Privacy Policy
Effective Date: April 1, 2026
Last Updated: May 16, 2026
1. Introduction and Data Controller Details
This Privacy Policy explains how Mészáros Tamás Gábor ("Controller", "we", "us") collects, processes, and protects personal data in connection with the WishBloom mobile and web application ("App"), in accordance with Regulation (EU) 2016/679 ("GDPR") and the Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
| Controller Name | Mészáros Tamás Gábor |
| Address | 2053 Herceghalom, Kiserdő út 6., Hungary |
| stormstudio00@gmail.com | |
| App Name | WishBloom – Gift List & Registry |
2. Categories of Data, Purposes, and Legal Bases
| Processing Activity | Categories of Personal Data | Purpose | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|---|
| Account Registration & Login (email/password) | Email address, username, password hash (handled by Firebase Auth) | Account creation, authentication | Art. 6(1)(b) – Contract | Until account deletion |
| Account Registration & Login (OTP/passwordless) | Email address, username, one-time code hash (stored server-side, deleted after use) | Passwordless authentication | Art. 6(1)(b) – Contract | OTP: deleted immediately after use; account: until deletion |
| User Profile | Display name / username, profile photo (stored in Firebase Storage), share code, birthday (optional), selected currency, selected language | Personalisation, social features, friend connections | Art. 6(1)(b) – Contract | Until account deletion |
| Wishlists & Gift Items | List names, item titles, descriptions, estimated prices, shop URLs, item images (stored in Firebase Storage), priority settings | Providing core wishlist functionality | Art. 6(1)(b) – Contract | Until account deletion or item deletion |
| Gift Sharing | Share code, shareable link, wishlist visibility settings | Enabling users to share lists with friends or publicly | Art. 6(1)(b) – Contract | Until account deletion |
| Friend Requests | Sender's name, sender's email address, recipient's email address, request status | Social connection features | Art. 6(1)(b) – Contract | Until friend connection is removed or account is deleted |
| Gift Contributions | Contributor's user ID, contribution amount, item and owner identifiers | Group gifting feature; hidden from gift recipient by technical design | Art. 6(1)(b) – Contract | Until contribution is removed or account is deleted |
| Push Notifications | Firebase Cloud Messaging (FCM) device token | Sending notifications about friend requests, gift reservations, and birthdays | Art. 6(1)(a) – Consent | Until notification permission is revoked or account is deleted |
| Birthday (optional) | Date of birth (day and month) | Sending birthday reminders to the user and their friends | Art. 6(1)(a) – Consent | Until removed by user or account is deleted |
| Link Import / AI Features | URLs submitted by the user; hobby, style, budget, personality, occasion preferences submitted via Gift Quiz | Automatic product data extraction; AI-generated gift idea suggestions | Art. 6(1)(b) – Contract | Not stored permanently; processed in real time |
| Product Image Scan (Pro) | Image uploaded by the user | Product identification via AI (Gemini Vision) | Art. 6(1)(b) – Contract | Not stored; processed in real time and discarded |
| Payment Processing (Pro Subscription) | Payment card data, billing details (processed exclusively by Stripe or PayPal; we do not receive raw card data), Stripe/PayPal customer ID stored in a restricted subcollection | Processing subscription payments for Pro features | Art. 6(1)(b) – Contract | As required by applicable accounting law (typically 8 years) |
| Firebase Analytics | Anonymised usage events (e.g., screen views, feature interactions), Firebase Installation ID | Understanding aggregate app usage; no personally identifiable information is logged | Art. 6(1)(f) – Legitimate Interest | Up to 14 months (Google Analytics default) |
| Rate Limiting & Abuse Prevention | Email address (hashed/sanitised as document key), timestamps of API calls; user ID and action type | Preventing spam, brute-force OTP attacks, and API abuse | Art. 6(1)(f) – Legitimate Interest | Max 24 hours (records expire automatically) |
| System Logs | IP address, device OS version, error logs | Security monitoring, debugging | Art. 6(1)(f) – Legitimate Interest | 30–90 days |
| Coming-Soon Newsletter | Email address | Notifying subscribers about the app launch | Art. 6(1)(a) – Consent | Until consent is withdrawn |
3. Data Processors
We engage the following third-party processors to provide the Service. All processors are bound by data processing agreements and applicable law.
| Processor | Role | Data Processed | Location |
|---|---|---|---|
| Google Ireland Limited (Firebase Auth, Firestore, Firebase Storage, Firebase Cloud Messaging, Firebase Analytics) | Primary infrastructure, authentication, database, file storage, analytics | All user data listed above | EU (primary); may involve US-based Google LLC infrastructure under SCCs |
| Stripe, Inc. | Payment processing | Payment card data, billing information, Stripe customer ID | USA – covered by Standard Contractual Clauses (SCCs) |
| PayPal Holdings, Inc. | Payment processing (alternative) | Payment data, PayPal subscriber ID | USA – covered by Standard Contractual Clauses (SCCs) |
| Google LLC (Gemini API) | AI-powered gift idea generation and product image recognition | Quiz preferences, product images (transient, not stored) | USA – covered by Standard Contractual Clauses (SCCs) |
| Scrape.do | Web scraping proxy for product data extraction | Product page URLs (no personal data) | EU/USA (varies by instance) |
| Nodemailer / Gmail SMTP (via Google Workspace) | Sending OTP authentication emails | Email address, OTP code (hashed before storage) | Google infrastructure |
| Newsletter Provider | Coming-soon subscription emails | Email address | Subject to applicable DPA |
International Data Transfers
Some processors (Stripe, PayPal, Google Gemini API) operate primarily in the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) adopted under Commission Decision (EU) 2021/914, ensuring an adequate level of protection.
4. Data We Do NOT Collect
- We do not collect raw passwords. Passwords are managed exclusively by Firebase Authentication using industry-standard hashing.
- We do not collect payment card numbers, CVV codes, or bank account details. These are processed exclusively by Stripe or PayPal.
- We do not sell, rent, or trade personal data to third parties for marketing purposes.
- We do not use personal data (names, emails, wishlist contents) as inputs to analytics events.
5. Data Security
We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR, including:
- Encryption in transit: All data is transmitted over HTTPS/TLS.
- Encryption at rest: Firebase (Google Cloud) encrypts stored data at rest.
- Access control: Firestore Security Rules restrict data access so users can only access their own data and data explicitly shared with them. Sensitive subcollections (billing, OTP codes, rate limits) are inaccessible to client applications.
- OTP security: One-time codes are SHA-256 hashed before storage and deleted immediately after use or expiry (5 minutes).
- Rate limiting: Automated abuse prevention limits OTP requests to 5 per email address per hour and restricts AI feature usage per user per minute.
- Principle of least privilege: The gift contribution feature is designed so that the gift recipient (list owner) cannot read who is contributing or how much.
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Email us at stormstudio00@gmail.com |
| Rectification (Art. 16) | Correct inaccurate data | Update in-app via Edit Profile, or email us |
| Erasure (Art. 17) | Request deletion of your account and data | Use "Delete Account" in the app, or email us |
| Restriction (Art. 18) | Request restricted processing | Email us |
| Data Portability (Art. 20) | Receive your data in a machine-readable format | Email us |
| Withdraw Consent (Art. 7) | Withdraw consent for notifications, birthday data, or newsletter at any time | Revoke notification permission in device settings; remove birthday in-app; unsubscribe from newsletter |
| Object (Art. 21) | Object to processing based on legitimate interest | Email us |
Requests will be responded to within 30 days in accordance with Art. 12 GDPR. We may ask you to verify your identity before fulfilling a request.
7. Data Retention Summary
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Wishlist and item data | Until deletion by user or account deletion |
| OTP codes | Deleted immediately after use, or after 5 minutes (expiry) |
| OTP rate limit records | Max 24 hours |
| API rate limit records | Max 24 hours |
| Push notification tokens | Until permission revoked or account deleted |
| Payment records (Stripe/PayPal IDs) | As required by law (typically 8 years) |
| Analytics data | Up to 14 months |
| System logs | 30–90 days |
| Newsletter subscriptions | Until consent withdrawn |
8. Children's Privacy
WishBloom is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data without appropriate consent, please contact us at stormstudio00@gmail.com and we will delete the data promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document. For material changes, we will notify users via in-app notification or email where required by law.
10. Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
- Address:1055 Budapest, Falk Miksa utca 9–11., Hungary
- Email:ugyfelszolgalat@naih.hu
- Website:www.naih.hu
You may also lodge a complaint with the supervisory authority in your country of residence or place of work within the EU.
11. Contact
For any questions, requests, or concerns regarding this Privacy Policy or your personal data:
- Name:Mészáros Tamás Gábor
- Email:stormstudio00@gmail.com
- App:WishBloom – Gift List & Registry