1. Introduction
Welcome to ThingsFor.Me ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wishlist and gift registry platform.
Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site.
2. Information We Collect
2.1 Information You Provide Directly
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Email address, name, username | Create and manage your account |
| Wishlist Content | Item names, URLs, prices, images | Provide wishlist functionality |
| Reservation Data | Guest name, email, items reserved | Enable gift coordination |
| Communications | Support messages, feedback | Respond to your inquiries |
2.2 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Data | Pages viewed, features used | Improve our service |
| Device Information | Browser type, device type | Optimize for your device |
| Log Data | Access times, error logs | Security and troubleshooting |
2.3 Information from Third Parties
- OAuth Providers: When you sign in with Google, we receive your email and profile name
- Affiliate Partners: When you click affiliate links, partners may share purchase confirmation (no personal details)
3. How We Use Your Information
3.1 Provide Our Services
- Create and manage your account
- Enable wishlist creation and sharing
- Process gift reservations
- Send reservation notifications and reminders
3.2 Improve Our Services
- Analyze usage patterns to enhance features
- Fix bugs and technical issues
- Develop new features based on user behavior
3.3 Communicate With You
- Send service-related emails (reservation confirmations, reminders)
- Respond to support requests
- Send marketing communications (only with your consent)
3.4 Ensure Security
- Detect and prevent fraud
- Enforce our Terms of Service
- Protect against spam and abuse
4. Legal Bases for Processing (GDPR Article 6)
If you are in the European Economic Area (EEA), we process your data under these legal bases:
| Legal Basis | Data Processed | Examples |
|---|---|---|
| Contract Performance | Account data, wishlist content | Providing the service you signed up for |
| Legitimate Interest | Usage data, security logs | Improving service, preventing fraud |
| Consent | Marketing emails | Promotional communications |
| Legal Obligation | Transaction records | Tax and regulatory compliance |
5. Information Sharing
We do NOT sell your personal information. We share data only in these circumstances:
5.1 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting | All stored data (encrypted) |
| Vercel | Website hosting | Request logs |
| Brevo | Email delivery | Email addresses, notification content |
| Plausible | Analytics | Anonymized, aggregate data only |
| Cloudflare | Image hosting, CDN | Uploaded images |
5.2 Affiliate Partners
When you click an affiliate link, the retailer receives: referral source (ThingsFor.Me), product clicked, and an anonymous tracking ID. They do NOT receive your email, name, or account information.
5.3 Legal Requirements
We may disclose information if required to comply with legal process, enforce our Terms of Service, or protect our rights, privacy, safety, or property.
6. Your Rights (GDPR Articles 15-22)
You have the following rights regarding your personal data:
6.1 Right to Access (Article 15)
You can request a copy of all data we hold about you. Go to Settings → Privacy → Export My Data. We will respond within 30 days.
6.2 Right to Rectification (Article 16)
You can correct inaccurate personal data by editing your profile or contacting support.
6.3 Right to Erasure (Article 17)
You can request deletion of your account and data. Go to Settings → Account → Delete Account. Note: Some data may be retained for legal compliance (e.g., transaction records for tax purposes).
6.4 Right to Data Portability (Article 20)
You can download your data in a machine-readable format (JSON). Go to Settings → Privacy → Export My Data.
6.5 Right to Withdraw Consent (Article 7)
You can withdraw consent for marketing at any time via the unsubscribe link in emails, or in Settings → Notifications.
6.6 Right to Lodge a Complaint
You can file a complaint with your local data protection authority.
7. Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Active accounts | Until you delete | Account deletion request |
| Deleted accounts | 30 days | Permanent deletion after grace period |
| Guest reservations | 90 days | Auto-purge after event |
| Error logs | 30 days | Auto-purge |
| Analytics | Aggregated indefinitely | No personal data stored |
8. Cookies and Tracking
8.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| __session | Essential | Authentication | Session |
| csrf-token | Essential | Security | Session |
8.2 What We Don't Use
- No advertising cookies
- No third-party tracking pixels
- No cross-site tracking
8.3 Analytics
We use Plausible Analytics, which is cookieless (no consent required), privacy-focused (no personal data collected), and GDPR compliant by design.
9. Data Security
We implement appropriate technical and organizational measures:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest
- Access Control: Row-level security on all user data
- Authentication: Secure OAuth and magic link authentication
- Monitoring: Real-time security alerting
- Auditing: Regular security reviews
10. Children's Privacy
Our service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
11. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers are located. We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) and service provider data processing agreements.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email notification, by a prominent notice on our website, and by updating the "Last Updated" date.
13. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights:
Email: privacy@thingsfor.me
14. Additional Rights for California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect
- Right to Delete: Request deletion of your data
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: Equal service regardless of privacy choices
To exercise these rights, contact privacy@thingsfor.me.