GDPR Compliant
Privacy Policy

Last updated: December 31, 2025

At WishBubble, we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller

WishBubble is the data controller responsible for your personal data. We are based in Belgium and process your data in accordance with EU data protection law. For any privacy-related inquiries, contact us at privacy@wish-bubble.app.

Legal Basis for Processing

Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

  • Consent: For optional features like marketing emails and non-essential cookies, we ask for your explicit consent.
  • Contractual necessity: To provide our service, we need to process certain data (e.g., your email for account creation).
  • Legitimate interests: For security, fraud prevention, and service improvement, balanced against your rights.
  • Legal obligations: To comply with applicable laws (e.g., tax regulations, court orders).

Information We Collect

We collect only the data necessary to provide our service. We practice data minimization and do not collect more than we need.

Information you provide

  • Account information: Email address, name, and password (hashed)
  • Profile information: Optional profile picture
  • Content: Wishlists, wishes, Bubble memberships, and claims you create
  • Communications: Messages you send to support

Information collected automatically

  • Device information: Browser type, operating system, device type
  • Usage data: Pages visited, features used, timestamps
  • Cookies: As described in our Cookie Policy (with your consent for non-essential cookies)

How We Use Your Information

We use your data to: (1) Provide and maintain our service, including account management and wishlist functionality; (2) Send transactional emails (password resets, invitations); (3) Send notification emails if you opt in; (4) Analyze usage to improve our service (anonymized/aggregated where possible); (5) Ensure security and prevent fraud; (6) Comply with legal obligations.

Information Sharing

We do not sell your personal data. We only share your information with trusted third parties who help us operate our service, and only to the extent necessary.

Our data processors

  • Vercel (USA) - Hosting and infrastructure
  • Resend (USA) - Transactional email delivery
  • Google OAuth (USA) - Social login (optional)

International Data Transfers

Some of our service providers are based in the United States. We ensure appropriate safeguards are in place for any international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we verify that recipients maintain adequate data protection standards.

Data Security

We implement industry-standard security measures including: encrypted data transmission (HTTPS/TLS), secure password storage using bcrypt hashing, access controls and authentication, regular security reviews, and secure hosting infrastructure. While no system is 100% secure, we continuously work to protect your data.

Data Retention

We retain your personal data only as long as necessary: active accounts are retained while in use; deleted accounts have their data permanently removed within 30 days; backup data is purged within 90 days; anonymized analytics data may be kept indefinitely. You can request deletion at any time through your account settings.

Your Rights Under GDPR

As an EU resident, you have the following rights regarding your personal data:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure (Right to be forgotten): Request deletion of your personal data
  • Right to restriction: Limit how we process your data
  • Right to data portability: Receive your data in a machine-readable format (JSON)
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, use the options below or contact privacy@wish-bubble.app. We will respond within 30 days.

Cookies and Tracking

We use cookies for essential functionality and, with your consent, for analytics and preferences. You can manage your cookie preferences at any time. View our Cookie Policy.

Children's Privacy

WishBubble is not intended for children under 16. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child under 16, please contact us immediately and we will delete it.

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on our website. The 'last updated' date at the top indicates when the policy was last revised.

Supervisory Authority

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) or your local supervisory authority.

Contact Us

For privacy-related questions, data requests, or concerns, please use our contact form. We aim to respond to all inquiries within 30 days.