Privacy Policy

1. Overview

Wishr ("we", "our", "us") operates the Wishr web application and the Wishr Chrome Extension. This policy explains what data we collect, how we use it, and your rights. We do not sell your data to third parties.

2. Data Collected by the Chrome Extension

a) Authentication information

When you sign in, your email address and password are sent to the Wishr API to authenticate you. Your password is never stored. A session token is saved locally in chrome.storage.local to keep you signed in between sessions. This token is only transmitted to Wishr servers.

b) Website content from the active tab

When you open the extension popup on a product page, a locally-bundled script reads the product title, price, and image from that page. This data is used only to pre-fill the save form. It is transmitted to Wishr servers only when you explicitly click Save. The extension does not read or store page content in the background.

c) Page URL

The URL of the active tab is read when you open the popup and saved as part of the saved item so you can return to the product page later. The extension does not track your browsing history.

3. Data Collected by the Web App

When you create an account and use the Wishr web application we collect:

• Email address and password (hashed — we never store plaintext passwords)
• Display name, username, and optional profile photo
• Optional bio, Instagram URL, and Facebook URL you choose to add to your profile
• Space names, items, notes, and product URLs you save
• Social interactions you initiate: friend requests, comments, reactions, pledges

4. How We Use Your Data

• To operate and deliver the Wishr service
• To authenticate you and keep your account secure
• To enable social features (your circle, sharing, recommendations)
• To send in-app notifications for activity on your spaces
• To track price changes on items you have saved

We do not use your data for advertising, profiling, or any purpose unrelated to operating the Wishr service.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the infrastructure providers required to operate the service:

• Supabase — database, authentication, and file storage
• Vercel — hosting and serverless functions
• Upstash — caching layer (no personal data stored)
• Inngest — background job processing

Profile information you mark as public (display name, username, bio, social links, public spaces) is visible to other users and to anyone with the link.

6. Data Retention

Your data is retained for as long as your account is active. You may delete your account at any time by contacting us at the email below, which will remove your personal data from our systems within 30 days.

7. Security

All data is transmitted over HTTPS. Passwords are hashed using bcrypt via Supabase Auth. Row Level Security policies on our database ensure users can only access their own data. Session tokens are stored in chrome.storage.local, which is sandboxed to the extension and inaccessible to web pages.

8. Your Rights

You have the right to access, correct, or delete your personal data at any time. To exercise these rights, contact us at the email address below.

9. Children's Privacy

Wishr is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. The date at the top of this page will reflect the latest revision. Continued use of Wishr after changes constitutes acceptance of the updated policy.