Last updated: May 22, 2026
This Privacy Policy describes how Owens Enterprises LLC (“Giin”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use the Giin loyalty platform (the “Service”). It applies to customers who sign in to the Service at participating venues, and explains your rights regarding your personal data.
Please read this policy carefully. By using the Service, you confirm that you have read and understood this policy. Where the law requires your specific consent for certain uses of your data, we ask for that consent at the point of sign-in and you may withdraw it at any time.
Depending on the country in which you use the Service, additional terms may apply. The jurisdiction-specific provisions in Section 16 describe those additional terms where they apply to you.
Giin is a digital loyalty platform used by bars, restaurants, and other venues. When you scan a QR code at a participating venue, you can sign in to Giin, complete simple tasks the venue has set, and earn rewards that are redeemable on a return visit.
To deliver this service, we need to know who you are across visits -- that is what your phone number and/or email address is used for. Your phone number and/or email address is your identity within Giin. It allows you to sign back in, see your active rewards across all venues, and redeem them when you return.
Separately, each time you visit a participating venue for the first time, we ask you whether you agree to that specific venue receiving your phone number and/or email address so they can send you promotions and updates. Your choice is per-venue: you can accept for some venues and decline for others, and you can change your mind at any time from within the Service.
We do not collect your name, payment information, government identification, biometric data, health data, or any other category of sensitive personal data. The Service is intentionally designed to operate using only your phone number and/or email address as an identifier.
We do not track your location outside of moments when you actively scan a venue's QR code. We do not access your contacts, your camera (other than for QR scanning, when you initiate it), your photos, or any other data on your device.
We use your personal data for the following purposes:
Giin does not currently make any automated decisions about individual customers that produce legal or similarly significant effects. The benchmarking and analytics described above use only aggregated, de-identified data and do not result in decisions specific to you. If this changes in the future, we will update this policy and, where required, ask for your consent before applying any such processing.
We do not sell your personal data. We do not share your personal data with advertisers, data brokers, or any third party except as described in this policy.
We process your personal data on the following bases:
We rely on consent for two specific things, and we ask for these separately:
(a) Accepting this Privacy Policy and our Terms of Service. When you first sign in to the Service, you confirm that you have read and agreed to this Privacy Policy and the Terms of Service. This acceptance is a one-time confirmation. If we make material changes to either document, we will ask for your renewed acceptance before those changes apply to your account.
(b) Receiving marketing messages from a specific venue. Each time you visit a participating venue for the first time, we ask you separately whether you consent to that venue receiving your phone number and/or email address for the purpose of sending you promotions and updates. Your choice is per-venue: you can accept for some venues and decline for others, and your choice for one venue does not affect any other. You can change your marketing preferences for any venue at any time within the Service.
You may withdraw any consent at any time. Withdrawing your consent to a venue's marketing means that venue will be required to stop contacting you and to remove your phone number and/or email from its list. Withdrawing your acceptance of this Privacy Policy and the Terms of Service means you can no longer use the Service.
Some processing is necessary to deliver the Service you have asked us to provide -- for example, recording your task completions so you can earn your reward. This processing is necessary to perform our contract with you.
We rely on legitimate interest for limited purposes such as fraud prevention, network security, aggregated analytics that improve the Service, and benchmarking insights for venues using only de-identified data. We have assessed these uses to ensure they do not override your rights and freedoms.
Where we are required by law to retain or disclose data -- for example, in response to a lawful order from a regulatory authority -- we will do so.
This section explains the most important data-sharing relationship in the Service.
When you visit a venue and complete a task, the venue's staff app receives only the minimum information needed to verify your activity -- that you completed the task and that your reward should be activated. The staff app does not display your phone number and/or email address.
Whether your phone number and/or email is accessible by the venue depends on the consent you provide for that specific venue. The first time you visit a venue, we ask whether you consent to that venue having access to your phone number and/or email for marketing. If you consent, the venue may use it to send you promotions and updates. If you decline, your phone number and/or email is not accessible by that venue. You can change your marketing preferences for any venue at any time within the Service, including muting a venue you previously consented to or opting in to a venue you previously declined.
Giin is the controller of the data we collect at sign-in. When we share your phone number and/or email address with a venue you have agreed to share with, that venue becomes an independent controller of that data for its own marketing purposes. Each controller is independently responsible for complying with applicable data protection law in its handling of the data.
If you withdraw your consent to a venue's marketing, the venue is required to stop contacting you and to remove your phone number and/or email from its list. Withdrawing consent does not affect data lawfully shared before the withdrawal, but the venue's continuing obligation to honor your opt-out is unaffected.
We require every participating venue to agree, in their contract with Giin, to handle your phone number and/or email address lawfully. Specifically, venues are required to:
If a venue misuses your data, you can report it to us at the contact details below. Venues that fail to honor their obligations may have their access to the Service suspended or terminated.
If a venue stops using the Service, the venue retains the phone numbers and/or email addresses customers have agreed to share with them, and remains bound by the obligations described above. Your right to opt out of that venue's communications, and to ask the venue to delete your phone number and/or email address from their list, continues to apply.
If you wish to remove your phone number and/or email address from a venue's list after that venue has left Giin, you may contact the venue directly, or contact us and we will assist you in reaching them.
Apart from sharing with venues as described above, we share your data only in the following limited circumstances:
We do not share your data with advertisers. We do not sell your data. We do not engage in cross-platform tracking or behavioral advertising.
Your data is stored on cloud servers operated by Amazon Web Services (AWS) in the Asia Pacific (Tokyo) region (ap-northeast-1), a reputable cloud infrastructure provider. We have selected this provider for its strong security practices and compliance with applicable data protection standards.
Although Giin operates as a brand of Owens Enterprises LLC, a Wyoming-registered limited liability company with its registered address at 312 W. 2nd St., #2514, Casper, WY 82601, USA, we do not transfer customer data to the United States in the ordinary course of operating the Service. The cloud servers described above are located in Tokyo, Japan, and customer data remains within that region. However, because Giin's contracting entity is incorporated in the United States, that entity may in principle be subject to US legal process (such as a court order or subpoena) requiring production of data it controls. We commit to challenging any such request to the maximum extent permitted by law, and to notifying affected customers wherever we are not legally prohibited from doing so.
Where our service providers (such as cloud hosting or SMS delivery) process data outside the region in which it was collected, we ensure they have committed to appropriate data protection safeguards under contracts that comply with applicable cross-border transfer requirements. Jurisdiction-specific commitments regarding data residency and cross-border transfers are set out in Section 16.
We retain your personal data only for as long as it is necessary for the purposes described in this policy:
If you ask a specific venue to delete your phone number and/or email address from their records, the venue is required to do so within a reasonable period. The venue's own retention practices apply to data they hold separately from Giin.
Giin honors the following rights regarding your personal data, as a matter of company policy and in accordance with applicable law. We will respond to any request you make under these rights within 30 days, in accordance with applicable law.
You can request a copy of the personal data we hold about you. We will provide it in a clear, accessible format.
If any of your personal data is inaccurate or out of date, you can ask us to correct it. The most common case here is updating your phone number and/or email address -- for example, if you change your mobile number.
You can ask us to delete your personal data. We will do so unless we have an overriding legal obligation to retain it (for example, transaction records required for tax purposes). When we delete your data, we also notify any venues you had shared your phone number and/or email address with so they can remove you from their lists.
You can withdraw any consent you have given at any time. You can do this within the Service (preferred) or by contacting us. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
You can object to certain types of processing -- particularly any processing based on legitimate interest. We will reassess and either stop the processing or explain why we believe it should continue.
In certain circumstances, you can ask us to limit how we use your data while we resolve a dispute or check the accuracy of data.
You can ask for a copy of the data you have provided to us in a structured, commonly used, machine-readable format.
If you believe we have not handled your data properly, you can complain to the relevant data protection authority in your country. See the jurisdiction-specific section in Section 16 for the contact details of the regulator in your country, where one applies. We would always prefer to address your concern directly first -- please contact us using the details below -- but you have the right to go directly to the regulator at any time.
In some jurisdictions, additional rights apply beyond those listed above. Where additional rights apply to you, they are set out in the relevant jurisdiction-specific section in Section 16.
We take reasonable and appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure. These measures include:
If we ever experience a data breach that affects your personal data, we will notify you and the relevant data protection authorities within 72 hours of becoming aware of the breach, as required by applicable law.
No system is perfectly secure, and we cannot guarantee absolute security. We commit to working diligently to protect your data and to being transparent if anything goes wrong.
The Service is intended for adults (18 years and older). We do not knowingly collect personal data from anyone under 18. If you believe a child under 18 has provided us with personal data, please contact us and we will delete that data promptly.
Participating venues might offer alcohol, tobacco, gaming, gambling, or other products or services subject to local age restrictions. The 18+ requirement above applies to use of the Service itself; venues are independently responsible for verifying customer age for any age-restricted activity at their location.
Some tasks within the Service may involve third-party platforms -- for example, a venue may set a task asking you to share a story on a social media platform. When you interact with those platforms, their own privacy policies apply, and Giin has no control over how those platforms handle your data.
We do not pass your Giin account data to third-party platforms. Anything you share on a third-party platform is shared by you, on your own account, under that platform's terms.
We may update this Privacy Policy from time to time. When we do, we will:
We will not use your data in materially new ways without your consent. If you do not agree to a change, you can stop using the Service and request deletion of your data at that time.
If you have questions, requests, or complaints about how we handle your personal data, please contact us:
Email: dpo@giin.ai
Address: 312 W. 2nd St., #2514, Casper, WY 82601, USA
Company: Owens Enterprises LLC, a Wyoming-registered limited liability company
We will respond to your inquiry as promptly as we can, and within the timeframes required by applicable law.
If you would like to escalate a privacy matter, you can request that your inquiry be directed to our Data Protection Officer, at the same email address above.
If you are in a country where Giin operates and you wish to file a formal complaint with that country's data protection regulator, contact details for the relevant regulator are set out in the corresponding jurisdiction-specific section in Section 16. We encourage you to reach out to us first so we can try to resolve any concerns directly.
The following sections supplement this Privacy Policy with information specific to certain jurisdictions where Giin operates. Where you are a resident of or located in one of these jurisdictions, the relevant section applies to you in addition to the rest of this Privacy Policy. Where any provision in a jurisdiction-specific section conflicts with the main body of this Privacy Policy, the jurisdiction-specific provision controls for residents of and customers located in that jurisdiction.
Currently published jurisdiction-specific sections:
Last updated: May 22, 2026
This document supplements Giin's Privacy Policy for customers in Thailand. It must be read together with the main Privacy Policy. Where any provision of this addendum conflicts with the main Privacy Policy, this addendum controls for customers in Thailand.
This addendum applies to customers in Thailand. The processing of personal data described in the main Privacy Policy, as it relates to customers in Thailand, is subject to Thailand's Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”).
Giin is committed to complying with PDPA in its processing of personal data of customers in Thailand, whether collected by Giin directly through the Service or shared with participating venues with the customer's consent.
Where you have consented to a venue receiving your phone number and/or email address, the venue is contractually required not to transfer that data outside Thailand without an appropriate legal basis under PDPA.
For purposes of PDPA, Giin is the controller of the data Giin collects at sign-in. When Giin shares your phone number and/or email address with a venue you have agreed to share with, that venue becomes an independent controller of that data for its own marketing purposes. Each controller is independently responsible for complying with PDPA in its handling of the data, in addition to the contractual obligations Giin imposes on participating venues.
Section 11 of the main Privacy Policy commits Giin to notifying relevant data protection authorities of a breach within 72 hours. For customers in Thailand, this means that, in the event of a data breach affecting Thailand customers' personal data, Giin will notify Thailand's Personal Data Protection Committee (the “PDPC”) within 72 hours of becoming aware of the breach, in accordance with PDPA's requirements, and will notify affected customers as required by law.
If you are a customer in Thailand and wish to file a formal complaint about how Giin handles your personal data, you may complain to Thailand's Personal Data Protection Committee:
Office of the Personal Data Protection Committee
120 Moo 3, Chaeng Watthana Road, Lak Si, Bangkok 10210, Thailand
Website: https://www.pdpc.or.th
We would always prefer to address your concern directly first -- please contact us using the details in Section 15 of the main Privacy Policy -- but you have the right to go directly to the regulator at any time.
Giin and participating venues are required to comply with Thailand's anti-spam regulations in any communications sent to customers in Thailand. This applies to both Giin service messages and venue marketing messages.
All other provisions of the main Privacy Policy apply to customers in Thailand. This addendum does not replace the main Privacy Policy; it supplements it. To understand how Giin handles your personal data overall -- including what data is collected, how it is used, how to exercise your rights, and how to contact Giin -- please read this addendum together with the main Privacy Policy.
Powered by Giin