Privacy Policy
Last updated: 22 March 2026
Introduction
Protecting your personal data is a priority for Olaf Wishlist. This privacy policy informs you about how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
Data Controller
The data controller for personal data is:
Fabien Sintès
Email: contact@olaf-wishlist.com
Data Protection Officer (DPO)
For any questions regarding the protection of your personal data, you can contact our data protection officer at: contact@olaf-wishlist.com
Data Collected
In the course of using the Website and its services, we may collect the following data:
Account Data
- Email address
- Display name (username)
- Profile picture (optional)
- Date of birth (optional)
- Time zone (automatically detected at registration, editable in profile) — used to schedule notifications at appropriate times
- Birthday sharing preference (enabled by default) — your day and month of birth (not the year) are shared with your group members. Can be disabled at any time from your profile
- Language preferences
- Third-party authentication provider identifier (Google, Facebook, or Apple), where applicable
- Name and photo of managed persons (children, relatives without an account), where applicable
Usage Data
- Wishlists created (private, public, and memo)
- Items added to lists
- Reservations made and reservation notes
- Contributions (participation amounts toward a group gift)
- Messages exchanged in per-item discussion threads
- Groups and associated members
- Feedback, reports, and testimonials submitted
Technical Data
- IP address (hashed for feedback)
- Browser and device type
- Pages visited and interactions
Data from Unregistered Visitors
When an unregistered visitor reserves an item on a public list, we collect the following data:
- Email address (for reservation confirmation)
- Reserver's name (displayed to the list creator after the event date)
- Personal note (optional, intended for the list creator)
Legal basis: consent (submission of the reservation form).
Retention: this data is retained until the public list is deleted by its creator.
Mobile app permissions
The Olaf Wishlist mobile app requests certain permissions on your device only when you use the corresponding features:
- Camera: used solely to scan group invitation QR codes. Captured images are never saved, nor transmitted to our servers or any third party. Processing takes place locally on your device and the camera is disabled immediately after the QR code has been read.
- Notifications: used to alert you to events related to your lists and groups (new members, reservations, messages). You can disable notifications at any time from your device settings or your profile.
- Storage / Gallery: used only when you choose to manually add an image to an item or to your profile. No image is accessed without an explicit action on your part.
None of these permissions involves the ongoing collection or storage of data. Access is one-off and strictly limited to the feature concerned.
Processing Purposes
Your personal data is processed for the following purposes:
| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Managing your user account | Contract performance | Account lifetime. Accounts created but never verified by email are deleted after 30 days. Automatic deletion after 3 years of inactivity (no sign-in). Immediate and irreversible deletion upon request |
| Providing wishlist services | Contract performance | Account lifetime |
| Sending notifications related to your lists | Contract performance | Account lifetime |
| Processing feedback and bug reports | Legitimate interest (service improvement) | 2 years |
| Event coordination between members: by default, your birthday's day and month are shared with your group members to facilitate gift coordination. You can disable this sharing at any time from your profile | Legitimate interest (gift coordination between members of your groups) | Account lifetime. Can be disabled at any time from your profile |
| Contextual reminders: sending reminders by email and notification when a birthday is approaching in your groups, when your list is empty before an event, or for end-of-year holidays | Legitimate interest (service quality) | Account lifetime. Can be disabled from notification settings |
| Fraud prevention and security | Legitimate interest | Rate-limiting data: session duration. Hashed IP addresses (feedback): 2 years |
Cookies and Trackers
The Website only uses cookies strictly necessary for its operation. These cookies do not require your prior consent in accordance with applicable regulations.
List of cookies used:
| Name | Purpose | Duration |
|---|---|---|
| accessToken / refreshToken | Authentication and session maintenance | 15 minutes / 30 days |
| olaf_wishlist_lg_locale | Storing your language preference | 1 year |
The Website uses your browser's local storage to remember your navigation preferences. This data remains on your device and is never transmitted to our servers.
No advertising tracking cookies or third-party analytics are used on this website.
Audience Measurement
This website uses Umami, a privacy-friendly audience measurement solution. This solution is self-hosted on our servers and does not use any cookies. No personal data is collected or shared with third parties. Statistics are anonymous and aggregated, and are used solely to improve the user experience of the website.
Browser Extension
The Olaf Wishlist browser extension (available for Chrome, Firefox, and Edge) also includes audience measurement via Umami.
No personally identifiable data is collected by the extension. Only anonymous, aggregated usage events are recorded (e.g., number of items added, number of reservations made).
These anonymous statistics are used solely to understand extension usage and improve its features.
The extension stores your session credentials and preferences locally on your device. This data is never shared with third parties.
Email Sending
For sending emails (transactional emails, notifications, confirmations), we use our own email infrastructure hosted on our servers.
No personal data is transmitted to a third-party provider for email delivery.
The data processed for sending communications is:
- Recipient's email address
- Message content
- Technical data related to sending (timestamp)
This data is processed solely to ensure the delivery of communications and is stored on our servers located within the European Union.
Emails are transmitted from our infrastructure to recipients' mail servers. Our server attempts to establish an encrypted connection (TLS) when the recipient server supports it (opportunistic encryption). However, as with any email exchange on the Internet, end-to-end encryption cannot be guaranteed, as it depends on the configuration of the recipient's mail server.
Data Sharing
Your personal data is never sold to third parties. It may be shared with:
- Our hosting provider, for secure data storage
- OpenAI, for automatic moderation of testimonials published on the website (textual content analysis only, without transmitting personally identifiable data)
- Google (Gemini), to optionally analyze product photos taken from the mobile app when you trigger that feature (the photo is sent for analysis only, is never stored by Olaf, and the processing is governed by the Google AI Studio terms)
- Public list creators, who can view the name and email address of people who reserved an item, after the event date
- Competent authorities, upon legal request
Transfers outside the EU: except for the optional product-photo analysis, which may involve processing by Google outside the European Union when you enable it from the mobile app, no data is transferred outside the EU. All other data is hosted in France by OVH.
Automatic deletion of inactive accounts
In accordance with the storage limitation principle (GDPR Article 5), your Olaf Wishlist account and all associated data are automatically deleted after 3 years of inactivity, meaning the absence of any sign-in during that period. This duration corresponds to the recommendation of the CNIL (French data-protection authority) for consumer services.
You are notified by email, in-app notification and push notification (if enabled) on three occasions before deletion: 30 days before, 7 days before, and 24 hours before.
Any sign-in to your account updates the last-active date and prevents automatic deletion for another 3 years. Simply signing in is enough to keep your account.
When deletion occurs, your lists (private, public and memo), your reservations and your contributions are erased. Ownership of your groups is automatically transferred to another member (priority to the oldest admins). If you are alone in a group, the group is also deleted. You can download all your personal data before deletion from your profile.
In addition, an account that is created but never verified by email is automatically deleted 30 days after it was created. A reminder email is sent to you 7 days before this deadline. You can verify your address — or request a new verification link — at any time, as long as the account has not yet been deleted.
You can also delete your account yourself at any time, without waiting for this automatic deletion. Visit the dedicated account deletion page.
Your Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
Right of access
Obtain confirmation of the processing of your data and receive a copy. You can download your data directly from your profile.
Right to rectification
Have your inaccurate or incomplete data corrected
Right to erasure
Request the deletion of your data ("right to be forgotten")
Right to restriction
Request the restriction of processing of your data
Right to portability
Receive your data in a structured, readable format. Your data is available in JSON format from your profile.
Right to object
Object to the processing of your data for legitimate reasons
Right to withdraw consent
Withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal
To exercise these rights, you can:
- Use your account settings ("My Profile" page)
- Contact us at: contact@olaf-wishlist.com
- Download your personal data from the "My Profile" page
You also have the right to lodge a complaint with your local data protection authority.
Deletion of User Data Linked to Facebook Login
If you used Facebook Login to create or connect your Olaf Wishlist account, you can request the deletion of your data in two ways:
From your Olaf Wishlist account
Log in to your account and go to the My Profile page. From there, you can:
- Delete your account
- Download your data
- Edit or delete your profile information
By direct request
You can request the complete deletion of your data by writing to:
Please include the email address associated with your account in your message.
Remove Olaf Wishlist from your Facebook account
You can also remove the Facebook connection from your Facebook account:
- Open Settings & Privacy on Facebook.
- Go to Settings.
- Open Apps and Websites.
- Select Olaf Wishlist.
- Click Remove.
Data concerned
Deletion includes account data and third-party authentication data used by Olaf Wishlist, in accordance with our privacy policy.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
Security Measures
- Secure communications via the HTTPS protocol with TLS 1.2 or higher encryption
- Passwords hashed using the Argon2 algorithm (never stored in plain text)
- IP addresses anonymized through irreversible hashing
- Signed authentication tokens with limited lifespan
- Encryption of sensitive data at rest
- Regular encrypted backups
- Data access strictly limited to authorized personnel
- Access monitoring and logging to detect anomalies
We regularly review our security practices to adapt to technological developments and emerging threats. In the event of a security breach affecting your data, we commit to informing you as soon as possible in accordance with our legal obligations.
Changes
We reserve the right to modify this privacy policy at any time. In case of substantial changes, we will inform you by email or via a notification on the Website. The date of the last update is indicated at the top of this page.