Privacy Policy
Last updated: June 10, 2026 · Operated by Chateau Fiasco LLC, dba WantHave
WantHave ("we," "us," or "our") operates the WantHave web application and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
This policy applies to all users of the Service, including registered account holders and visitors who browse public pages (such as shared wishlists and user profiles) without creating an account. By accessing or using any part of WantHave, you acknowledge that you have read and agree to this Privacy Policy and our Terms of Service. If you do not agree, please do not use the Service.
The short version
- We built WantHave to help you track what you want to buy, what you've bought, and save you money.
- We do not sell your personal information to anyone — ever. We make money through affiliate commissions when you click shopping links, and we never override your existing affiliate tags. (Aggregated, anonymous statistics that can't identify anyone are different — see Section 3.)
- Our automated tools (email scanning, purchase detection, discount code extraction) may occasionally make mistakes — see our Terms of Service for the full accuracy disclaimer. Don't rely on WantHave as your sole record of purchases.
- Your use of WantHave is governed by our Terms of Service, which include individual binding arbitration with a 30-day opt-out.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Name and email address
- Profile photo (from your sign-in provider or uploaded by you)
- Username and bio (optional, for your public profile)
- Password (hashed and encrypted — we never store or see your actual password)
- Social media handles (optional, for your public profile)
- Referral source (if you signed up via a referral link)
- Notification preferences and app settings
1.2 Email Data (Optional)
If you choose to connect your Gmail account, we access your inbox using read-only permissions. We cannot send, delete, or modify your emails.
We scan your emails to find:
- Order confirmations and receipts
- Shipping and delivery notifications
- Discount codes and promotional offers
- Return and refund confirmations
We only search for emails from known retailers and carriers. We do not read personal correspondence, and we do not store the full content of your emails. We extract structured data (vendor name, order number, items, prices, tracking numbers) and discard the raw email content. We do retain email metadata (sender address, subject line, date, and a short preview snippet) for deduplication and search purposes.
You can disconnect your Gmail at any time from the Integrations page. When disconnected, we stop accessing your inbox immediately.
1.3 Purchase and Shipping Data
We store information about your purchases, including:
- Vendor name, order numbers, and purchase category
- Items purchased (names, prices, quantities, images, product identifiers like Amazon ASINs)
- Shipping carrier, tracking numbers, and delivery address (when available from emails)
- Delivery status, estimated delivery dates, and approximate delivery location coordinates
- Order amounts, refund amounts, and return deadlines
- Purchase type classification (physical, digital, subscription, or service)
1.4 Wishlist and Shopping Data
When you create wishlists and add items, we store:
- List titles, descriptions, and settings
- Item URLs, titles, prices, and images
- Tags, notes, sizes, colors, and priorities you assign
- Reservation information (who reserved an item for gifting)
- Collaborator information (who you've invited to edit your lists)
If a non-registered visitor reserves a gift on a public list, we collect their name and email address (provided voluntarily) to facilitate the reservation. This data is stored with the reservation record and deleted when the list owner deletes their account.
1.5 Receipt & File Uploads
When you upload receipt images or PDFs:
- Files are stored in encrypted private cloud storage (Vercel Blob) and are not publicly accessible
- Only you (the authenticated account owner) can view or download your receipts
- Receipt URLs cannot be shared — all access requires authentication
- Image metadata (EXIF data including GPS coordinates and device information) is automatically stripped before storage
- Files are validated for type integrity (magic byte verification) to prevent malicious uploads
- Uploads are scanned using AI to verify they are legitimate receipts or purchase documents — non-receipt content and inappropriate material is automatically rejected
- When you delete a purchase, all associated receipt files are permanently deleted from storage
- We do not use your receipt images for training, advertising, or any purpose other than displaying them back to you
1.6 Analytics Data
We collect basic, anonymized usage data to improve the Service:
- Pages visited (URL paths only — no personal data in query parameters)
- Anonymous visitor counts using hashed IP addresses — we never store your actual IP address
We use two complementary, privacy-preserving systems. First, our own first-party analytics (hashed-IP visitor counts, as above). Second, Vercel Web Analytics and Vercel Speed Insights, provided by Vercel Inc. (our hosting provider): these are cookieless, set no identifiers on your device, do no cross-site tracking, and receive only anonymized page-view and page-performance (Core Web Vitals) events. We strip query strings from every event before it leaves your browser, so share tokens and invite codes are never included. Because these tools use no cookies and no persistent identifiers, they are not gated by the Analytics cookie toggle in Section 5. We do not use Google Analytics, Meta Pixel, or any cross-site tracking pixels.
1.7 Affiliate Click Data
When you click a shopping link on WantHave, we record:
- The destination URL (the product page you're visiting)
- Which affiliate program was used
- The wishlist or page you clicked from
- A hashed visitor identifier (not your IP address or personal information)
We never override your existing affiliate tags. If a product URL already contains an affiliate tag from another creator, influencer, or browser extension, we leave it intact. Your intent is always respected.
1.8 Waitlist Signups
While WantHave is invite-only, you can join the waitlist with just an email address. We store your email, where on our site you signed up from, and the referring page. We use this only to send you your invite and waitlist-status updates — we won't send marketing without separate consent, and we never share or sell the list. Waitlist records are kept until you receive an invite and create an account (after which your account record takes over) or until you ask us to delete you — email privacy@wanthave.app.
1.9 Group Gifting & Shipping Addresses
When you join a group gift, we store your name, optional email, and the amount you've pledged. Pledge amounts and participant names are visible to everyone in that gift group— that's the point. Pledges are informational only: WantHave never collects, holds, or processes any money (see our Terms of Service).
If you save a shipping address so a gift buyer can ship to you, every field of it is encrypted at rest (AES-256-GCM) and is never shown on any public page. It is revealed only to the designated, email-verified buyer of your gift through a gated, audited reveal — and you can revoke access instantly at any time.
1.10 Browser Extension
If you install the WantHave browser extension for Chrome, it works with the following data:
- A connection token is stored locally in your browser to keep you signed in to your WantHave account. This authentication information stays on your device.
- As you shop, the extension reads product and checkout page content locally— page text, displayed prices, and discount codes — to detect products, prices, and savings on the page you're viewing.
- When you take an action (such as saving an item) or when a price check runs on a product page while you are signed in, the extension sends the product-page URL to wanthave.app to power saving and price-drop alerts — together with the displayed price for non-Amazon stores. For Amazon, the extension never reads or sends the price; Amazon price data comes from a licensed third-party provider (Keepa). We send this only for the items you act on, not for every page you browse.
The extension never reads your cookies and never modifies, redirects, or overrides affiliate links on the pages you visit.
The extension's use of the data it receives adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. We use this data only to provide the saving and price-tracking features described above; we do not sell or share it with third parties, and we do not use it for advertising.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Create and manage your account
- Automatically track your purchases and deliveries from email
- Extract and store discount codes for your use
- Match purchased items to your wishlists
- Display your public wishlists and profile to others
- Send notifications about price drops, deliveries, and friend activity (configurable)
- Generate spending insights and purchase analytics for you
- Suggest or provide curated lists of items related to your Wants and Haves
- Earn affiliate commissions when you shop through our links (this keeps the Service free)
- Monitor and prevent abuse of the Service
3. We Do NOT Sell Your Personal Data
We do not sell, rent, or trade your personal information to anyone. Not to data brokers, advertisers, or any third party. This is a core principle of WantHave.
Our revenue comes from affiliate commissions — when you click a product link and make a purchase, the retailer pays us a small commission. This does not cost you anything extra, and your personal data is never part of the transaction.
Aggregated, anonymous data is different. We may create — and may share or sell — aggregated, de-identified statistics built from grouped usage data: for example, "running shoes were the most-saved item category in May" or "X% of tracked packages arrived late this quarter." This data is grouped across many users, contains no names, emails, or identifiers, and cannot reasonably be used to identify you. We commit to never attempting to re-identify it, and we require the same of anyone we share it with. If it could identify you, it's personal data — and personal data is never for sale.
4. Third-Party Services
We share limited data with the following service providers, solely to operate the Service:
4.1 Authentication Providers
Google, Apple, and Microsoft process your sign-in credentials. We receive your name, email, and profile photo from them. We do not share your WantHave data back to them.
4.2 Google / Gmail — Limited Use Compliance
If you connect Gmail, Google processes our read-only API requests (scope: gmail.readonly) to fetch your emails. Our use of Gmail data is governed by the following commitment, required by Google:
WantHave's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
In practice, this means for your Gmail data specifically:
- The data is used only to provide the user-facing features of WantHave (purchase tracking, receipt archiving, discount-code organization).
- The data is not transferred to any other party except as necessary to provide the service (see Section 4.5 for the one AI processor we use, where only email body text is sent without any identifier tying it back to you).
- The data is not used for serving advertisements of any kind, including retargeting, personalized, or interest-based advertising.
- Humans at WantHave do not read your Gmail data except where required to investigate a specific abuse report or to honor a user-initiated support request.
Raw email content (subject, sender, body snippet) is automatically deleted 90 days after receipt by a daily cron job. Parsed derivatives (your purchase history, shipment tracking, discount codes) are user-owned and retained until you delete them.
4.3 Shipping Carriers
We send tracking numbers to USPS, UPS, FedEx, DHL, and Amazon Logistics APIs to fetch delivery status. No personal information is sent — only the tracking number.
4.4 Affiliate Networks
When you click a shopping link, the destination retailer or affiliate network (such as Skimlinks, Impact, Rakuten Advertising, CJ Affiliate, Awin/ShareASale, eBay Partner Network, and Amazon Associates) may set cookies on your browser to track the purchase for commission purposes. This is standard across affiliate-driven services. You can opt out via our cookie settings.
This includes our own curated and editorial lists: lists published by the WantHave team may contain affiliate links, and pages that contain them carry a visible disclosure. See the Affiliate Links section of our Terms of Service for the full disclosure, including our promise to never override your existing affiliate tags.
4.5 AI Processing (AWS Bedrock)
We use Anthropic's Claude model, run inside Amazon Web Services (AWS) Bedrock, to parse receipt emails into structured data. When we make an API call, we send only the email body text — we do not send your Gmail address, your WantHave user ID, the Gmail message ID, or any other identifier that would let AWS or Anthropic correlate the content back to you.
No training on your data. AWS Bedrock's terms explicitly exclude customer inputs from any model-training corpus. Anthropic, as the underlying model provider, operates as a sub-processor under AWS's Bedrock contract and receives no separate retention rights.
No AWS-side retention. AWS Bedrock's optional model-invocation logging is not enabled in our AWS account — no CloudWatch or S3 logging destinations are configured. That means AWS does not retain a copy of your prompts or completions either. Even if logging were ever enabled, our prompts contain no user identifiers, so any retained payload could not be tied back to a specific WantHave account.
We previously routed these calls through Anthropic's direct API. We requested enrollment in Anthropic's Zero Data Retention (ZDR) program on 2026-04-16; the request was denied. We migrated to AWS Bedrock on 2026-05-20 as the pre-committed fallback — this gives us a contract path (AWS's standard Data Processing Addendum + AWS Bedrock terms) and a verifiable no-retention posture inside our own AWS tenancy.
The Service automatically falls back to deterministic regex parsing when the AI call is unavailable or rate-limited.
4.6 Infrastructure
Our Service is hosted on Vercel (compute, file storage, and the cookieless Web Analytics / Speed Insights described in Section 1.6), Neon (database), and Upstash (caching). These providers process data on our behalf under their data-processing agreements and do not use your data for their own purposes.
5. Cookies and Tracking
We use the following categories of cookies:
Essential
Session authentication and consent preferences. Always on.
Analytics
Helps us understand how people use WantHave. Off by default.
Marketing
Personalized content and social features. Off by default.
Affiliate
Price tracking and shopping features across partner retailers. Off by default.
You can manage your cookie preferences at any time from Settings > Privacy or by clicking "Cookie Preferences" when the cookie banner appears.
6. Data Retention
Account data
While your account is active
Purchase data (parsed)
While your account is active
Raw Gmail message fragments
90 days (auto-purged daily)
Email sync run metadata
180 days
Notifications
90 days
Bug-report screenshots
90 days
OAuth tokens (encrypted)
Until you disconnect or delete account
Analytics data
90 days (anonymized)
Price history
90 days
Affiliate click data
2 years
Waitlist signups
Until invited + account created, or on request
When you delete your account, all personal data is permanently deleted. This includes wishlists, purchases, email connections, discount codes, and all associated data. Anonymized analytics data (which cannot be linked back to you) may persist.
Consent records: When you agree to this Privacy Policy, we store a record of your consent including the date, policy version, and a cryptographic hash of your email address. If you later delete your account, this consent record is anonymized (your user ID is removed) but the hashed email, consent date, and policy version are retained. This is the minimum data required to demonstrate that consent was given, as permitted under GDPR's legitimate interest basis for legal compliance. These anonymized records cannot be used to identify you without your email address.
7. Your Rights
For All Users
- Access — View all your data within the app at any time
- Update — Edit your profile, wishlists, and purchases
- Delete — Delete your account and all data from Settings
- Disconnect — Disconnect Gmail to stop email scanning
- Cookie control — Manage cookie preferences at any time
California Residents (CCPA)
Under the California Consumer Privacy Act, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the "sale" of personal information — we do not sell your data
- Not be discriminated against for exercising your privacy rights
EU/EEA Residents (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Data portability (export your data)
- Withdraw consent at any time
Our legal basis for processing: (a) your consent (email scanning and optional cookies), (b) contract performance (providing the Service), and (c) legitimate interest (improving the Service and preventing abuse).
8. Data Security
We take security seriously. Our measures include:
- All data transmitted via HTTPS with TLS encryption
- Passwords hashed with bcrypt (12 rounds)
- Security headers enforced (HSTS, X-Frame-Options, Content-Security-Policy)
- Rate limiting on all API endpoints
- OAuth tokens stored in our database with encryption at rest
- No raw IP addresses stored — only cryptographic hashes
- Input validation on all API routes
While we implement commercially reasonable security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
9. Service Accuracy & Disclaimers — Moved
The "as is" disclaimer and the accuracy limitations of our automated email scanning now live in our Terms of Service (Sections 10 and 14). The privacy-relevant part stays true here: parsed data is derived from your emails, may contain errors, and is yours to correct or delete.
10. Dispute Resolution & Liability — Moved
Arbitration, the class-action waiver (including a 30-day opt-out), limitation of liability, indemnification, and governing law now live in our Terms of Service (Sections 15–18). They apply to privacy disputes too, except where law gives you non-waivable rights — for example, EU/EEA residents can always complain to their data-protection authority.
11. Children's Privacy
WantHave is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover we have collected such information, we will delete it promptly.
12. Account Termination — Moved
Suspension and termination are covered in our Terms of Service (Section 13). The privacy consequence: on account deletion, your data is removed as described in Section 6 above.
13. Changes to This Policy
WantHave is a free service and we reserve the right to update this Privacy Policy or change our business model at any time. When we make material changes, we will notify you by email or through a prominent notice within the Service. Your continued use after changes constitutes acceptance of the updated policy.
If we ever change how we use your data in a material way (such as sharing data with new categories of third parties), we will seek your explicit consent before doing so.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a data concern:
Email: privacy@wanthave.app
We aim to respond to all privacy requests within 30 days.
© 2026 Chateau Fiasco LLC, dba WantHave. All rights reserved. · Back to WantHave