Privacy Policy

Last updated: May 23, 2026

WantHave ("we," "us," or "our") operates the WantHave web application and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy applies to all users of the Service, including registered account holders and visitors who browse public pages (such as shared wishlists and user profiles) without creating an account. By accessing or using any part of WantHave, you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please do not use the Service.

The short version

  • We built WantHave to help you track what you want to buy and what you've bought, and to save you money.
  • We do not sell your personal information to anyone — ever. We make money through affiliate commissions when you click shopping links, and we never override your existing affiliate tags.
  • Our automated tools (email scanning, purchase detection, discount code extraction) are provided as-is and may occasionally make mistakes — miss an order, pull in a wrong email, or misread a price. Don't rely on WantHave as your sole record of purchases.
  • By using WantHave, you agree to resolve any disputes through individual binding arbitration rather than in court, and you waive the right to participate in class action lawsuits. See Section 10 for full details.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Profile photo (from your sign-in provider or uploaded by you)
  • Username and bio (optional, for your public profile)
  • Password (hashed and encrypted — we never store or see your actual password)
  • Social media handles (optional, for your public profile)
  • Referral source (if you signed up via a referral link)
  • Notification preferences and app settings

1.2 Email Data (Optional)

If you choose to connect your Gmail account, we access your inbox using read-only permissions. We cannot send, delete, or modify your emails.

We scan your emails to find:

  • Order confirmations and receipts
  • Shipping and delivery notifications
  • Discount codes and promotional offers
  • Return and refund confirmations

We only search for emails from known retailers and carriers. We do not read personal correspondence, and we do not store the full content of your emails. We extract structured data (vendor name, order number, items, prices, tracking numbers) and discard the raw email content. We do retain email metadata (sender address, subject line, date, and a short preview snippet) for deduplication and search purposes.

You can disconnect your Gmail at any time from the Integrations page. When disconnected, we stop accessing your inbox immediately.

1.3 Purchase and Shipping Data

We store information about your purchases, including:

  • Vendor name, order numbers, and purchase category
  • Items purchased (names, prices, quantities, images, product identifiers like Amazon ASINs)
  • Shipping carrier, tracking numbers, and delivery address (when available from emails)
  • Delivery status, estimated delivery dates, and approximate delivery location coordinates
  • Order amounts, refund amounts, and return deadlines
  • Purchase type classification (physical, digital, subscription, or service)

1.4 Wishlist and Shopping Data

When you create wishlists and add items, we store:

  • List titles, descriptions, and settings
  • Item URLs, titles, prices, and images
  • Tags, notes, sizes, colors, and priorities you assign
  • Reservation information (who reserved an item for gifting)
  • Collaborator information (who you've invited to edit your lists)

If a non-registered visitor reserves a gift on a public list, we collect their name and email address (provided voluntarily) to facilitate the reservation. This data is stored with the reservation record and deleted when the list owner deletes their account.

1.5 Receipt & File Uploads

When you upload receipt images or PDFs:

  • Files are stored in encrypted private cloud storage (Vercel Blob) and are not publicly accessible
  • Only you (the authenticated account owner) can view or download your receipts
  • Receipt URLs cannot be shared — all access requires authentication
  • Image metadata (EXIF data including GPS coordinates and device information) is automatically stripped before storage
  • Files are validated for type integrity (magic byte verification) to prevent malicious uploads
  • Uploads are scanned using AI to verify they are legitimate receipts or purchase documents — non-receipt content and inappropriate material is automatically rejected
  • When you delete a purchase, all associated receipt files are permanently deleted from storage
  • We do not use your receipt images for training, advertising, or any purpose other than displaying them back to you

1.6 Analytics Data

We collect basic, anonymized usage data to improve the Service:

  • Pages visited (URL paths only — no personal data in query parameters)
  • Anonymous visitor counts using hashed IP addresses — we never store your actual IP address

We use our own first-party analytics system. We do not use Google Analytics, Meta Pixel, or other third-party tracking pixels unless you explicitly consent via our cookie settings.

1.7 Affiliate Click Data

When you click a shopping link on WantHave, we record:

  • The destination URL (the product page you're visiting)
  • Which affiliate program was used
  • The wishlist or page you clicked from
  • A hashed visitor identifier (not your IP address or personal information)

We never override your existing affiliate tags. If a product URL already contains an affiliate tag from another creator, influencer, or browser extension, we leave it intact. Your intent is always respected.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Create and manage your account
  • Automatically track your purchases and deliveries from email
  • Extract and store discount codes for your use
  • Match purchased items to your wishlists
  • Display your public wishlists and profile to others
  • Send notifications about price drops, deliveries, and friend activity (configurable)
  • Generate spending insights and purchase analytics for you
  • Earn affiliate commissions when you shop through our links (this keeps the Service free)
  • Monitor and prevent abuse of the Service

3. We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to anyone. Not to data brokers, advertisers, or any third party. This is a core principle of WantHave.

Our revenue comes from affiliate commissions — when you click a product link and make a purchase, the retailer pays us a small commission. This does not cost you anything extra, and your personal data is never part of the transaction.

4. Third-Party Services

We share limited data with the following service providers, solely to operate the Service:

4.1 Authentication Providers

Google, Apple, and Microsoft process your sign-in credentials. We receive your name, email, and profile photo from them. We do not share your WantHave data back to them.

4.2 Google / Gmail — Limited Use Compliance

If you connect Gmail, Google processes our read-only API requests (scope: gmail.readonly) to fetch your emails. Our use of Gmail data is governed by the following commitment, required by Google:

WantHave's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

In practice, this means for your Gmail data specifically:

  • The data is used only to provide the user-facing features of WantHave (purchase tracking, receipt archiving, discount-code organization).
  • The data is not transferred to any other party except as necessary to provide the service (see Section 4.5 for the one AI processor we use, where only email body text is sent without any identifier tying it back to you).
  • The data is not used for serving advertisements of any kind, including retargeting, personalized, or interest-based advertising.
  • Humans at WantHave do not read your Gmail data except where required to investigate a specific abuse report or to honor a user-initiated support request.

Raw email content (subject, sender, body snippet) is automatically deleted 90 days after receipt by a daily cron job. Parsed derivatives (your purchase history, shipment tracking, discount codes) are user-owned and retained until you delete them.

4.3 Shipping Carriers

We send tracking numbers to USPS, UPS, FedEx, DHL, and Amazon Logistics APIs to fetch delivery status. No personal information is sent — only the tracking number.

4.4 Affiliate Networks

When you click a shopping link, the destination retailer or affiliate network (such as Skimlinks, Amazon Associates, or Impact Radius) may set cookies on your browser to track the purchase for commission purposes. This is standard across affiliate-driven services. You can opt out via our cookie settings.

4.5 AI Processing (AWS Bedrock)

We use Anthropic's Claude model, run inside Amazon Web Services (AWS) Bedrock, to parse receipt emails into structured data. When we make an API call, we send only the email body text — we do not send your Gmail address, your WantHave user ID, the Gmail message ID, or any other identifier that would let AWS or Anthropic correlate the content back to you.

No training on your data. AWS Bedrock's terms explicitly exclude customer inputs from any model-training corpus. Anthropic, as the underlying model provider, operates as a sub-processor under AWS's Bedrock contract and receives no separate retention rights.

No AWS-side retention. AWS Bedrock's optional model-invocation logging is not enabled in our AWS account — no CloudWatch or S3 logging destinations are configured. That means AWS does not retain a copy of your prompts or completions either. Even if logging were ever enabled, our prompts contain no user identifiers, so any retained payload could not be tied back to a specific WantHave account.

We previously routed these calls through Anthropic's direct API. We requested enrollment in Anthropic's Zero Data Retention (ZDR) program on 2026-04-16; the request was denied. We migrated to AWS Bedrock on 2026-05-20 as the pre-committed fallback — this gives us a contract path (AWS's standard Data Processing Addendum + AWS Bedrock terms) and a verifiable no-retention posture inside our own AWS tenancy.

The Service automatically falls back to deterministic regex parsing when the AI call is unavailable or rate-limited.

4.6 Infrastructure

Our Service is hosted on Vercel (compute), Neon (database), and Upstash (caching). These providers process data on our behalf and do not use your data for their own purposes.

5. Cookies and Tracking

We use the following categories of cookies:

  • Essential (Required): Session authentication and consent preferences. Always on.
  • Analytics (Optional): Helps us understand how people use WantHave. Off by default.
  • Marketing (Optional): Personalized content and social features. Off by default.
  • Affiliate (Optional): Price tracking and shopping features across partner retailers. Off by default.

You can manage your cookie preferences at any time from Settings > Privacy or by clicking "Cookie Preferences" when the cookie banner appears.

6. Data Retention

  • Account data: While your account is active
  • Purchase data (parsed): While your account is active
  • Raw Gmail message fragments: 90 days (auto-purged daily)
  • Email sync run metadata: 180 days
  • Notifications: 90 days
  • Bug-report screenshots: 90 days
  • OAuth tokens (encrypted): Until you disconnect or delete account
  • Analytics data: 90 days (anonymized)
  • Price history: 90 days
  • Affiliate click data: 2 years

When you delete your account, all personal data is permanently deleted. This includes wishlists, purchases, email connections, discount codes, and all associated data. Anonymized analytics data (which cannot be linked back to you) may persist.

Consent records: When you agree to this Privacy Policy, we store a record of your consent including the date, policy version, and a cryptographic hash of your email address. If you later delete your account, this consent record is anonymized (your user ID is removed) but the hashed email, consent date, and policy version are retained. This is the minimum data required to demonstrate that consent was given, as permitted under GDPR's legitimate interest basis for legal compliance. These anonymized records cannot be used to identify you without your email address.

7. Your Rights

For All Users

  • Access — View all your data within the app at any time
  • Update — Edit your profile, wishlists, and purchases
  • Delete — Delete your account and all data from Settings
  • Disconnect — Disconnect Gmail to stop email scanning
  • Cookie control — Manage cookie preferences at any time

California Residents (CCPA)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the "sale" of personal information — we do not sell your data
  • Not be discriminated against for exercising your privacy rights

EU/EEA Residents (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability (export your data)
  • Withdraw consent at any time

Our legal basis for processing: (a) your consent (email scanning and optional cookies), (b) contract performance (providing the Service), and (c) legitimate interest (improving the Service and preventing abuse).

8. Data Security

We take security seriously. Our measures include:

  • All data transmitted via HTTPS with TLS encryption
  • Passwords hashed with bcrypt (12 rounds)
  • Security headers enforced (HSTS, X-Frame-Options, Content-Security-Policy)
  • Rate limiting on all API endpoints
  • OAuth tokens stored in our database with encryption at rest
  • No raw IP addresses stored — only cryptographic hashes
  • Input validation on all API routes

While we implement commercially reasonable security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

9. Service Provided "As Is"

WantHave is provided on an "as is" and "as available" basis, without warranties of any kind, either express or implied. We do not warrant that the Service will be uninterrupted, error-free, or completely accurate.

In particular, our automated email scanning and purchase detection features use a combination of pattern matching and AI to extract data from your emails. These tools may:

  • Miss some order confirmations, receipts, or shipping notifications
  • Incorrectly identify a non-purchase email as a purchase
  • Extract incorrect prices, item names, or order details
  • Fail to detect certain discount codes or gift cards
  • Attribute a purchase to the wrong vendor
  • Miss or misidentify tracking numbers or delivery status

We continuously improve these systems, but they are not a substitute for your own records. You should not rely solely on WantHave for financial record-keeping, tax reporting, or critical purchase tracking. We are not liable for any losses, missed deliveries, expired discount codes, or inaccurate data resulting from the automated nature of these features.

See Section 10 below for full details on limitation of liability and dispute resolution.

10. Dispute Resolution, Arbitration & Class Action Waiver

Please read this section carefully — it affects your legal rights.

By using WantHave, you agree to resolve disputes through binding arbitration rather than in court, and you waive your right to participate in class actions.

10.1 Mandatory Binding Arbitration

You and WantHave agree that any dispute, claim, or controversy arising out of or relating to this Privacy Policy, the Service, or your use of WantHave — including the determination of the scope or applicability of this agreement to arbitrate — shall be resolved exclusively through final and binding arbitration, rather than in court.

Arbitration shall be administered by JAMS (Judicial Arbitration and Mediation Services) under its Streamlined Arbitration Rules and Procedures, or by another mutually agreed-upon arbitration provider. The arbitration shall take place in the State of California, or at another mutually agreed location, and shall be conducted by a single arbitrator.

The arbitrator's decision shall be final and binding, and judgment on the award may be entered in any court of competent jurisdiction. The arbitrator may award the same damages and relief as a court, except that the arbitrator does not have the authority to award punitive damages or conduct class arbitration.

10.2 Class Action & Jury Trial Waiver

You agree that any dispute resolution proceedings will be conducted only on an individual basis and not as part of a class, consolidated, or representative action. You waive your right to participate in a class action lawsuit or class-wide arbitration against WantHave, its owners, officers, directors, employees, agents, partners, and affiliates.

You also waive your right to a trial by jury. If for any reason a claim proceeds in court rather than arbitration, both you and WantHave waive the right to a jury trial.

10.3 Limitation of Liability

To the maximum extent permitted by applicable law, WantHave and its owners, officers, directors, employees, agents, partners, and affiliates shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, goodwill, or other intangible losses, resulting from:

  • Your use of or inability to use the Service
  • Any errors, inaccuracies, or omissions in the automated email scanning, purchase tracking, or discount code detection features
  • Unauthorized access to or alteration of your data
  • Any third-party conduct on the Service
  • Any other matter relating to the Service

Our total aggregate liability for all claims arising out of or relating to the Service shall not exceed the greater of: (a) the total amount you have paid to WantHave in the twelve (12) months preceding the claim, or (b) one hundred U.S. dollars ($100.00). Because WantHave is provided as a free service, this amount may be $0.

10.4 Indemnification

You agree to indemnify, defend, and hold harmless WantHave and its owners, officers, directors, employees, agents, partners, and affiliates from any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from your use of the Service, your violation of this Privacy Policy, or your violation of any rights of a third party.

10.5 Exceptions

Nothing in this section shall prevent either party from seeking injunctive or other equitable relief in court for matters related to intellectual property, data security, or unauthorized access. Small claims court actions brought on an individual basis are also excluded from mandatory arbitration.

For EU/EEA residents: this arbitration clause does not limit your right to file a complaint with your local data protection authority under GDPR. Your statutory rights under EU consumer protection laws remain unaffected.

10.6 Governing Law

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of law provisions.

11. Children's Privacy

WantHave is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected such information, we will delete it promptly.

12. Account Termination

We reserve the right to suspend or terminate any account that violates our terms, engages in abusive behavior, or uses the Service in a manner harmful to other users or to WantHave. Upon termination for abuse, we are not obligated to retain your data and may delete it immediately.

13. Changes to This Policy

WantHave is a free service and we reserve the right to update this Privacy Policy or change our business model at any time. When we make material changes, we will notify you by email or through a prominent notice within the Service. Your continued use after changes constitutes acceptance of the updated policy.

If we ever change how we use your data in a material way (such as sharing data with new categories of third parties), we will seek your explicit consent before doing so.

14. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a data concern:

Email: privacy@wanthave.app

We aim to respond to all privacy requests within 30 days.


© 2026 WantHave. All rights reserved.