Privacy Policy
We built xwish.ai with privacy in mind: recipients never need an account, anonymous card creation is supported, and we collect only what's needed to run the service. This policy explains everything we collect, why, and your rights.
1. Data Controller
xwish.ai operates the greeting card platform available at https://xwish.ai. For the purposes of applicable data protection law, xwish.ai is the data controller responsible for your personal information.
For privacy requests, questions, or complaints, please use the contact details above. We aim to respond within 30 days.
2. Information We Collect
2.1 Information You Provide Directly
| Data | When collected | Required? |
|---|---|---|
| Name / display name | Account creation (via Google OAuth) | Yes, for accounts |
| Email address | Account creation; card email delivery | Yes, for accounts |
| Profile picture URL | Account creation (via Google OAuth) | No (can be blank) |
| Sender name | Card creation (anonymous or logged in) | Yes, for all cards |
| Recipient name | Card creation | Yes, for all cards |
| Card message content | Card creation (AI-generated from your inputs) | Yes |
| Recipient email address | Optional email delivery feature | No |
| Personal detail / context | Optional AI input to personalize card | No |
2.2 Information Collected Automatically
- Anonymous token — a random UUID stored in a browser cookie (anon_token) for users who create cards without an account. Used solely to let you access cards you've created without logging in. Expires after 1 year.
- Language preference — a cookie (xwish_lang_pref) recording your chosen language. Expires after 1 year.
- Session token — an HttpOnly, SameSite=Lax cookie stored after login. Expires after 7 days.
- Usage data — including cards created, credits earned and consumed, daily sign-in records, and feature interactions. Stored in our database.
- IP address and request metadata — processed by Cloudflare as part of infrastructure operation. Not stored in our application database.
2.3 Payment Information
If you purchase credits, your payment card details are entered directly into Stripe's secure payment interface and are never transmitted to or stored on our servers. We receive only confirmation of payment success, the package purchased, and a Stripe transaction reference.
2.4 Information About Card Recipients
If you provide a recipient's email address to deliver a card, we store that address to send the delivery email via Resend. Recipients are not required to create an account and we do not proactively contact recipients for any purpose other than delivering the card you've addressed to them.
3. How We Use Your Information
| Purpose | Information used |
|---|---|
| Providing and operating the Service | Account data, card content, session token, anonymous token |
| Generating AI card content | Occasion, sender/recipient names, tone, personal detail (passed to AI model; not retained beyond generation) |
| Delivering cards by email | Recipient email, sender name, card link |
| Processing payments and managing credits | Email, payment confirmation, credit logs |
| Sending transactional notifications | Email (credit expiry alerts, order confirmations) |
| Fraud prevention and security | Usage patterns, session data, IP (via Cloudflare) |
| Analytics and service improvement | Aggregated, anonymized usage data; Google Analytics (if enabled) |
| Legal compliance | Payment records, account data (as required by law) |
We do not sell your personal information to third parties. We do not use your personal information for targeted advertising or to build advertising profiles.
If Google Analytics is enabled on our site, Google may collect usage data as described in Google's Privacy Policy. You can opt out via Google Analytics Opt-out.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process your personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and management | Contract (Art. 6(1)(b) GDPR) |
| Providing card creation and delivery services | Contract (Art. 6(1)(b) GDPR) |
| Processing payments | Contract (Art. 6(1)(b) GDPR) |
| Transactional emails (order confirmations, credit expiry) | Contract / Legitimate Interests (Art. 6(1)(f) GDPR) |
| Security, fraud prevention, abuse detection | Legitimate Interests (Art. 6(1)(f) GDPR) |
| Analytics and service improvement | Legitimate Interests (Art. 6(1)(f) GDPR) |
| Legal compliance (tax records, financial obligations) | Legal Obligation (Art. 6(1)(c) GDPR) |
| Cookie consent (non-essential cookies) | Consent (Art. 6(1)(a) GDPR) |
Where we rely on legitimate interests, we have balanced these against your rights and interests. You may object to processing based on legitimate interests at any time (see Section 9).
6. International Data Transfers
Our infrastructure is provided by Cloudflare, which operates a global network including data centers within the European Economic Area. However, some of our service providers (Google, Stripe, Resend) are based in the United States or operate globally.
For transfers of EEA/UK personal data to countries that do not have an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or equivalent transfer mechanisms under UK GDPR.
By using the Service from outside the United States, you acknowledge that your information may be transferred to, stored in, and processed in the United States and other countries where our service providers maintain facilities.
8. Data Retention
| Data | Retention Period | Reason |
|---|---|---|
| Account profile data | Until account deletion + 30 days | Service operation |
| Cards (content, metadata) | Until deleted by creator, or 2 years after last view | Service operation |
| Credit and points logs | 3 years from transaction | Financial audit compliance |
| Payment order records | 7 years from transaction | Tax and legal obligation |
| Emails delivered (recipient address) | 90 days after delivery | Delivery confirmation |
| Anonymous tokens (cookies) | 1 year from last use | Functional (card access) |
After the retention period expires, we delete or anonymize the data. You may request earlier deletion of your account and associated data (see Section 9).
9. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information. To exercise any of these rights, contact us at support@xwish.ai. We will respond within 30 days (or the applicable statutory period).
All Users
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate or incomplete information.
- Deletion — request deletion of your personal information, subject to legal retention obligations.
- Complaint — lodge a complaint with your local data protection authority.
EEA / UK Users (GDPR / UK GDPR)
- Right to restriction — request that we limit how we process your data in certain circumstances.
- Right to portability — receive your personal data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- You have the right to lodge a complaint with your national supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the ICO.
California Residents (CCPA / CPRA)
- Right to know — request disclosure of the categories and specific pieces of personal information we collect, use, and share.
- Right to delete — request deletion of personal information we have collected (subject to certain exceptions).
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale / sharing — xwish.ai does not sell or share your personal information for cross-context behavioral advertising. No opt-out is needed.
- Right to non-discrimination — we will not discriminate against you for exercising any CCPA rights.
California residents may submit requests by emailing support@xwish.ai with "California Privacy Request" in the subject line.
Canadian Residents (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access your personal information and to challenge its accuracy. To make a request, contact us at support@xwish.ai.
Australian Residents
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to access and correct your personal information. You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy rights have been violated.
Brazilian Residents (LGPD)
Under Brazil's Lei Geral de Proteção de Dados (LGPD), you have rights including access, correction, anonymization, portability, deletion, and information about sharing. You may also file complaints with the Autoridade Nacional de Proteção de Dados (ANPD).
Middle East and Other Regions
We respect applicable data protection laws in all jurisdictions where we operate, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and Saudi Arabia's Personal Data Protection Law (PDPL). Residents of these regions may exercise access and correction rights by contacting us at support@xwish.ai.
10. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are located in the European Economic Area, users under 16 must have verifiable parental consent before creating an account or submitting personal information.
If you believe that a child under the applicable minimum age has provided us with personal information without appropriate consent, please contact us immediately at support@xwish.ai. We will take prompt steps to delete such information.
11. Security
We implement technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include:
- HTTPS encryption for all data in transit;
- HttpOnly, SameSite session cookies;
- Cloudflare infrastructure with built-in DDoS protection and WAF;
- Access controls limiting database access to the application layer;
- Payment data processed exclusively through Stripe's PCI-DSS compliant environment.
No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
If you discover or suspect a security vulnerability, please contact us immediately at support@xwish.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where practicable, notify registered users via email or an in-app notice at least 14 days before changes take effect.
Your continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. We encourage you to review this Policy periodically.
Prior versions of this Policy are available upon request.
13. Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy requests within 30 days. For complex requests, or where required by applicable law, we may extend this period by an additional 30 days, with notice.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.