Privacy Policy

The Data Controller for personal data collected through this website is Roberto Tumini, reachable at robertotmn@gmail.com.

We collect and process the following personal data:

• Registered users: name, email address, hashed password and, if you use Google sign-in, Google identifier — needed to create the account, sign in and manage the service.
• Wishlists: baby name, due date, gender, description, gifts, product links, prices and uploaded images — needed to create and share the list. Anyone with the public link can view the list contents; link preview crawlers may read the title and image to generate previews.
• Guest reservations: giver name, optional email address, quantity and optional message — needed to coordinate gift reservations and notify the list owner.
• Collective gift pledges: giver name, optional email address, amount, optional note and management/cancellation token — needed to record, update or cancel the pledge and send related notifications.
• Security and support: password reset tokens, technical logs, IP address and data needed to prevent abuse, protect the service and answer user requests.
• Data stored in the browser: persistent authentication cookies, cookie preferences, language, checklist ticks, name favourites, drafts and interface preferences stored in localStorage or sessionStorage. This data stays on your device unless it is needed for a service feature.
• Analytics with consent: browsing data, page events and interactions collected through Google Analytics 4 and Microsoft Clarity only after consent via the cookie banner.

• Performance of a contract or pre-contractual steps (Art. 6(1)(b) GDPR): account, authentication, lists, reservations, pledges, operational emails and features requested by the user.
• Legitimate interest of the Controller (Art. 6(1)(f) GDPR): security, abuse prevention, technical logs, request handling and correct operation of shared lists.
• Consent (Art. 6(1)(a) GDPR): non-essential analytics cookies and tools, including Google Analytics 4 and Microsoft Clarity.
• Legal obligations (Art. 6(1)(c) GDPR): any retention or disclosure required by applicable law.
• When processing is based on consent, you can withdraw it at any time from the cookie preferences, without affecting the lawfulness of processing carried out before withdrawal.

Personal data may be shared with the following providers or recipient categories, acting depending on the service as processors or independent controllers:

• Google LLC — email delivery through Gmail SMTP, Google authentication and Google Analytics 4 (GA4), the latter active only with consent.
• Hetzner Online GmbH — hosting of the application, database and uploaded files on servers located in the European Union.
• Microsoft Corporation — Microsoft Clarity for behaviour analytics and session replay, active only with consent.

The application, database and uploaded files are hosted on servers physically located in the European Union. Some providers, such as Google LLC and Microsoft Corporation, may process data outside the EEA for the services listed above; where needed, these transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR or by other mechanisms recognised by applicable law.

• Account and list data: kept until the user deletes the account or list.
• Reservations, pledges and guest messages: kept until the associated list is deleted or the individual reservation/pledge is removed where available.
• Uploaded images: kept while associated with the list or gift and deleted when the item or list is removed, except for temporary technical copies.
• Password reset tokens: valid for a limited time; previous unused tokens are removed when a new reset flow is requested.
• Cookies, local data, logs and backups: cookies and browser data remain until you delete them or they expire; logs and backups are retained for the technical time needed for security, maintenance and service recovery.

As a data subject, you have the right to (Arts. 15–22 GDPR):

• access your personal data;
• request correction if inaccurate;
• request deletion ("right to be forgotten");
• request restriction of processing;
• receive your data in a portable format;
• object to processing based on legitimate interest;
• lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

To exercise your rights, write to robertotmn@gmail.com.

This website uses necessary technical cookies, including persistent cookies to keep you signed in and store some preferences. With consent, it uses analytics cookies and tools from Google Analytics 4 and Microsoft Clarity to understand and improve website usage. You can accept, reject or change preferences from the cookie banner; without consent, analytics tools are not loaded. We do not use advertising or marketing profiling cookies.

You can delete your account and associated data from the Security page of your profile. Deletion removes the account, lists and linked data from the production environment; residual backup copies may remain for the technical rotation period and are not restored except for security or service continuity needs. Alternatively, you can send a request to robertotmn@gmail.com with the subject "Data deletion request"; we will respond within 30 days.