This policy explains what information wish.mv (the “Service”) collects, how we use it, and the choices you have.
Information we collect
- Account information.We use Google sign-in. When you sign in, we receive your Google account's email, name, and profile picture. We never see or store your Google password.
- Wishlist and group data. The wishlists, items, Secret Friends groups, claims, and draw assignments you create.
- Images you upload. Item photos, share-card images, and the payment receipts you upload for a Plus upgrade. These are stored in private cloud storage and served through time-limited links.
- Payment details. If you upgrade to Plus, we store the amount, a reference code, your uploaded bank-transfer receipt, and the verification status. Payment is by bank transfer, so we do not collect or store card numbers.
- Wishlist views. For Plus wishlists we count page views over time. We store a hashed, non-reversible value rather than a raw IP, and we never show viewer identities.
- Feedback you submit. Any message you send via the feedback form, plus the optional email address you provide.
- Basic technical data. Standard server logs (IP, user-agent, paths) for security and debugging.
How we use it
- To operate the Service: render wishlists, route invites, run draws.
- To authenticate you and keep your account secure.
- To process Plus upgrades and verify your bank transfer before enabling Plus.
- To respond to feedback and support requests you send us.
- To detect and prevent abuse.
Anonymity and who can see claims
Keeping the surprise is the whole point, so we're specific about this:
- Before the event date,claims are hidden from everyone. The wishlist owner sees only that an item is “claimed” or “available”, never by whom.
- After the event date, a wishlist owner can see who gave which gift, so they know who to thank.
- Secret Friends stays anonymous forever. You see who you were matched to give to, but no one ever finds out who gifted them — not even after the exchange date.
- Other gifters never see each other's claims at any point.
What we don't do
- We don't sell your data.
- We don't send marketing email unless you opt in.
- We don't reveal a gifter's identity to other gifters, or to the owner before the event date.
Service providers
We rely on a few third parties to run wish.mv. They process limited data on our behalf:
- Google for OAuth sign-in.
- Neon hosts the Postgres database.
- Cloudflare R2 stores uploaded images and receipts.
- Our hosting provider serves the web app.
Affiliate links
Some outbound product links (for example, Amazon) may include an affiliate tag. If you buy through one, we may earn a small commission at no extra cost to you. Affiliate tagging never changes what you see or the price you pay.
Your choices
- You can edit or delete your wishlists, items, and groups at any time.
- You can delete your account by contacting us at hello@wish.mv. Deletion cascades to your wishlists, items, claims, group memberships, and assignments.
- If you're in a jurisdiction that grants additional data rights (GDPR, CCPA, etc.), you can exercise them by emailing us.
Security
Sign-in is handled by Google OAuth, so we never see or store your password. Connections to the Service use TLS, and uploaded files live in private storage served through time-limited links. No system is perfectly secure, so if you spot a security issue, please let us know.
Children
wish.mv is not directed at children under 13. We don't knowingly collect data from them. If you believe we have, contact us and we'll delete it.
Changes
We may update this policy from time to time. Material changes will be announced via a notice in the app or by email.
Contact
Questions about this policy? Email hello@wish.mv or send feedback.