Privacy policy
Last updated: May 2026
At MyWishlist we take your privacy seriously. This Privacy Policy describes how we collect, use, store, share, and protect the personal data of users of the website www.mywishlist.co, the dashboard at app.mywishlist.co, and the MyWishlist mobile application (together, the "Service"), in compliance with Brazilian Law No. 13,709/2018 (LGPD) and the Marco Civil da Internet (Law No. 12,965/2014). The Service is operated from Brazil and Brazilian law governs the processing of personal data.
1. Data Controller
The controller of the personal data processed by the Service is:
GRACE LABS TECNOLOGIA LTDA
CNPJ: 30.194.048/0001-49
Registered office: Esteio, State of Rio Grande do Sul, Brazil
Official channel: contato@mywishlist.co
A full mailing address can be requested via the contact channel above.
2. Information We Collect
We collect the following categories of data when you use the Service:
• Account data: name, email, hashed password, language, and country of registration
• List data: list names, descriptions, images, dates, and product links you publish
• Reservation and contribution data: when a visitor reserves a gift or contributes cash, we collect their name, email, phone, messages, and payment data (the latter only for BR users — see Section 7)
• Usage data: pages visited, features used, interaction events
• Technical data: IP address, browser type, operating system, device identifiers
• Mobile app data: push notification token, device model, and app version
• Cookies and similar technologies: see Section 8
3. Legal Bases (Articles 7 and 11 of the LGPD)
We process personal data under the following legal bases:
• Performance of a contract (art. 7, V): maintaining your account, creating lists, processing reservations and contributions, transactional communications
• Compliance with a legal or regulatory obligation (art. 7, II): tax, accounting, and access-log retention (Marco Civil da Internet)
• Regular exercise of rights (art. 7, VI): defense in administrative or judicial proceedings, fraud prevention
• Legitimate interests (art. 7, IX): information security, abuse prevention, aggregate metrics for product improvement
• Consent (art. 7, I): marketing communications and non-essential cookies; may be withdrawn at any time
• Credit protection (art. 7, X): anti-fraud analysis by the sub-acquirer Pagar.me, in the context of cash gifts (BR users only)
4. How We Use Your Information
We use the collected information to:
• Operate, maintain, and improve the Service
• Authenticate your account and protect against unauthorized access
• Display your lists and process reservations and contributions
• Connect you with visitors who have reserved or contributed to gifts
• Send transactional notifications and, subject to consent, marketing communications
• Detect fraud, abuse, and unlawful activity
• Comply with legal and regulatory obligations
• Carry out aggregated and anonymized analytics to evolve the product
5. Information Sharing
We do not sell your personal data. We share data only in the following situations:
• With visitors to your lists: contact information you have chosen to display
• With you, the list owner: details of visitors who have reserved or contributed in cash
• With operators (sub-processors): companies engaged to support the operation of the Service, described in Section 6
• With authorities: when required by law, court order, or valid administrative request
• In corporate transactions: merger, acquisition, reorganization, or sale of assets, in compliance with the LGPD
6. Sub-processors and International Data Transfers
To operate the Service we rely on the following operators, all under data protection agreements:
• Supabase (database hosting and authentication) — region as configured
• Pagar.me Pagamentos S.A. (payment processing for PIX and credit card) — Brazil
• Google LLC / Firebase Analytics (usage analytics) — United States
• Vercel Inc. (website hosting and CDN) — United States and global infrastructure
• Coolify (container orchestration for the dashboard and API)
• Apple Push Notification Service and Firebase Cloud Messaging (push notification delivery)
Some of these operators may carry out international data transfers (in particular to the United States). In such cases, we require adequate safeguards under article 33 of the LGPD, including specific contractual clauses and internationally recognized standards.
7. Payments and Financial Data (Brazil Only)
For users registered in Brazil who use the Cash Gifts feature:
• Payment processing is performed by Pagar.me Pagamentos S.A., a sub-acquirer regulated by the Central Bank of Brazil
• To receive funds via PIX, the list owner must provide their CPF and bank key; these data are shared with Pagar.me solely for settlement and to comply with regulatory obligations (KYC, anti-money-laundering — Law No. 9,613/1998)
• Guests' credit card data are not stored by MyWishlist; they are captured and tokenized directly by Pagar.me, in a PCI DSS-certified environment
• Financial records and statements are retained for the period required by Brazilian tax law (generally 5 years)
8. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service, in three categories:
• Essential: necessary for authentication and basic functionality (cannot be disabled without impairing the Service)
• Functional: remember preferences such as language and region
• Analytical: help us measure usage and performance (Firebase Analytics)
You can manage or delete cookies through your browser settings. Disabling essential cookies may prevent you from signing in or using features.
9. Analytics (Firebase)
We use Firebase Analytics, provided by Google LLC, to understand on an aggregate basis how users interact with the Service. The processing is based on legitimate interests (art. 7, IX, of the LGPD) and aims at continuous product improvement. Information collected by Firebase is governed by Google's Privacy Policy. You can disable analytics in your device settings or by using compatible blockers.
10. Data Security
We apply technical and administrative measures to protect personal data, including:
• Encryption in transit (HTTPS/TLS) and at rest, depending on the provider
• Passwords stored with modern hashing algorithms
• Role-based access controls (RBAC) and least-privilege principle
• Regular backups and continuous monitoring
• Logging of access events and suspicious attempts
Despite our best efforts, no system is absolutely secure. In the event of a security incident that could lead to relevant risk or harm to data subjects, we will notify the ANPD (Brazilian Data Protection Authority) and affected data subjects within the deadlines required by the LGPD.
11. Your Rights (Article 18 of the LGPD)
As a data subject, you may at any time:
• Confirm whether processing takes place
• Access your data
• Correct incomplete, inaccurate, or outdated data
• Request anonymization, blocking, or deletion of data that is unnecessary, excessive, or processed in non-compliance with the LGPD
• Port your data to another service provider
• Delete data processed under consent, subject to legal retention obligations
• Obtain information about the entities with which we share your data
• Be informed about the possibility of not providing consent and its consequences
• Withdraw consent
To exercise any of these rights, send your request to contato@mywishlist.co. We will respond within up to 15 (fifteen) days, in line with ANPD guidance.
12. Data Retention
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, subject to the following periods:
• Account data: while your account is active; after a deletion request, removed within 30 days, except when subject to legal retention
• Application access logs: at least 6 months (article 15 of the Marco Civil da Internet)
• Tax and financial data (BR): up to 5 years (tax law and anti-money-laundering rules)
• Consent-based marketing data: until consent is withdrawn
After these periods, data is deleted or anonymized.
13. Children's and Adolescents' Privacy
The Service is not directed to children (under 12 years old, in line with article 2 of the Brazilian Statute of the Child and Adolescent and article 14 of the LGPD). We do not knowingly collect data from children. If we identify improper collection, the data will be deleted. Use by adolescents (between 12 and 18 years old) must be in their best interest and requires the specific consent of at least one parent or legal guardian, under article 14 of the LGPD. If you are a parent or guardian and identify improper use by a child, please contact contato@mywishlist.co so that we may delete the data.
14. External Links
The Service contains links to third-party websites (stores, partners, social networks). We are not responsible for the privacy practices of those sites. We recommend reading the privacy policy of each site you visit before providing personal data.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, regulatory, or Service changes. Material changes will be communicated with at least 15 (fifteen) days' notice by registered email or a prominent notice in the Service. We recommend reviewing this Policy periodically.
16. Contact and Data Protection Officer (DPO)
For questions about this Policy, to exercise rights, or to contact the Data Protection Officer (DPO), please use:
Main email: contato@mywishlist.co
DPO: Data Protection Officer — Grace Labs Tecnologia LTDA — contato@mywishlist.co
You may also file complaints with the Brazilian Data Protection Authority (ANPD) through www.gov.br/anpd.
