Last Updated: December 19, 2025
1. Data Controller
Company/Name: [YOUR COMPANY NAME OR FULL NAME]
Address: [YOUR STREET ADDRESS, CITY, POSTAL CODE, COUNTRY]
Email: [YOUR CONTACT EMAIL]
Phone: [YOUR PHONE NUMBER]
Note: You must replace the placeholders above with your actual information before launching.
2. Introduction
We take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Wishlist Platform service. This policy complies with the European Union's General Data Protection Regulation (GDPR) and other applicable data protection laws.
We only collect your email address. No name, no phone number, no address. We believe in data minimization - collecting only what's absolutely necessary to provide our service.
3. Information We Collect
3.1 Information You Provide
When you create an account, we collect:
- Email Address: Used for authentication, account recovery, and communication
- Password: Stored as a secure hash (bcrypt) - we never store plain-text passwords
- Wishlist Data: Names, descriptions, and items you add to your wishlists
- Item Information: Product titles, images (URLs), and purchase links you add
3.2 Automatically Collected Information
When you use our service, we may collect:
- IP Address: Logged for security purposes (rate limiting, fraud prevention)
- Browser Information: User agent, language preference
- Usage Data: Pages visited, features used (stored temporarily in logs)
3.3 Cookies
We use the following cookies:
- Session Cookie (Essential): Required for login and authentication - no consent needed
- Cookie Consent Preference: Remembers your cookie choices
- Language Preference: Stores your preferred language
You can manage cookie preferences in your browser settings or via our Cookie Settings page.
4. Legal Basis for Processing (GDPR Article 6)
We process your data based on:
- Contract Performance (Art. 6(1)(b)): To provide the wishlist service you signed up for
- Legitimate Interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement
- Consent (Art. 6(1)(a)): For marketing communications (if you opt in)
- Legal Obligation (Art. 6(1)(c)): To comply with applicable laws
5. How We Use Your Information
We use your data to:
- Provide and maintain the wishlist service
- Authenticate your account and secure your data
- Send verification emails and important service updates
- Respond to your requests and provide customer support
- Prevent fraud, abuse, and security issues
- Improve our service and develop new features
- Send marketing communications (only with your consent)
6. Data Sharing and Disclosure
6.1 Third-Party Service Providers
We may share your data with:
- Email Service Provider: [e.g., SendGrid, Mailgun] - For sending verification emails
- Hosting Provider: [Your hosting provider] - Where our servers are located
All third-party processors are bound by Data Processing Agreements (DPAs) and comply with GDPR.
6.2 Public Wishlists
If you set a wishlist's privacy to "Public", the wishlist and its items are accessible to anyone with the direct URL. Your email address is never publicly displayed.
6.3 Legal Requirements
We may disclose your information if required by law, court order, or to protect our rights and safety.
7. Data Retention
We retain your data as follows:
- Active Accounts: Until you delete your account
- Deleted Accounts: 30-day grace period, then permanently erased
- Security Logs: 90 days, then automatically deleted
- Backups: 30 days, then removed
8. Your Rights Under GDPR
You have the following rights:
8.1 Right to Access (Art. 15)
You can download all your personal data at any time from your account settings.
8.2 Right to Rectification (Art. 16)
You can update your email and other information in your account settings.
8.3 Right to Erasure / "Right to be Forgotten" (Art. 17)
You can delete your account completely, which will erase all your data.
8.4 Right to Data Portability (Art. 20)
You can export your data in JSON format from your account settings.
8.5 Right to Object (Art. 21)
You can object to data processing based on legitimate interest.
8.6 Right to Withdraw Consent (Art. 7(3))
You can withdraw marketing consent at any time in your account settings.
9. Data Security
We implement industry-standard security measures:
- HTTPS/SSL encryption for all data transmission
- Bcrypt password hashing (10 rounds)
- Security headers (HSTS, CSP, X-Frame-Options)
- Rate limiting to prevent brute-force attacks
- Regular security updates and monitoring
- Secure session management
10. International Data Transfers
Our servers are located in [YOUR SERVER LOCATION]. If you are accessing from outside this region, your data may be transferred internationally. We ensure adequate protection through standard contractual clauses.
11. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children. By using our service, you confirm you are 16 years or older.
12. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
13. Changes to This Privacy Policy
We may update this policy from time to time. We will notify you of significant changes via email or a prominent notice on our website. Continued use after changes constitutes acceptance.
14. Contact Us
For privacy-related questions or to exercise your rights, contact us at:
Email: [YOUR CONTACT EMAIL]
Response Time: We aim to respond within 30 days.
15. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with GDPR. For EU users, find your authority at: https://edpb.europa.eu/about-edpb/board/members_en