3.4 Anonymised statistical analysis

Purpose: improving the performance and usability of the Site through aggregated and anonymised statistical data not traceable to specific individuals.
Legal basis: not applicable (data is anonymised and does not constitute personal data under GDPR). Where tools processing non-anonymised IPs are used, the basis will be Art. 6(1)(f) GDPR.

4. Automated analysis of public social profiles — specific section

⚠️ Section of particular relevance

This section describes the most sensitive processing carried out by PresentHunter, concerning data of individuals who do not interact directly with the Site.

4.1 Description of the processing

PresentHunter offers a service that, at the user's explicit request, accesses publicly available information on the Instagram or Facebook profile of a third party (the "analysed subject") in order to generate personalised gift suggestions. The processing is entirely automated via an artificial intelligence system.

4.2 Legal basis and balancing of interests

The legal basis for this processing is legitimate interest under Art. 6(1)(f) GDPR. The controller has conducted the following balancing assessment:

  • Interest pursued: providing the user with personalised and relevant gift suggestions, improving the shopping experience and strengthening interpersonal relationships.
  • Necessity of processing: access to the public profile data is necessary to achieve the purpose; no less invasive alternative means exist to obtain equivalent results.
  • Reasonable expectations of the analysed subject: a person who publishes information on a public social profile knowingly chooses to make it visible to anyone on the internet. Consultation of such information by third parties falls within the reasonable expectations associated with a public profile.
  • Impact on the analysed subject: limited. Data is processed solely for the time required to complete the request, is not permanently stored, is not disclosed to third parties for their own purposes, and does not produce legal effects or significant decisions concerning the subject.
  • Safeguards adopted: data minimisation (only information relevant to the gift purpose), automatic deletion upon completion of processing, no secondary profiling, no direct marketing targeting the analysed subject.

On the basis of this assessment, the controller considers that the legitimate interest reasonably overrides the fundamental rights and freedoms of the analysed subject, in compliance with the principles of Art. 5 GDPR.

4.3 Limitations and scope of processing

  • The service is accessible exclusively for public profiles. It is technically impossible and not permitted to access private profiles or restricted content.
  • Data is processed solely to generate the gift suggestions requested by the user. It is not used for commercial profiling, behavioural advertising, sale to third parties or any other secondary purpose.
  • Processing is temporary: the analysed profile data is not stored in any permanent database of the controller.
  • The service does not make automated decisions with legal effects concerning the analysed subject within the meaning of Art. 22 GDPR.

4.4 Notice to the analysed subject (Art. 14 GDPR)

The analysed subject does not directly provide their data to the controller. In accordance with Art. 14(5)(b) GDPR, the controller is not required to provide the notice directly to the analysed subject, as doing so would involve disproportionate effort since the controller does not hold direct contact details for the data subject. This policy fulfils the transparency obligation under Art. 14(1)–(4) GDPR through public publication.

An analysed subject who becomes aware of the processing retains the right to exercise all rights under Arts. 15–22 GDPR, including the right to object under Art. 21, by contacting the controller via the contact form (subject "Other").

4.5 Disclaimer

The controller is not responsible for the accuracy, completeness or currency of information published by individuals on their social profiles, nor for the possible accessibility of content that the social platform should have made non-public. The controller processes only information that platforms make publicly accessible through their own interfaces. Any improper use of the service by users to access or disclose information about third parties is the sole responsibility of the user.

5. Recipients and third-party providers (data processors)

Personal data processed may be disclosed to the following third parties, appointed as data processors under Art. 28 GDPR via a data processing agreement:

  • Hosting / cloud provider: [HOSTING PROVIDER NAME] — for the provision of the Site's technical infrastructure.
  • Workflow automation provider (n8n): [n8n PROVIDER NAME/URL] — for orchestrating the request processing pipeline.
  • Artificial intelligence provider: [AI PROVIDER NAME] — for automated processing of profile data and generation of gift suggestions via AI-powered assistants.
  • Public data collection tools (scraping/API): [PROVIDER NAME] — for accessing public social profile information.
  • Analytics provider: [ANALYTICS PROVIDER NAME, e.g. Plausible / Matomo / Google Analytics] — for anonymised statistical analysis of web traffic.

Data is not sold, transferred or disclosed to third parties for their own purposes. An up-to-date list of data processors is available on request via the contact form (subject "Other").

6. Transfers of data to third countries

Some third-party providers listed in section 5 may be based outside the European Economic Area (EEA), in particular in the United States of America. In such cases, transfers are made subject to the following safeguards:

  • EU–US Data Privacy Framework (DPF): for providers certified under the European Commission adequacy decision of 10 July 2023.
  • Standard Contractual Clauses (SCCs): adopted by European Commission Decision of 4 June 2021 (2021/914/EU), for providers not certified under DPF.
  • Supplementary measures: encryption in transit and at rest, data minimisation.

A copy of the safeguards adopted may be requested via the contact form (subject "Other").

7. Retention periods

Data category | Retention period
Social profile data (analysed subject) | Real-time processing — no permanent storage
Technical system logs (IP, timestamps) | Up to 12 months, unless required by law or for legal protection
Contact form data | Until the request is handled, and in any case no longer than 24 months
Technical cookies (session and preferences) | Session or 12 months (see section 9)
Anonymised analytics data | Up to 26 months in aggregate form

At the end of the retention period, data is permanently deleted or irreversibly anonymised.

8. Technical and organisational security measures

The controller implements security measures appropriate to the risk under Art. 32 GDPR, including:

  • Encryption in transit: all communications use TLS/HTTPS.
  • Access control: data access limited to authorised personnel on a need-to-know basis.
  • Data minimisation: only data strictly necessary for the stated purpose is collected.
  • Automatic deletion: analysed profile data is deleted upon completion of processing without being stored in permanent archives.
  • Monitoring and logs: access logging for anomaly detection and abuse prevention.
  • Security updates: regular updates to software, dependencies and security patches.
  • Supplier assessment: data processors are selected after verifying their security measures.

In the event of a personal data breach presenting risks to the rights and freedoms of individuals, the controller will notify the supervisory authority within 72 hours under Art. 33 GDPR and, where necessary, communicate the breach to data subjects under Art. 34 GDPR.

9. Cookies and tracking technologies

The Site uses the following types of cookies:

9.1 Strictly necessary (technical) cookies

Essential for the Site to function and to remember browsing preferences (e.g. selected language). No consent is required under Art. 122 of the Italian Privacy Code and EDPB guidelines. Duration: session or up to 12 months.

9.2 Analytics cookies (if used)

Statistical traffic analysis tools configured in anonymised mode (masked IP, no cross-site fingerprinting). The legal basis is legitimate interest under Art. 6(1)(f) GDPR, having verified the anonymous nature of the processing. Where anonymisation cannot be guaranteed, the user's consent will be obtained via a banner.

9.3 Managing cookies

You can disable or delete cookies at any time through your browser settings. Disabling technical cookies may impair some Site functionality.

10. Data subject rights (Arts. 15–22 GDPR)

Every data subject — whether a Site user or a third party whose profile has been analysed — has the right to exercise the following rights:

  • Right of access (Art. 15): obtain confirmation that processing is taking place and receive a copy of the personal data processed.
  • Right to rectification (Art. 16): obtain correction of inaccurate data or completion of incomplete data.
  • Right to erasure ("right to be forgotten") (Art. 17): obtain deletion of personal data in the cases provided for by law.
  • Right to restriction of processing (Art. 18): obtain restriction of processing in the circumstances provided for.
  • Right to data portability (Art. 20): receive data in a structured, commonly used and machine-readable format, where technically applicable.
  • Right to object (Art. 21): object to processing based on legitimate interest — see section 11.
  • Right not to be subject to automated decision-making (Art. 22): not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Requests to exercise rights may be submitted via the contact form (subject "Other").

The controller will respond within 30 days of receipt, extendable by a further 60 days in cases of complexity or a large number of requests, with notification to the data subject within the first month.

Exercising rights is free of charge. Where requests are manifestly unfounded or excessive, the controller may charge a reasonable fee.

11. Right to object (Art. 21 GDPR)

The data subject has the right to object at any time to the processing of their personal data carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR), including the processing described in section 4 relating to the analysis of social profiles.

Upon objection, the controller will cease further processing of the personal data unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

The objection may be exercised via the contact form (subject "Other").

12. Complaint to the supervisory authority

Without prejudice to any other administrative or judicial remedy, a data subject who considers that the processing of their data infringes the GDPR has the right to lodge a complaint with the competent supervisory authority. In Italy:

Garante per la protezione dei dati personali

Piazza Venezia, 11 — 00187 Roma, Italy

Tel.: +39 06 696771

Email: garante@gpdp.it

PEC: protocollo@pec.gpdp.it

A data subject residing in another EU member state may also lodge a complaint with the supervisory authority of their country of residence.

13. Updates to this policy

This policy may be amended or updated due to regulatory, legal, technical or service changes. Amendments will be published on this page with an updated date. In the event of material changes, the controller will notify users with appropriate prominence on the Site.

The version in force is the one published on this page. We encourage you to review it periodically.

Policy drafted in compliance with EU Regulation 2016/679 (GDPR), Directive 2002/58/EC (ePrivacy) and applicable EDPB guidelines.
