Privacy Policy
How WantThis collects, uses, and protects your personal data. We believe in transparency and keeping things simple.
Last updated: 11 March 2026
1. Who we are
WantThis (wantthis.co.uk) is a wishlist and gift list service operated in the United Kingdom. When we say “we”, “us”, or “our”, we mean the operators of WantThis. We are the data controller for the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018).
2. Data we collect
We collect only the data necessary to provide the service:
Account information
- Email address, display name, and password hash when you register directly.
- If you sign in via Google or Apple OAuth, we receive your email, name, and (for Google) profile picture URL from the provider. We also store a provider-specific identifier to link your account.
- Account status flags (active, verified) and timestamps (last login, email verification date).
Lists and items
- List titles, descriptions, share tokens, and settings you configure.
- Items you add: titles, descriptions, URLs, images, prices, currency, priority, notes, categories, tags, quantity, and display order.
- Item metadata extracted from retailer URLs (canonical URL, retailer domain, product key) to provide product previews.
Price tracking
- When you enable price tracking, we store price history records (old price, new price, price source, timestamps) and your alert threshold percentage.
- Price check status and any error messages to help diagnose tracking issues.
Notifications
- In-app notification records (type, title, message, read status) for price drop alerts and system messages.
- If you opt in to push notifications, we store your Web Push subscription endpoint, encryption keys, and user agent string.
Affiliate click tracking
- When you click through to a retailer, we may record the click for affiliate attribution: the original URL, affiliate URL, retailer domain, affiliate method, and a random click identifier.
- We store a hashed version of your IP address (not the raw IP) and your user agent string for fraud prevention. No personal identity is linked to click records.
Cookies and local storage
- Authentication tokens (JWT) — stored in local storage to keep you signed in.
- Locale preference — your chosen language/currency setting.
- Push notification dismissal — a timestamp in local storage to remember if you dismissed the push prompt.
Third-party app access
- If you authorise a third-party application (e.g. ChatGPT, Claude) via OAuth, we store the app name, granted scopes, and hashed access tokens. We never share your password with third parties.
3. Legal basis for processing (UK GDPR)
We process your personal data under the following legal bases:
- Contract performance (Article 6(1)(b)) — processing your account information, lists, items, and price tracking data is necessary to provide the WantThis service you signed up for.
- Legitimate interest (Article 6(1)(f)) — affiliate click tracking and anonymised usage analytics help us fund and improve the service. We balance this against your privacy by hashing IP addresses and not building personal profiles.
- Consent (Article 6(1)(a)) — push notifications are only sent after you explicitly opt in. You can withdraw consent at any time by disabling notifications in your browser or device settings.
4. How we use your data
- To provide, maintain, and improve the WantThis service.
- To send transactional emails you have opted into (magic links, welcome emails, price drop alerts, Secret Santa invitations).
- To send push notifications about price drops and other alerts, if you have subscribed.
- To extract product metadata (title, price, image) from URLs you provide, solely to populate your wishlist items.
- To track prices over time and alert you when prices drop below your threshold.
- To enable authorised third-party applications to manage your wishlists on your behalf, within the scopes you approve.
- To attribute affiliate commissions that help fund the service, at no extra cost to you.
5. Third-party services
We use the following third-party services to operate WantThis:
| Service | Purpose | Data shared |
|---|---|---|
| Render | Hosting (API and database) | All service data (stored on Render infrastructure) |
| Resend | Transactional email delivery | Email address, email content |
| Google OAuth | Sign in with Google | Email, name, profile picture (received from Google) |
| Apple OAuth | Sign in with Apple | Email, name (received from Apple) |
| Web Push (browser) | Push notifications | Push subscription endpoint and encryption keys |
| Browserless / ScrapingBee | Price checking and metadata extraction | Product URLs only (no personal data) |
| Amazon Associates | Affiliate programme | Affiliate link click (no personal data sent by us) |
| AWIN | Affiliate network | Affiliate link click (no personal data sent by us) |
| ShareASale | Affiliate network | Affiliate link click (no personal data sent by us) |
We do not use advertising cookies, behavioural tracking, or analytics services that profile you across other websites.
6. Data sharing
We do not sell your personal data. We share data only in these limited circumstances:
- Shared wishlists — when you share a list via its link, recipients can see item names, descriptions, images, and prices. They cannot see your email or account details.
- Authorised apps — third-party applications you explicitly authorise via OAuth can access your wishlists and items within the scopes you grant. You can revoke access at any time from your account settings.
- Service providers — as listed in section 5, solely to operate the service.
- Legal obligations — if required by law, regulation, or valid legal process.
7. Data security
We take security seriously. Passwords are hashed with bcrypt. OAuth tokens are stored as SHA-256 hashes. IP addresses in click tracking are stored only as hashes. All connections use HTTPS. Access to admin functions requires authenticated admin accounts. We conduct regular security reviews of our codebase.
8. Data retention
- Account and wishlist data — retained for as long as your account is active.
- Price history — retained while the item exists in your list, and deleted when the item or account is deleted.
- Affiliate click records — retained for up to 12 months for commission reconciliation, then deleted or anonymised.
- Push subscriptions — automatically removed after repeated delivery failures.
- Account deletion — if you delete your account, we will remove your personal data within 30 days. Anonymised, aggregated statistics may be retained for service improvement.
9. Your rights (UK GDPR)
Under UK data protection law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete personal data.
- Erasure — request deletion of your personal data (“right to be forgotten”).
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restrict processing — request that we limit how we use your data in certain circumstances.
- Withdraw consent — where we rely on consent (e.g. push notifications), you can withdraw it at any time.
- Revoke third-party app access — disconnect any authorised OAuth applications from your account settings at any time.
To exercise any of these rights, contact us at privacy@wantthis.co.uk. We will respond within one month as required by law.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
10. Cookies and local storage
WantThis uses only essential cookies and local storage. We do not use advertising or third-party tracking cookies.
| Name / Key | Type | Purpose | Duration |
|---|---|---|---|
| Auth tokens (JWT) | Local storage | Keeping you signed in | Until sign-out or token expiry |
| Locale preference | Local storage | Remembering your language/currency | Persistent |
| Push dismiss timestamp | Local storage | Remembering push notification prompt dismissal | 7 days |
11. Children
WantThis is not directed at children under 13. We do not knowingly collect personal data from children under 13. The Letters to Santa feature is designed to be used by parents or guardians on behalf of their children — the parent's account and email are used, not the child's. If you believe a child under 13 has provided us with personal data, please contact us and we will promptly delete it.
12. International data transfers
Some of our service providers (such as Render and Resend) may process data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place, such as the provider's compliance with UK adequacy regulations or standard contractual clauses.
13. Changes to this policy
We may update this privacy policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top of this page indicates the most recent revision.
14. Contact
If you have questions about this privacy policy or wish to exercise your data rights, contact us at: privacy@wantthis.co.uk