Last updated: March 24, 2026
1. Who We Are
Wish 2 Goal is a wishlist application that lets you create, manage, and share wishlists with friends and family. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service at wish2goal.app.
2. Data We Collect
We collect the minimum data necessary to provide the service:
Account Information
When you sign in via Google, Facebook, X, Apple, or email, we receive your email address, display name, and profile picture from the authentication provider. We do not receive or store your passwords.
Wishlist Content
The wishlists, items, and images you create. Images are stored securely in cloud storage and are only accessible via time-limited signed URLs.
Guest Interactions
When guests view a shared wishlist and select items, we store an anonymous guest token (a random identifier) in an HttpOnly cookie. No personal information is collected from guests.
Technical Data
Standard server logs may include IP addresses, browser type, and request timestamps. These are used solely for security monitoring and debugging, and are not linked to user accounts.
3. How We Use Your Data
- To authenticate you and maintain your session
- To store and display your wishlists and items
- To enable the "surprise mode" feature where guests can select items without the owner seeing
- To process AI-powered item extraction when you use the Magic Item feature (text is sent to OpenAI and is not stored by us beyond the request)
- To send transactional emails (magic link sign-in)
- To monitor and improve service reliability and security
4. Third-Party Services
We use the following third-party services to operate:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database, image storage | Account info, wishlist data, images |
| OpenAI | AI item extraction (optional) | Text input for item parsing only |
| Fly.io | Backend hosting | Server logs (IP, request data) |
| Vercel | Frontend hosting | Standard web analytics |
We do not sell, rent, or trade your personal data to any third party.
5. Cookies
We use the following cookies:
- Authentication session— Managed by Supabase to keep you signed in. Essential for the service to function.
- Guest token— An anonymous HttpOnly cookie used to track item selections on shared wishlists. Contains no personal information.
- Cookie consent— Remembers your cookie consent choice.
We do not use advertising or tracking cookies.
6. Data Retention
Your account data and wishlists are retained as long as your account is active. If you delete your account, all associated data (wishlists, items, images, selections) will be permanently deleted within 30 days. Server logs are retained for up to 90 days for security purposes.
7. Your Rights
Under GDPR and applicable privacy laws, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and all associated data
- Export your data in a portable format
- Withdraw consent for data processing at any time
To exercise any of these rights, contact us at privacy@wish2goal.app.
8. Data Security
We protect your data using industry-standard measures: all data is transmitted over HTTPS, passwords are never stored (authentication is delegated to OAuth providers), images are accessible only via time-limited signed URLs, and guest tokens use HttpOnly SameSite cookies to prevent cross-site attacks.
9. Children
Wish 2 Goal is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or your data, contact us at privacy@wish2goal.app.