Wichtlify
Start on the web
Menu
Start on the web
Legal

Privacy Policy

Effective: 21 April 2026

1. Controller and contact

Philip Ullmann
Bürgerstrasse 22
4300 St. Valentin, Österreich
Email: kontakt@wichtlify.com
Web: https://wichtlify.com

For privacy requests, contact us at the email address above. This policy applies to wichtlify.com, the Web app, and the iOS and Android apps where they use Wichtlify backend services.

2. Short overview

Wichtlify processes personal data so you can create groups, invite members, run draws, manage wishes, receive notifications, and use Pro features.

Wichtlify is not intended to process special categories of personal data under Article 9 GDPR. Please do not enter such data in group names, free-text fields, wish descriptions, images, or messages.

3. Purposes and legal bases

  • Providing the platform: account, login, group administration, private roles, draw, wishes, invitations, notifications, and Pro entitlements under Article 6(1)(b) GDPR.
  • Consent: optional analytics cookies, push permission, certain email choices, and documented privacy confirmations under Article 6(1)(a) GDPR.
  • Legitimate interests: security, abuse prevention, error analysis, support, internal product measurement, and reliable service operation under Article 6(1)(f) GDPR.
  • Legal obligations: retention of accounting, tax, evidence, or security information where required under Article 6(1)(c) GDPR.

4. Data categories and features

We receive data from you, from group admins or organizers, from invited members, from your device or browser, from app-store and login providers, and from technical systems where this is needed for the relevant feature.

  • Account and authentication: name, email address, password hash, email verification, language, email settings, login tokens, app API tokens and, for Google or Apple login, provider ID, verified email address, and transmitted name. ID tokens are used for verification and are not stored as profile content.
  • Registration and groups: group name, event date, budget and currency, group type, settings, organizer name, organizer email, participant names, optional participant emails, exclusions, draw status, and consent records with timestamp, IP address, and source.
  • Invitations and private roles: private links, invitation tokens, claim links, access tokens, held invitations, email confirmations, and states needed to assign a person to a group or private role.
  • Draw, wishes, and content: assignments, wish texts, wish images, partner questions and answers, public group overviews, visible wish lists, and optional group branding data such as colors or images.
  • Notifications: in-app notifications, email logs, reminders, broadcasts, push device identifiers, push tokens, platform, environment, access tokens, and delivery/read status.
  • Pro and purchases: product ID, platform, transaction or order identifier, purchase token, status, start, expiry, and cancellation dates, plus store payloads so Pro access can be verified and synchronized. Payment itself is handled by the App Store or Google Play.
  • Support, security, and operations: IP address, user agent, timestamps, rate-limit counters, error logs, system events, admin audit trails, and technical connection data.

5. Cookies, local storage, analytics, and internal measurement

  • Strictly necessary: session, CSRF, locale, and security functions are required for login, forms, language selection, private links, and app APIs.
  • Local storage: the Web app stores your cookie choice, for example consent.v2. Native apps store authentication and role information on the device where needed for use.
  • Google Tag Manager and Google Analytics 4: analytics is activated only if you consent. Without consent, we do not load Google tags for analytics and we do not set analytics cookies. If consent is withdrawn, existing analytics cookies are deleted on the device where the browser allows this.
  • Internal events: selected product and security events, such as supported feature clicks, notification clicks, or purchase-status events, are logged server-side in a limited way. This measurement supports stability, abuse prevention, and product improvement.
  • Change and withdrawal: you can change your cookie choice at any time in the banner or dialog. If no earlier cookie choice has been stored yet, browser or operating-system signals, including Global Privacy Control, are treated as a refusal of analytics where technically readable.

6. Recipients, processors, and external services

  • Hosting and operations: server operation, database, and storage are provided by easyname GmbH in Austria. Emails are sent through the configured Wichtlify email infrastructure.
  • Email: transactional emails, invitations, reminders, confirmations, and broadcasts are sent through Wichtlify email infrastructure. The recipient email providers process emails independently.
  • Google services: Google Ireland Limited and affiliated Google companies may be involved for Google Tag Manager, Google Analytics, Google Sign-In, Firebase Cloud Messaging, Firebase Authentication in certain mobile login flows, Android services, and Google Play/Billing.
  • Apple services: Apple group companies may be involved for Sign in with Apple, Apple Push Notification service, App Store, StoreKit, and iOS system services.
  • App stores: purchases and subscription management happen directly through Apple App Store or Google Play. Wichtlify receives only the purchase and status data required for entitlement checks.
  • External links: when you open links to gift ideas, shops, app stores, or other external pages, the respective provider processes your data under its own responsibility.
  • Authorities and enforcement: data is disclosed only where legally required, necessary to enforce claims, or based on your consent.

7. Transfers outside the EEA

Part of the processing takes place within the EEA. Services from Google, Apple, or other global providers may nevertheless transfer data to the United States or other third countries.

Where required, we rely on adequacy decisions, in particular the EU-US Data Privacy Framework for certified recipients, Standard Contractual Clauses under Article 46 GDPR, or other permitted safeguards. A residual risk of access by third-country authorities cannot be fully excluded.

8. Retention and deletion

  • Accounts: account data remains stored until you delete your account or deletion is carried out under the product rules, unless statutory retention duties apply.
  • Groups and members: group, participant, invitation, draw, and wish data remains stored while the group is used, until deletion, or until retention is no longer required.
  • Images and branding: wish images and branding images are deleted or replaced when the related feature, group, or file is deleted, unless a backup or mandatory retention remains for a short period.
  • Tokens and codes: magic codes, confirmation links, invitation tokens, API tokens, and push mappings are deleted or deactivated after expiry, withdrawal, logout, device removal, or technical cleanup.
  • Logs: server, error, rate-limit, email, and security logs are kept only as long as needed for operation, evidence, security, abuse prevention, or legal duties.
  • Subscriptions and purchase data: purchase and entitlement data is stored for the entitlement period and afterwards as long as evidence, support, accounting, or legal claims require.
  • Analytics: analytics data follows the retention settings configured in Google Analytics and your consent. You can withdraw future processing through the cookie settings.

9. Required and optional data

Data required for an account, group, private role, invitations, draw, notifications, or Pro access must be provided if you want to use those features. Without it, the relevant feature cannot be provided or can only be provided in a limited way.

Optional choices such as certain email settings, push permission, wish images, branding, partner questions, or analytics consent can be declined or changed later without losing the basic functions entirely.

10. Automated draw

The draw creates game assignments for the group. It is not automated decision-making with legal or similarly significant effects under Article 22 GDPR. Wichtlify does not create personality profiles for advertising or scoring.

11. Security

Wichtlify protects data through HTTPS, access controls, role- and token-based access, password hashing, private storage for uploads, rate limits, logging of security-relevant events, and regular technical maintenance. No system can guarantee absolute security; we limit access to what is necessary.

12. Your rights

Subject to the GDPR, you have rights of access, rectification, deletion, restriction of processing, data portability, and objection. You may withdraw consent at any time with effect for the future.

Where processing is based on legitimate interests, you may object for reasons arising from your particular situation. You may object to direct marketing at any time.

To exercise your rights, email kontakt@wichtlify.com. We may request additional information where needed to verify your identity and identify the affected data safely.

13. Right to lodge a complaint

You may lodge a complaint with a data protection supervisory authority, in particular the Austrian Data Protection Authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Web: https://www.dsb.gv.at
Email: dsb@dsb.gv.at

14. Changes

We update this privacy policy when features, providers, the law, or processing activities change. The current version is available on this page.