Note: The full privacy policy is currently available in German.

Privacy Policy for Wish-it

Web, Android, iOS

Version 1.1 • Last updated: 11 Jan 2026

App name Wish-it

Platforms Web, iOS, Android

Provider Digital-e UG (haftungsbeschränkt)

Language

A. Controller

Digital-e UG (haftungsbeschränkt)
Managing Director: Kurt Laabs
Norderstraße 47
25436 Tornesch, Germany

Email: anfrage@digital-e.org

No data protection officer appointed.

This notice provides information pursuant to Articles 12–14 GDPR in a transparent, intelligible and easily accessible way about the processing of your personal data when using our app and website.
Quote (Art. 12(1) GDPR): “The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”

B. Types of processed data and data subjects

Categories of personal data

Depending on how you use the service, we process in particular:

Account / login data Email address, user ID (UID), login provider (Google/Apple) if applicable, tokens
User content Wish lists, names, descriptions, images/metadata
Device / usage data IP address, user agent, timestamps, interactions
Log data / error reports Technical logs for stability and security
Terminal device storage Local/session storage for settings/session
Affiliate redirects Partner ID / URL parameters when clicking Amazon links (no third‑party tracking on our site)

Data subjects: Users of the Wish-it app and website.

Legal bases are listed under section C.

C. Purposes and legal bases of processing

1. Provision and operation (app/web)

Processing for authentication, account management and synchronisation of user-generated content. Legal basis: Art. 6(1)(b) GDPR (performance of a contract / use of the service).

2. Security, troubleshooting and abuse prevention

Processing of technical logs for stability, security, error analysis and prevention of misuse/fraud. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, functional operation).

3. Terminal device access (local/session storage)

Strictly necessary (without consent): e.g. login session / CSRF or comparable security tokens in session storage.
Optional (only with prior consent): Convenience/settings/caches (e.g. app_locale, tutorial_*, flutter.group_cache / flutter.participant_cache). Refusal has no functional disadvantages other than loss of convenience.

Legal framework: ePrivacy / Section 25 TDDDG (Art. 5(3) ePrivacy Directive 2002/58/EC) – selection in the consent dialog, withdrawal at any time in “Settings”.
Quote (Art. 5(3) Directive 2002/58/EC): “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent …; this shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication … or as strictly necessary …”.

4. Affiliate redirects (Amazon)

We label Amazon links as advertising/affiliate links. On our site we only redirect; Amazon sets cookies/tracking on its own domain. Legal basis for our processing: Art. 6(1)(f) GDPR (monetisation / referrer transfer via URL parameters).

 Important: On wish-it.de we do not use third‑party scripts and
    we do not set our own marketing cookies without consent.

D. Services, technologies and third parties

5.1 Firebase (Google)

Use: Authentication, (if applicable) data storage, push notifications

Data: Accounts/UID, tokens, technical log data, device information

Locations / transfers: Firebase Authentication is operated exclusively from US data centres; international transfers to the USA are possible. Safeguards are provided via Google’s Data Processing & Security Terms incl. Standard Contractual Clauses (SCC) and—where applicable—the EU‑US Data Privacy Framework. More information: Firebase Terms and Firebase Privacy/Subprocessors.

Legal bases: Art. 6(1)(b) GDPR (login/account), Art. 6(1)(f) GDPR (security/error analysis)

5.2 Cloudflare Workers (backend)

Use: Edge compute/workers, caching, security/firewall

Role: Processor; Cloudflare Customer DPA incl. Standard Contractual Clauses (SCC) and information on subprocessors is available (e.g. Customer DPA, Subprocessors).

Legal bases: Art. 6(1)(b)/(f) GDPR (technical provision/security)

Transfers: Global network infrastructure may lead to international transfers; safeguarded via SCC/DPF and documented security measures

E. Affiliate marketing

Affiliate links (Amazon)

Labelling:

“Ad/Affiliate link” at the link; additionally site‑wide the notice “As an Amazon Associate I earn from qualifying purchases.” (Amazon programme requirement; placed site‑wide or on pages with affiliate links in accordance with programme policies).

Process:

When you click, your request is redirected to Amazon with our partner ID. On wish-it.de we do not use third‑party scripts and we do not set our own marketing cookies; any cookie processing takes place on amazon.de under Amazon’s responsibility.

Legal basis:

Art. 6(1)(f) GDPR (monetisation / referrer transfer via URL parameters); no terminal device access for marketing on our site without consent.

F. Retention and deletion

Account data / user content

Until account deletion or after statutory retention periods.

Log / error data

Technically required, typically up to 30 days.

Terminal device storage

Essential: until end of session/logout. Optional: until withdrawal or defined lifetime; deletion control via settings.

G. Recipients of data & third-country transfers

Where data is transferred to third countries (in particular the USA) (e.g. Firebase Auth, Cloudflare), this takes place exclusively in accordance with Articles 44–46 GDPR (Standard Contractual Clauses; where applicable EU‑US Data Privacy Framework; supplementary measures).

Processors: Firebase/Google and Cloudflare (each with DPA, SCC/where applicable DPF and documented technical and organisational measures).
Affiliate: When you click Amazon links, referrer information/URL parameters are transmitted to Amazon; any cookies/tracking take place on Amazon domains.

H. Rights of data subjects

You have rights of access, rectification, erasure, restriction, data portability as well as objection/withdrawal (for consent-based processing). You can lodge a complaint with a supervisory authority.

Access

Art. 15 GDPR

Rectification

Art. 16 GDPR

Erasure

Art. 17 GDPR

Restriction

Art. 18 GDPR

Data portability

Art. 20 GDPR

Objection

Art. 21 GDPR

Contact for exercising your rights: anfrage@digital-e.org

I. Changes to this notice

We adapt this notice to technical/legal developments and will inform you about material changes in the app and on the website.

J. Other information

Security

We implement appropriate technical and organisational measures (e.g. encryption in transit/at rest, access controls, logging, deletion concepts), based on risk and industry standards.

Terminal device settings and withdrawal

You can withdraw your consent for optional local/session storage purposes at any time in the settings; until consent is given, these optional storage items are disabled. This corresponds to the ePrivacy requirements for terminal device access (in particular Section 25 TDDDG) and the “right to refuse”. Refusal is equally possible; optional convenience remains disabled.

All product privacy policies