Privacy Policy

WishVendor Ltd operates the WishVendor website and services. If you have questions about this policy or want to exercise your rights, contact privacy@wishvendor.com.

Account data

• Email address
• Password (stored as a one-way bcrypt hash — we can never see your plain-text password)
• Display name and handle (if you set them)
• Profile image you upload
• Display currency preference

Creator data (if you receive gifts)

• Wishlist items, descriptions, and images you upload
• Shop item listings (if you sell physical goods)
• Stripe Connect account identifier (we never see your bank details — Stripe holds those directly)
• Balance and payout records in our ledger
• Thank-you notes you write to gifters, including any photo you attach

Gifter / buyer data

• Email address (to deliver receipts and thank-you notes)
• Optional name ("from") and message you provide
• For Shop orders: shipping address and phone number collected by Stripe Checkout and passed to us so the seller can post the item

We never see or store full card numbers, CVV, or bank details. Payment is handled entirely by Stripe.

Technical data

• IP address and approximate country (used to infer your display currency and for fraud/abuse protection)
• Browser type, device type, and timestamps of your requests
• A session cookie (authjs.session-token) so we can keep you signed in
• A currency preference stored in your browser (localStorage key wishvendor:displayCurrency)

Under UK GDPR, we rely on the following lawful bases:

• Contract — to create your account, process gifts and purchases, deliver emails, and run payouts.
• Legitimate interests — fraud prevention, securing the platform, improving the service, processing chargebacks or disputes.
• Legal obligation — tax and accounting records, responding to lawful requests from authorities.
• Consent — where you explicitly opt in, such as marketing emails. We do not currently send marketing; if we start to, you will be asked first and can withdraw at any time.

We share personal data only with the following categories of recipients:

• Stripe— our payment processor. Handles checkout, card storage, payouts, and KYC for creators. See Stripe's privacy policy.
• Resend — our transactional-email provider, used to deliver receipts, thank-you notes, password-reset links, and similar.
• Ship24 — our tracking-validation provider, used only to check seller-supplied tracking numbers for Shop orders.
• Our hosting providers — Vercel (app and cron) and the underlying cloud infrastructure.
• Recipients of gifts and purchases— creators see the email address, optional name/message, and (for Shop orders) shipping address of the buyer. Gifters see the creator's display name and thank-you reply.
• Law enforcement or regulators — where we are legally required to disclose data in response to a valid request.

We do not sell personal data, and we do not share it with advertisers.

Some of our processors (Stripe, Resend, Ship24, Vercel) are based outside the UK. Where personal data is transferred outside the UK, we rely on UK-approved transfer mechanisms such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with UK addendum, and we require the recipient to apply safeguards at least equivalent to those required by UK GDPR.

• Account data — for as long as your account is open. On deletion we remove personally identifying fields; we retain a hashed tombstone and the financial records required by law (see below).
• Orders, payouts, and ledger entries — retained for at least six years to comply with HMRC record-keeping requirements.
• Email logs — retained by our email provider for up to 90 days.
• Access logs — retained for up to 90 days for fraud and abuse investigation.

Under UK GDPR you have the following rights in respect of your personal data:

• the right to be informed (this policy)
• the right of access (to a copy of your data)
• the right to rectification (correction of inaccurate data)
• the right to erasure (“right to be forgotten”), subject to our legal retention obligations
• the right to restrict processing
• the right to data portability
• the right to object to processing based on legitimate interests
• the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have mishandled your data

To exercise any of these rights, email privacy@wishvendor.com. We respond within one month (UK GDPR Article 12).

Passwords are stored as bcrypt hashes. Payment card data never touches our servers. Connections are encrypted via TLS. Access to our production database is restricted to a small number of authorised personnel. We log and monitor sensitive actions through a tamper-evident audit log.

No system is 100% secure. If a data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected users as required by law.

We use a minimal set of first-party cookies and localStorage keys:

• authjs.session-token — signed-in session, HTTP-only
• wishvendor:displayCurrency — your currency preference
• wishvendor:cart — in-progress cart items (cleared after checkout)

We do not use third-party advertising cookies or cross-site tracking pixels. Stripe Checkout may set its own cookies on its checkout.stripe.com domain when you pay — see Stripe's privacy policy for details.

WishVendor is not intended for anyone under 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, contact us and we will delete it.

We may update this policy from time to time. If we make material changes we will notify you by email and/or through a notice on the site before they take effect. The most current version supersedes all previous versions.

Questions about this policy, or want to exercise your rights? Email privacy@wishvendor.com.

Effective as of April 16, 2026