Privacy Policy & Data Protection

What personal information do we process?

When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information?

We do not process sensitive personal information.

Do we collect any information from third parties?

We may collect information from public databases, marketing partners, social media platforms, and other outside sources.

How do we process your information?

We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

When and with whom do we share personal information?

We may share information in specific situations and with specific categories of third parties.

How do we keep your information safe?

We have adequate organizational and technical processes and procedures in place to protect your personal information.

What are your rights?

Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information.

Wishlist Data and Content

No Account Required: Pingwish operates without user accounts. When you create a wishlist, it is identified by a unique link rather than personal login credentials.

Wishlist Content: The information we store in your wishlists may include:

• Product names, descriptions, and links you add to your wishlist
• Any personal notes or comments you include with wishlist items
• Names or personal identifiers you choose to include in wishlist titles or descriptions
• Wishlist creation and modification timestamps

Data Storage and Lifecycle: Wishlists are stored in secure cloud databases and remain accessible via their unique links until:

• You explicitly delete them using the delete function
• 24 months of complete inactivity (no views or modifications)
• You request deletion by contacting us directly

Personal Data in Wishlists: While we don't require personal information, you may choose to include personally identifiable information in your wishlist content. Under GDPR, you have rights regarding this data including access, rectification, and deletion.

Contact Information

We may collect email addresses when you contact us for support or exercise your data subject rights. We do not require registration or account creation for basic service use.

Sensitive Information: We do not knowingly process sensitive personal information.

Information Automatically Collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information includes:

• Log and Usage Data: Service-related, diagnostic, usage, and performance information our servers automatically collect
• Device Data: Information about your computer, phone, tablet, or other device you use to access the Services
• Location Data: Information about your device's location, which can be either precise or imprecise

Google API: Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Information Collected from Other Sources

In Short: We may collect limited data from public databases, marketing partners, social media platforms, and other outside sources.

Third-Party Service Providers

We may share your personal information with third-party service providers that perform services for us or on our behalf, including:

• CookieYes: Consent management platform — records and stores your cookie preferences (necessary cookie only, no personal data shared)
• Umami Analytics: Privacy-focused website analytics using cookieless tracking — no personal data shared
• Google Analytics 4: Website analytics (only when you have given consent) — anonymous usage statistics; data may be processed in the USA under Standard Contractual Clauses
• Hosting and Infrastructure Providers: For website hosting and technical operations

Affiliate Partners

We participate in affiliate marketing programs, including:

• Amazon Associates Program: When you click on Amazon product links, Amazon may track your activity for commission purposes
• Other Retail Partners: We may share anonymized or aggregated data with other affiliate partners to track referrals and commissions

These partnerships do not involve sharing your personal identifying information, but may involve sharing anonymized usage data and referral information.

Legal Requirements and Business Transfers

We may disclose your personal information if required to do so by law or in response to valid requests by public authorities, or in connection with a merger, acquisition, or sale of all or a portion of our assets.

How the Gift Finder Works

Pingwish offers a "Gift Finder" feature that allows you to describe gift ideas or search criteria in a free-text search input field. When you submit a search query through the Gift Finder, the text you enter is processed as follows:

• AI Processing (OpenAI): Your search input is transmitted to the OpenAI API, a third-party artificial intelligence service provided by OpenAI, L.L.C. (San Francisco, USA). OpenAI processes your input to extract structured search criteria (such as product category, price range, recipient type, and occasion) from your free-text description. This processing is necessary to interpret your intent and generate relevant product search parameters.
• Product Search APIs: The extracted search criteria are then used as input for product search APIs provided by our retail partners, including but not limited to Amazon, eBay, and other e-commerce platforms. These partners receive the structured search parameters (not your original free-text input) to return relevant product results.

Data Transmitted to Third Parties

When you use the Gift Finder, the following data may be transmitted to third-party services:

• To OpenAI: The full text of your search input as entered in the Gift Finder search field. OpenAI processes this data under its own data processing agreement and privacy policy. We use the OpenAI API in a configuration that does not retain your input for model training purposes.
• To Retail Partner APIs (Amazon, eBay, etc.): Structured, extracted search parameters derived from your input (e.g., "wireless headphones under 50 EUR for teenager"). Your original free-text query is not forwarded verbatim to retail partners.

Pingwish does not store, log, or retain your Gift Finder search queries on its own servers beyond the duration of the individual request processing.

Important: Do Not Enter Personal or Sensitive Information

WARNING: The Gift Finder search field is designed exclusively for describing gift ideas, product preferences, and search criteria. It is not designed, intended, or suitable for the entry of personal, private, or sensitive information of any kind.

You must not enter any of the following into the Gift Finder search field:

• Full names, addresses, phone numbers, or email addresses
• Financial information (credit card numbers, bank details, etc.)
• Identity documents or government-issued identification numbers
• Health or medical information
• Passwords, access codes, or security credentials
• Information about third parties without their consent
• Any data classified as "special category data" under GDPR (Article 9)

Disclaimer of Liability: Pingwish, its owner Daria Aparina (Loony Rocket e.U.), and its affiliates accept no responsibility or liability whatsoever for any personal, private, sensitive, or confidential information that you voluntarily enter into the Gift Finder search field. By using the Gift Finder, you acknowledge and accept that any text you enter may be transmitted to third-party services (including OpenAI and retail partner APIs) as described above, and that Pingwish has no control over how such third parties process, store, or handle the data once transmitted. You use the Gift Finder entirely at your own risk with respect to the content you choose to enter.

Legal Basis for Processing (GDPR)

The processing of your Gift Finder search input is based on Article 6(1)(b) GDPR — processing necessary for the performance of a service you have requested (providing personalized gift search results). By voluntarily entering a search query and submitting it, you initiate the processing necessary to deliver the requested service. You are not required to use the Gift Finder feature, and the rest of Pingwish's services function independently without it.

AI-Generated Results Disclaimer

Search results and product suggestions generated through the Gift Finder are provided "as is" for informational purposes only. Pingwish makes no warranties regarding the accuracy, completeness, suitability, availability, or appropriateness of AI-processed search results or any products returned by third-party APIs. AI processing may occasionally produce inaccurate, incomplete, or irrelevant results. Always verify product details directly with the retailer before making purchasing decisions.

Umami Analytics (Cookieless — No Consent Required)

We use Umami Analytics, a privacy-first, cookieless analytics solution that respects user privacy. Umami does not collect any personally identifiable information, does not use tracking cookies, and does not require user consent under GDPR, ePrivacy Directive, CCPA, or PECR. All data collected is anonymous and aggregated for statistical purposes only.

Because Umami does not process personal data or set cookies, it runs regardless of your cookie consent choice.

Google Analytics 4 (Requires Your Consent)

We additionally use Google Analytics 4 (GA4), provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). GA4 uses cookies to collect anonymous statistical data about how visitors use our website (pages visited, time on site, traffic sources). This data helps us understand and improve our service.

Consent required: Google Analytics is only activated after you explicitly accept analytics cookies in our consent banner. We implement Google's Consent Mode v2, which means all analytics storage is set to denied by default until you give consent. If you decline or ignore the banner, no GA cookies are set and no data is sent to Google.

No advertising: We do not use GA4 for advertising, remarketing, or cross-site tracking. Ad-related consent signals remain denied at all times.

Data transfer: Google Analytics may transfer data to Google servers in the United States. This transfer is covered by Google's Standard Contractual Clauses approved by the European Commission. For more information, see Google's Privacy Policy.

Legal basis (GDPR): Article 6(1)(a) — your explicit consent.

Austria exception: Google Analytics tracking is automatically disabled for visitors from Austria, consistent with Austrian data protection authority guidance.

Your Rights Under GDPR and Other Privacy Laws

In regions covered by GDPR (EEA, UK, Switzerland) and other privacy laws, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure (Right to be Forgotten): Request deletion of your personal data
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for cookies and analytics at any time
• Right to Lodge a Complaint: File complaints with your local data protection authority

How to Exercise Your Rights

Wishlist Data Management: Since Pingwish operates without accounts:

• Direct Deletion: Use the delete function available on your wishlist page
• Request Assistance: Email us at privacy@pingwish.com with your wishlist link
• Data Access: Contact us to request information about data associated with your wishlist link

Analytics Rights:

• Umami Analytics does not collect personal data or use tracking cookies, so no consent or opt-out is required for Umami
• Google Analytics: withdraw your consent at any time via the cookie settings link in our footer — this removes all GA cookies and stops further tracking
• Use browser settings to clear local storage if you wish to remove wishlist references from your device

Data Subject Request Process:

1. Contact us at privacy@pingwish.com
2. Specify which right(s) you wish to exercise
3. Provide sufficient information to identify your data (wishlist links, contact details, etc.)
4. We will respond within 30 days (or 1 month under GDPR)
5. Verification may be required to protect against unauthorized access

No Cost: Exercising your rights is free of charge unless requests are manifestly unfounded or excessive.

Complaints and Data Protection Authorities

If you believe your privacy rights have been violated, you can lodge a complaint with:

• Austria: Datenschutzbehörde (DSB) - dsb.gv.at
• Your local EU data protection authority if you reside elsewhere in the EEA
• Contact us first: We encourage contacting us directly to resolve issues quickly

Cookies We Use

Consent Management Cookie (Necessary): CookieYes stores your consent decision in a cookie named cookieyes-consent. This cookie is strictly necessary to remember your preferences and is set regardless of your consent choice. It does not track you or collect personal data.

Analytics Cookies (Only With Consent): If you accept analytics cookies, Google Analytics 4 may set the following cookies: _ga, _ga_*. These cookies collect anonymous data about how you use our website and expire after 2 years / 1 minute respectively. No analytics cookies are set if you decline or have not yet responded to the banner.

No Advertising Cookies: Pingwish does not use cookies for advertising, remarketing, or cross-site tracking under any circumstances.

Privacy-First Analytics with Umami (Cookieless)

Cookieless Analytics: We use Umami Analytics, a privacy-focused analytics solution that operates without cookies. Umami:

• Does not collect personally identifiable information (PII)
• Does not track individual users across sessions
• Does not use cookies or similar tracking technologies
• Collects only anonymous, aggregated statistics about website usage
• Is fully compliant with GDPR, CCPA, and PECR without requiring user consent
• Does not sell or share data with third parties

Because Umami does not process personal data or track users, it does not require user consent under privacy regulations and runs independently of your cookie choice.

Google Analytics 4 (With Your Consent)

When you accept analytics cookies, we activate Google Analytics 4 to collect anonymous usage statistics. GA4 uses Google's Consent Mode v2 — all storage defaults to denied until consent is granted. Data collected includes pages visited, session duration, traffic sources, and country-level location. No personal identifiers are collected. Visitors from Austria are excluded from GA4 tracking at all times.

You can withdraw your consent at any time via the cookie settings in our footer. Upon withdrawal, GA cookies are cleared and no further data is sent to Google.

Browser Local Storage for Wishlist References

What We Store Locally: We store wishlist identification keys (unique links) in your browser's local storage to enable the "My Wishlists" feature. This local storage:

• Contains only wishlist link references, not the actual wishlist content
• Helps you access and manage your wishlists conveniently from the "My Wishlists" page
• Remains only on your device and is never transmitted to our servers
• Can be cleared at any time through your browser settings
• Does not track your behavior or collect personal information

No Remote Tracking: We do not track, monitor, or access your local storage data remotely. The wishlist keys are stored purely for your convenience to help you find wishlists you've created.

Important Security Note: If you use Pingwish on a shared or public computer, other users may access your wishlist references through the same browser. To protect your privacy, clear your browser's local storage for pingwish.com after use.

Third-Party Services and Data Processing

We integrate with the following third-party services:

CookieYes — Consent Management: We use CookieYes (CookieYes Limited, 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom) to manage cookie consent. CookieYes stores your consent preference in a necessary cookie and does not share personal data with third parties. Privacy Policy: cookieyes.com/privacy-policy.

Umami Analytics — Privacy-First Analytics (Cookieless): Umami is an open-source, privacy-focused analytics solution that operates without cookies or personal data collection. It does not use cookies, does not collect PII, does not track users across sessions, and is fully GDPR/CCPA/PECR compliant without requiring user consent. No personal data is transferred internationally. More information: umami.is.

Google Analytics 4 — Website Analytics (Consent Required): Provided by Google Ireland Limited. When you accept analytics cookies, GA4 collects anonymous usage statistics (pages viewed, session data, traffic sources). Data may be transferred to Google servers in the United States under Standard Contractual Clauses. You can opt out at any time by changing your cookie preferences in our footer. Privacy Policy: policies.google.com/privacy.

Amazon Affiliate Program: We participate in the Amazon Services LLC Associates Program and other Amazon affiliate programs. When you click on Amazon product links on our website, Amazon may set cookies to track your activity and we may earn a commission on qualifying purchases. This does not affect the price you pay. Amazon's use of cookies is governed by Amazon's Privacy Policy: Amazon Privacy Notice.

No Advertising Networks: We do not use advertising networks, remarketing services, or other third-party tracking technologies on our website.

Managing Cookies and Local Storage

Cookie Preferences: You can change or withdraw your analytics consent at any time by clicking the cookie settings link in our website footer. Withdrawing consent removes GA cookies and stops all GA tracking immediately.

Browser Settings: You can also clear cookies and local storage data through your browser settings:

• Chrome: Settings → Privacy and Security → Clear browsing data → Cookies and other site data
• Firefox: Settings → Privacy & Security → Cookies and Site Data → Clear Data
• Safari: Settings → Privacy → Manage Website Data → Remove All
• Edge: Settings → Privacy, search, and services → Clear browsing data

Note: Clearing local storage will remove your saved wishlist references, and you'll need the direct links to access your wishlists again.

Legal Basis for Data Processing

Under GDPR and other applicable privacy laws, our legal basis for data processing is:

• CookieYes Consent Cookie: Legitimate interest (necessary to record your cookie preference)
• Umami Analytics: Legitimate interest (website improvement) — no consent required as no personal data is processed
• Google Analytics 4: Article 6(1)(a) GDPR — your explicit consent via the cookie banner
• Local Storage: Legitimate interest (providing user convenience) — data stays on your device
• Wishlist Data: Contractual necessity and legitimate interest (service delivery)

Data Retention

• CookieYes Consent Cookie: 1 year from the date of consent
• Google Analytics Cookies (_ga, _ga_*): 2 years / 1 minute respectively — only set after consent, cleared on withdrawal
• Browser Local Storage: Persists indefinitely until manually cleared by the user
• Umami Analytics Data: Anonymous aggregated statistics; no personal data retained
• Wishlist Data: Retained for 24 months of inactivity or until deleted

Updates to This Policy

We may update this policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our website with a new effective date.

Minimum Age Requirements

Service Age Limit: Pingwish is not intended for use by children under the age of 13. Users must be at least 13 years old to use our services. Users between 13 and 16 years old (or the age of digital consent in their country) should have parental guidance when using our service.

For Users in the European Economic Area: The minimum age for using our service may be higher in your country based on local laws regarding digital consent (typically 16 in many EU countries).

Children's Data Protection

COPPA Compliance: We do not knowingly collect, use, or disclose personal information from children under 13 years of age without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).

GDPR Compliance for Minors: We do not knowingly process personal data of children under the age of digital consent in their respective EU member state without parental consent.

If We Discover Child Data: If we become aware that we have collected personal information from a child under the applicable age limit without appropriate consent, we will take steps to delete such information promptly.

Parental Rights: Parents or guardians who believe their child has provided personal information to us may contact us at privacy@pingwish.com to request review, deletion, or to stop further collection of their child's information.

Safe Usage Guidelines

Parental Guidance: We recommend that parents or guardians supervise minors' use of our service and ensure they understand:

• Not to include personally identifiable information in wishlists
• To keep wishlist links private and only share with trusted individuals
• To understand that affiliate links may lead to third-party shopping sites
• To seek parental permission before clicking on any external links

Privacy-First Approach

Transparency Notice: We believe in full transparency about our data practices. Pingwish has been designed with privacy as a fundamental principle.

Our Privacy-First Measures:

• No advertising cookies or third-party tracking networks
• Umami Analytics: cookieless, no personal data, no consent required
• Google Analytics 4: only activated after your explicit consent; GA Consent Mode v2 defaults all storage to denied; Austria users always excluded
• No user accounts, login, or authentication system
• No session tracking across pages or visits
• Minimal data collection — only what is necessary for service functionality
• Local browser storage for wishlist references (not tracked remotely)

Your Rights: If you have any privacy concerns, you can:

• Manage or withdraw cookie consent via the cookie settings link in our footer
• Contact us to exercise your right to access, rectify, or delete your data
• Clear browser local storage to remove wishlist references
• File a complaint with your local data protection authority if you believe your rights have been violated

Affiliate Marketing Financial Relationships

Material Connections Disclosure: We want to be completely transparent about our financial relationships. Pingwish participates in affiliate marketing programs, which means we may receive financial compensation when you purchase products through certain links on our website. This creates a material connection that could potentially influence our product recommendations and content.

Editorial Independence: While we earn commissions from affiliate relationships, we maintain editorial independence and only recommend products we genuinely believe will provide value to our users. However, you should be aware that financial incentives exist and may influence which products we choose to feature or recommend.

User Protection: This disclosure is made to comply with:

• FTC Guidelines on Endorsements and Testimonials
• EU Consumer Rights Directive
• Amazon Associates Program requirements
• Austrian and European consumer protection laws

Third-Party Service Dependencies

Service Reliability Disclaimer: Our website relies on the following third-party services: CookieYes (consent management), Umami Analytics (cookieless analytics), Google Analytics 4 (consent-gated analytics), and Amazon affiliate tracking. Changes to these services' terms, privacy policies, or availability could affect our service delivery.

Regulatory Compliance Updates: Privacy laws and regulations are continuously evolving. We commit to updating our practices and policies to maintain compliance with GDPR, DSGVO, CCPA, and other applicable privacy regulations.

Technical and Organizational Security Measures

Data Protection: We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption: All connections to our website use HTTPS encryption
• Secure Hosting: Our services are hosted on secure cloud infrastructure with industry-standard security practices
• Access Controls: Limited access to personal data on a need-to-know basis
• Regular Updates: We maintain current security patches and updates
• Data Backups: Secure backup procedures to prevent data loss

Limitations: While we implement reasonable security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

Privacy by Design Principles

Minimal Data Collection: Pingwish is designed with privacy in mind:

• No User Accounts: We don't require registration or personal information to use our basic service
• Private by Default: Wishlists are private and accessible only via unique links
• Local Storage: Wishlist preferences are stored locally in your browser when possible
• Data Minimization: We collect only the minimum data necessary for functionality
• Transparency: This comprehensive privacy policy explains all data practices

User Control: You maintain control over your data through:

• No Consent Required: We don't use tracking cookies or collect personal data through analytics, so no consent management is needed
• No User Login: There is no user authentication system, login, or session tracking
• Direct wishlist deletion capabilities
• Easy contact methods for data subject requests
• Local browser storage that you can clear at any time

Data Breach Procedures

Incident Response: In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

• Assess and contain the breach promptly
• Notify relevant supervisory authorities within 72 hours where required by law
• Notify affected users without undue delay if high risk to individual rights
• Implement measures to prevent future incidents
• Document all incidents for regulatory compliance