•

Email address (required for sign-in via email/password and for receiving sign-up confirmation codes; optional via Sign in with Apple if you choose private relay).

•

Password hash (never the cleartext password — we use Supabase Auth's PBKDF2 hashing).

•

Display name, bio text, birthday, avatar image, locale, timezone, and account privacy preference that you enter on the profile screen.

•

Wishlists (titles, privacy level, ordering).

•

Wishes (text, optional image, optional link with auto-fetched preview metadata, tags, completion / reservation state).

•

Gift ideas you save for friends.

•

Friend graph data — pending and accepted friendship requests between you and other users.

•

Activity events generated by your actions (reservations, completions, friend events) for the in-app activity feed.

•

Block list and abuse reports you submit through the moderation flow.

•

Authentication tokens (access and refresh tokens) stored on your device only, in the platform secure store (iOS Keychain / Android Keystore). They never leave the device.

•

Crash reports through Sentry — stack traces, device model, OS version, app version. Personally identifiable strings (email, password, authentication tokens, free-form text fields named name, note, content, message, body, title, description) are stripped on the client before they are sent.

•

Product analytics through PostHog — anonymous event names and shape-only properties (e.g. "wish_added" with wish_id and wishlist_id but never with the wish title or body). Strict schemas enforced at the client reject any unknown property, including PII.

•

Authentication identifiers from third parties when you choose to sign in with them (see "Third-party sign-in" below).

•

We do not collect your contacts, calendar, photos library outside what you explicitly attach, microphone, camera (the App does not use it), precise location, or advertising identifiers (IDFA / GAID).

•

To provide the core features: creating an account, storing your wishlists, sharing them with friends, sending and accepting friend requests, reserving gift ideas.

•

To send you sign-up confirmation, password-reset, and friend-request emails (transactional).

•

To diagnose crashes and improve reliability.

•

To understand which features are used and where users drop off.

•

To enforce our Terms of Service and respond to abuse reports.

•

Performance of a contract — for everything required to run the account and the wishlist features.

•

Legitimate interest — for crash reporting and aggregated product analytics, balanced against the opt-out controls described below.

•

Consent — for any feature you must explicitly enable (none in the current version, but reserved for future features).

•

Legal obligation — to retain abuse reports as long as required for moderation review.

•

Supabase (hosted Postgres + Storage + Auth + Edge Functions). Your account data, content, friend graph, and uploaded images live here. Region: European Union (eu-west-2, London).

•

Sentry (sentry.io) — crash data only. PII is stripped on the client before transmission.

•

PostHog (eu.i.posthog.com — EU instance) — product-analytics events.

•

Apple and Google when you sign in with their respective providers — they receive only the identifiers needed to confirm your identity. Apple's Hide-My-Email private relay is supported.

•

Microlink.io (free tier) — when you paste a URL into a wish, the link is sent to microlink.io to fetch a preview (title, description, image). Only the URL leaves the App; nothing tied to your account is attached.

•

Account data and content — until you delete your account.

•

Crash reports — Sentry default retention (90 days).

•

Analytics events — PostHog default retention (1 year for events, indefinitely for derived aggregates).

•

Abuse reports — kept as long as required for moderation review and any follow-up enforcement.

•

Access the data we hold about you — request a copy at support@wish-scape.com.

•

Correct profile fields directly from the Edit Profile screen.

•

Delete your account and all associated data from inside the App (Profile → Danger zone → Delete account). The action wipes your wishlists, gift ideas, friendships, blocks, reports, and uploaded images, then removes your authentication record.

•

Object to analytics processing — turn off "Help improve WishScape" in Profile, which puts the analytics SDK into opt-out mode.

•

Port your data — request an export at support@wish-scape.com.

•

Lodge a complaint with your local data-protection authority.