Privacy Policy

Effective date: February 2, 2026

Last updated: February 2, 2026

This Privacy Policy describes how Wishlistme.app ("Service", "we", "us") collects, uses, and protects personal data when you use our website or mobile applications.

The data controller is a sole proprietor (Einzelunternehmer) established in the Federal Republic of Germany.

Contact email: [email protected]

1. Information We Collect

We collect only information necessary to operate and improve the Service.

1.1 Information You Provide

  • Email address
  • Name or nickname
  • Profile avatar
  • Wishlist content and other user-generated content

1.2 Information Collected Automatically

  • IP address
  • Device and browser information
  • Log and usage data
  • Cookies (technical and analytical)

1.3 Group Gift Payment Links

The Service does not process payments and does not integrate any payment processor. We never receive, hold, or transfer money.

For a group gift collection, the organiser may voluntarily provide their own payment link or identifier (for example a PayPal.me link or a Revolut handle) so that contributors can pay the organiser directly, outside of our Service.

Such payment links are:

  • stored in encrypted form (AES-256-GCM),
  • never publicly visible,
  • accessible only to participants of the specific gift collection.

We do not store payment card details or banking credentials. Any actual payment happens directly between the contributor and the organiser through the third-party service the organiser chose, under that service's own privacy policy.

2. How We Use Information

We use personal data to:

  • Create and manage user accounts
  • Authenticate users (email/password, Google OAuth)
  • Enable creation and sharing of wishlists
  • Enable group gift collections
  • Send transactional emails (e.g. verification, reservations)
  • Ensure security and prevent fraud or abuse
  • Analyze usage and improve the Service

3. Legal Bases for Processing (GDPR)

Where applicable, we process personal data based on:

  • Performance of a contract
  • User consent
  • Legal obligations
  • Legitimate interests, including security and service improvement

4. Cookies and Tracking Technologies

We use strictly necessary cookies for website functionality and analytical cookies to understand how the Service is used.

Analytical cookies are used only with user consent.

  • Strictly necessary cookies for authentication and core functionality
  • Analytical cookies (Google Analytics, Umami)

5. Analytics

We use the following analytics and measurement tools:

  • Umami — self-hosted, cookieless web analytics running on our own server (no data shared with a third party).
  • Google Analytics (Google Ireland/LLC) — loaded only after you accept analytics cookies.
  • Meta Pixel (Meta Platforms Ireland/Inc.) — measures visits and ad performance.

Analytics data is processed in aggregated or pseudonymized form where possible. Google and Meta are US-headquartered; see section 7 on international transfers.

6. Sub-processors and Data Sharing

We rely on the following sub-processors. We share only the data each one needs to perform its function:

  • Google (Google Ireland Ltd / Google LLC, US) — "Sign in with Google" login and Google Analytics; receives name, email and avatar on login, and pseudonymous usage data for analytics.
  • Meta Platforms (Meta Platforms Ireland Ltd / Meta Platforms Inc., US) — Meta Pixel measurement; receives pseudonymous browsing/event data.

Country detection from your IP address is performed locally on our own server using a self-hosted MaxMind GeoLite2 database; your IP address is not sent to a third party for this purpose.

We do not sell or rent personal data.

7. International Data Transfers

Some of our sub-processors (Google and Meta) are headquartered in the United States, so personal data may be transferred to and processed there.

Where data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework as the legal safeguard for the transfer.

8. Data Retention

We retain personal data only as long as necessary to:

  • Provide the Service
  • Comply with legal and accounting obligations

Users may request deletion of their account and associated data.

9. Account and Data Deletion

Users can request deletion of their account and personal data by contacting:

[email protected]

Requests are processed within a reasonable timeframe and in accordance with applicable law.

10. Children's Privacy

The Service is not directed to children under 16. By creating an account you confirm that you are at least 16 years old, or that you have the consent of a parent or legal guardian (GDPR Art. 8).

We do not knowingly collect personal data from children under 16 without such consent.

If a parent or legal guardian believes that a child has provided personal data without appropriate consent, they may contact us to request deletion.

11. Your Privacy Rights

Depending on your location, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of data
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time

You can exercise your right to data portability at any time by downloading a machine-readable copy of your data (profile, lists, items, reservations and contributions) while logged in: Download my data (JSON)

California residents may also have rights under CCPA/CPRA, including the right to know, delete, and opt out of data sharing.

Requests can be sent to: [email protected]

12. Data Security

We use appropriate technical and organizational measures, including encryption and access controls, to protect personal data against unauthorized access, loss, or misuse.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

Changes will be published on this page with an updated effective date.

14. Contact Information

For privacy-related questions or requests:

Email: [email protected]