Privacy policy
1. Responsible person
Philip Ullman
Buergerstrasse 22
4300 St. Valentin, Austria
Email kontakt@wichtlify.com
Web https://wichtlify.com
2. Purpose, scope and legal basis of processing
We process personal data to provide the web application “Wichtlify” and to organize group Secret Santa events.
- Provision of the platform / fulfillment of the contract (Art. 6 para. 1 lit. b GDPR)
- Consents (Art. 6 para. 1 lit. a GDPR), e.g. email notifications
- Legitimate interest (Art. 6 para. 1 lit. f GDPR), e.g. IT security, misuse and spam prevention, error analysis
- Web analysis (Google Analytics 4) – only with consent (Art. 6 para. 1 lit. a GDPR)
We use Google Analytics 4 (GA4) to measure reach and improve our offering. The integration takes place via Google Tag Manager. Google Tag Manager itself does not create user profiles and does not set its own cookies; it only manages the triggering of tags. Collection and analysis only take place if you agree via our cookie banner (Consent Mode v2). Without consent, no analysis cookies will be set.
3. Categories of personal data
- Group data: Group name, settings (self-registration, scrap gift mode, “everyone can see wishes”, email notifications), general info text, technical hashes (group_hash), timestamps (e.g. last draw, if available).
- Members: Name, optional email, wish text, exclusions, private link (private_hash), draw assignments (who draws whom; additionally for scrap gift mode, if enabled).
- Registrations: Information on group creation including double opt-in (email, confirm_token), selected options, IP address/user agent when the request is submitted (to prevent misuse).
- Log data: Server log files (IP address, date/time, retrieved URL, status code, user agent, referrer), rate limit counter.
- Communication: Email content for system emails (draws, wish updates), including metadata (recipient, timestamp).
- Usage/device data (only if you consent to analysis): Page views, click paths, approximate location data (based on anonymized IP), browser/device information, language settings, screen resolution, referrer URL and technical measurements (e.g. loading times). In GA4, pseudonymous identifiers are used for this.
- Consent data: Your chosen consent (e.g. “Analytics: yes/no”) will be stored locally to take your preference into account on subsequent visits.
4. Function-specific notes
4.1 Registration & double opt-in
To create a group, we process the data you provide and send a confirmation email with a confirmation link. The group will only be created after confirmation.
4.2 Member management
Members can be created by the admin or – if self-registration is activated – register themselves. Each person receives a private link (private_hash) for their own view (maintain their wish, view the draw).
4.3 Wishes
By default, only the person randomly assigned sees the wish. If the admin activates the “Everyone can see wishes” option, the wishes will be visible to all group members.
4.4 Exclusions
Exclusions set by the admin or members will be taken into account in the draw. Changes made after the draw only take effect when the draw is repeated.
4.5 Scrap gift mode
If scrap gift mode is active, an additional person is drawn (preferably a different person than the “normal” Secret Santa assignment).
4.6 Email Notifications to Members
If enabled (“member notifications”), members with a stored email receive updates about the draw (including who they drew and the other person’s wish, if available) as well as new or updated wishes.
4.7 Web analysis / Google Analytics 4 (GA4, Consent Mode v2)
We use Google Analytics 4 from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GA4 will only be activated after your consent.
- No cookies without consent: With Consent Mode v2, analysis storage is “denied” until consent is given.
- With consent: GA4 uses cookies/IDs for pseudonymous reach measurement (see “Cookies & local storage”).
- No Google Signals/remarketing: We use neither Google Signals nor advertising features/remarketing.
- IP protection: GA4 does not log full IP addresses and, according to Google, anonymizes them by default.
- Revocation/Change: You can change your selection at any time under “Cookie Settings” (footer link).
5. Recipient/processor
- Hosting/server operation: easyname GmbH, Austria (provision of infrastructure, sending emails via hosting server).
- Email delivery: Internal mail server of the host.
- Web analysis: Google Ireland Limited (“Google Analytics 4” service). The necessary contracts for order processing (Art. 28 GDPR) exist with Google, including standard contractual clauses for any third-country transfers.
If necessary, contracts exist with processors in accordance with Article 28 of the GDPR.
6. Third country transfer
When using Google Analytics 4, data may be transferred to companies in the Google group in third countries (especially the USA). This is done on the basis of the EU standard contractual clauses (Article 46 GDPR). We only activate GA4 with your consent. Nevertheless, increased risks with international data flows (e.g. access by authorities) cannot be completely ruled out.
7. Storage period
- Groups & Members: until deleted by the admin or until completion/fulfillment of purpose (e.g. manual deletion after Secret Santa).
- Registrations (unconfirmed): usually automatic deletion after 30 days.
- Server logs: for IT security and error analysis
- Rate limit/spam protection: short-term counters (for technical reasons), e.g. in the range of minutes/hours.
- Email communication: Metadata in accordance with legal retention periods.
- Analytics data (only with consent): Event/usage data in GA4 is retained for 14 months by default according to our property setting.
8. Cookies & Local Storage
- consent.v1 (localStorage): Remembers your cookie settings. Purpose: consent management. Duration: persistent until change/deletion.
- Technically required cookies (always active): PHPSESSID (session cookie): assignment of the session; is deleted when the browser is closed/session timeout. CSRF token (server-side): Protection against form misuse.
- Analysis cookies (only with consent):
- _ga: distinguishes users, duration: up to 2 years.
- ga: session/event status, duration: up to 2 years.
- Change/revoke consent: You can adjust your selection at any time using the “Cookie Settings” link in the footer.
9. Necessity of Provision
The provision of certain data is required to use the service (e.g. group name, member names). Email is optional but required for notifications.
Consent to analysis is voluntary and not required to use the core functions.
10. Security
We protect data through technical and organizational measures (including TLS encryption, access restrictions, hash-based private links). Please do not share your private link with third parties.
11. Rights of data subjects
You have the right to information (Art. 15), correction (Art. 16), deletion (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR). You can revoke your consent (Art. 6 Para. 1 lit. a) at any time with future effect.
You can revoke your consent (analytics) at any time with future effect via “Cookie Settings”.
To exercise your rights, simply send an email to kontakt@wichtlify.com. We may require additional information for identification.
12. Right to complain
You can complain to a data protection supervisory authority. Responsible in Austria:
Austrian data protection authority
Barichgasse 40-42, 1030 Vienna
Web https://www.dsb.gv.at
dsb@dsb.gv.at
13. Changes to this Statement
We adapt this data protection declaration if services, legal situations or technical standards change. The current status can be viewed on this page.
As of: October 19, 2025