Privacy Policy

Last updated March 16, 2026

At FORME ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect your information when you use forme.gifts (the "Service").

1. Information We Collect

1.1 Information You Provide Directly

Account Information:

  • Email address (via Google OAuth)
  • Google profile information (name, profile picture)
  • Account creation date

Subscription Information:

  • Subscription tier and status
  • Billing history (subscription start and end dates, plan changes)

Wishlist Content:

  • Wishlist name and description
  • Event dates
  • Gift names and descriptions
  • Product links
  • Price ranges
  • Images you upload

Booking Information (Gift-Givers):

  • Your authenticated account identity (linked via Google OAuth)
  • Booking timestamp

1.2 Information Collected Automatically

Essential Technical Information:

  • Authentication session data (handled by Supabase Auth)
  • Error logs for debugging (when the app crashes or fails)

Cookies and Local Storage:

  • Session cookies for authentication (essential for login)
  • Local storage tokens for booking retrieval (stored in your browser only, never sent to our servers)

1.3 Information From Third Parties

Google OAuth: When you sign in with Google, we receive:

  • Your email address
  • Your name
  • Your profile picture
  • Google account ID

We do not receive your Google password or access to other Google services.

Creem (Payment Processor): When you subscribe to a paid tier, Creem notifies us of:

  • Subscription status (active, cancelled, expired)
  • Plan type and billing period
  • Billing events (subscription created, renewed, cancelled)

We do not receive your credit card number or full payment credentials from Creem.

2. How We Use Your Information

2.1 To Provide the Service

  • Create and maintain your account
  • Store and display your wishlists
  • Enable wishlist sharing via unique links
  • Process and track gift bookings
  • Allow gift-givers to retrieve their bookings
  • Manage your subscription tier and associated limits
  • Send essential service communications

2.2 To Improve the Service

  • Debug technical issues when they occur
  • Monitor critical errors and uptime

2.3 To Protect Users

  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Detect security threats
  • Comply with legal obligations

2.4 To Communicate With You

  • Respond to your support requests
  • Send critical account or service updates (e.g., security issues, service changes)
  • Notify you of Terms or Privacy Policy changes

We do NOT send:

  • Marketing emails
  • Promotional content
  • Newsletter emails
  • Feature announcements (unless critical to service operation)

The only emails you'll receive from us are essential service communications.

3. How We Share Your Information

3.1 With People You Choose

Publicly Shared Wishlists: When you share your wishlist link, anyone with that link can see:

  • Your wishlist name and description
  • Your event date (if set)
  • All gift details (names, descriptions, images, prices, product links)
  • Which items are booked (but not who booked them)

What Others CANNOT See:

  • Your email address
  • Who booked which items
  • Booking timestamps or details
  • Your subscription tier or billing information
  • Any personal information beyond what you explicitly add to your wishlist

3.2 With Service Providers

We share information with trusted third-party service providers who help us operate the Service:

Supabase (Database & Authentication):

  • Stores user accounts, wishlists, gifts, and bookings
  • Provides authentication services
  • See Supabase's privacy policy: https://supabase.com/privacy

Cloudflare R2 (Image Storage):

  • Stores images you upload to your wishlists
  • See Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/

Netlify (Hosting Provider):

  • Hosts the website
  • Provides content delivery
  • See Netlify's privacy policy: https://www.netlify.com/privacy/

Netlify may collect standard server logs (IP addresses, request timestamps) as part of their infrastructure. We do not have access to or use this data for tracking purposes.

Creem (Payment Processor / Merchant of Record):

  • Processes subscription payments, billing, invoicing, and refunds
  • Stores your credit card details and payment credentials on our behalf
  • We receive only subscription status, plan type, and billing events — never your card numbers
  • See Creem's privacy policy: https://www.creem.io/privacy

3.3 For Legal Reasons

We may disclose information if required by:

  • Legal process (subpoena, court order)
  • Law enforcement requests
  • Protection against fraud or security threats
  • Defense of our legal rights
  • Compliance with applicable laws

3.4 Business Transfers

If FORME is acquired or merged with another company, your information may be transferred as part of that transaction. We'll notify you before your information is transferred and becomes subject to a different privacy policy.

3.5 Aggregated Data

We may share anonymized, aggregated data that cannot identify you personally (e.g., "50% of users add 10+ items to their wishlists").

4. Booking Privacy

4.1 How Bookings Work

When gift-givers book items, they sign in with their Google account. The booking is linked to their authenticated user ID. Wishlist owners cannot see who booked which items — they only see that an item has been booked.

4.2 Booking Data

Gift-givers can view and cancel their bookings from their account dashboard. Booking data is tied to your authenticated account, not stored separately.

5. Data Storage & Security

5.1 Where We Store Data

  • Database: Supabase Cloud (AWS infrastructure)
  • Images: Cloudflare R2 (S3-compatible object storage)
  • Authentication: Supabase Auth
  • Payments: Creem (payment credentials stored by Creem, not by us)
  • Location: Servers may be located in various regions globally

5.2 How We Protect Data

  • Encryption in transit: All data transmitted using HTTPS/TLS
  • Encryption at rest: Database and storage encrypted
  • Access controls: Strict role-based access to systems
  • Row Level Security (RLS): Database policies ensure users only access their own data
  • Regular backups: Automated backups for disaster recovery
  • Security monitoring: Active threat detection and response

5.3 No Absolute Security

Despite our efforts, no system is 100% secure. We cannot guarantee absolute security against unauthorized access, hacking, or data breaches. You use the Service at your own risk.

6. Your Privacy Rights

6.1 Access Your Data

You can view, download, and export your wishlist data at any time through your account settings.

6.2 Correct Your Data

You can edit your wishlist name, description, gifts, and other content directly in the app.

6.3 Delete Your Data

You can delete your account and all associated data. Upon deletion:

  • Your account, wishlists, and gifts are permanently removed
  • Active bookings remain to honor gift-givers' commitments
  • Some data may be retained as required by law or for legitimate business needs (e.g., fraud prevention)

6.4 Data Portability

You can export your wishlist data in a machine-readable format (e.g., JSON).

6.5 Regional Rights

Depending on your location, you may have additional rights:

European Union (GDPR):

  • Right to access, rectify, erase, restrict processing, data portability, and object to processing
  • Right to lodge a complaint with your local data protection authority
  • Our legal basis for processing: Consent, Contractual Necessity, Legitimate Interests

California (CCPA):

  • Right to know what data we collect, sell, or disclose
  • Right to request deletion
  • Right to opt out of data sales (note: we do NOT sell personal data)
  • Right to non-discrimination for exercising your rights

Other Regions: Check your local data protection laws for applicable rights.

6.6 Exercising Your Rights

To exercise any of these rights, contact us at privacy@forme.gifts. We'll respond within 30 days (or as required by local law).

7. Data Retention

7.1 Account Data

We retain your account and wishlist data as long as your account is active. Subscription and billing records are retained as required for tax and accounting purposes, even after account deletion.

7.2 After Account Deletion

  • Most data is deleted within 30 days
  • Backups may retain data for up to 90 days
  • Some records may be kept longer for legal, tax, or fraud prevention purposes

7.3 Booking Data

  • Active bookings are retained until the gift-giver removes them
  • After account deletion, associated bookings are anonymized

7.4 Server Logs

Netlify may retain standard server logs as part of their hosting service. We do not actively collect, analyze, or use these logs for tracking purposes. Refer to Netlify's privacy policy for their log retention practices.

8. Children's Privacy

FORME is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover we've collected such data, we'll delete it promptly.

Parents or guardians who believe we've collected information from a child under 13 should contact us at privacy@forme.gifts.

9. International Data Transfers

Your data is primarily stored and processed in the European Union (Supabase Cloud in AWS eu-west-1, Ireland). Some service providers may process data in other regions. We ensure appropriate safeguards are in place for any transfers outside the EU/EEA (e.g., Standard Contractual Clauses).

10. Cookies & Tracking

10.1 Essential Cookies

We use cookies necessary for the Service to function:

  • Authentication: Keeping you logged in (managed by Supabase Auth)
  • Security: CSRF protection and session management

You cannot opt out of essential cookies, but you can delete them by clearing your browser data (this will log you out).

10.2 No Analytics or Marketing Cookies

We do not use:

  • Analytics cookies
  • Marketing cookies
  • Advertising cookies
  • Tracking pixels
  • Third-party tracking scripts

10.3 Local Storage

We use browser local storage to:

  • Store booking tokens (so you can retrieve your bookings)
  • Cache authentication state

Local storage data stays on your device and is not transmitted to our servers unless you explicitly take an action (like logging in).

10.4 Third-Party Cookies

Third-party sites linked from wishlists (e.g., Amazon, Etsy) may set their own cookies. We have no control over these cookies. Review their privacy policies directly.

11. Third-Party Links

Your wishlist may contain links to third-party websites. We are not responsible for:

  • Their privacy practices
  • Their data collection
  • Their content or accuracy

Always review the privacy policies of sites you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do:

  • We'll update the "Last Updated" date at the top
  • Material changes will be communicated via email or in-app notification
  • Continued use of the Service after changes constitutes acceptance

13. Contact Us

Questions, concerns, or requests regarding your privacy? Contact us:

  • Email: privacy@forme.gifts
  • Website: forme.gifts

13.1 Data Protection Officer (If Applicable)

If you're in the EU and need to contact our Data Protection Officer, email: dpo@forme.gifts

14. Legal Framework

This Privacy Policy complies with:

  • General Data Protection Regulation (GDPR) - EU
  • California Consumer Privacy Act (CCPA) - USA
  • Other applicable data protection laws

By using FORME, you acknowledge that you've read and understood this Privacy Policy and consent to our data practices as described.
