Privacy Policy

Last updated: March 2026

This policy explains what data Wishbullet collects, why we collect it, and how you can control it. We've kept it as concise and plain as possible.

1. What Data We Collect

Account information

When you create an account, we collect your email address and a hashed password. If you sign in via a social login provider (Google, X/Twitter, Facebook), we also receive your name and profile picture from that provider. We store this to create and identify your account.

Content you create

Ideas, comments, votes, and any other content you submit are stored in our database and associated with your account. This content is generally public.

Usage data

We collect anonymised, aggregate analytics about how people use the platform — pages visited, features used, and so on — using Google Analytics (see third-party services below). This data is aggregated and not linked to individual identities.

Payment information

If you purchase a subscription, payment is handled entirely by Lemon Squeezy. We receive a record of the subscription (plan, status, renewal date) but never see your card details.

Error and diagnostic data

We log application errors to help us diagnose and fix bugs. Error logs may include your user ID and the page you were on when the error occurred.

2. Third-Party Services

Wishbullet relies on the following third-party services. Each processes data in accordance with its own privacy policy.

  • Better Auth — authentication. Handles sign-in, sign-up, password reset, and session management. Account data is stored in our PostgreSQL database.
  • Cloudflare R2 — image and file storage. Uploaded images (cover photos, entity logos) are stored and served via Cloudflare's global CDN.
  • Resend — transactional email. We use Resend to send notifications such as subscription confirmations and council decisions. We pass your email address to Resend solely for delivery.
  • Lemon Squeezy — payment processing and subscription management. Subject to their privacy policy and PCI-DSS compliance.
  • Google Analytics — usage analytics. We use Google Analytics to understand aggregate usage patterns. You can opt out via browser extensions or cookie settings.

3. Cookies

We use a small number of cookies:

  • Auth session cookie — set by Better Auth when you sign in. Required to keep you logged in. Expires when you sign out or after a period of inactivity.
  • Theme preference — stores your light/dark mode choice. No personal data.
  • Google Analytics cookies — set by Google Analytics to distinguish users and sessions for aggregate usage reporting. You can opt out via browser extensions or your browser's cookie settings.

We do not use advertising cookies or any third-party tracking cookies beyond those listed above. See our Cookie Policy for the full list.

4. How We Use Your Data

We use the data we collect to:

  • Operate and improve the platform.
  • Authenticate you and protect your account.
  • Display your content to other users.
  • Send transactional emails you've requested or that are necessary for the service (e.g. payment receipts).
  • Diagnose and fix technical issues.
  • Understand aggregate usage patterns to improve the product.

We do not sell your data to third parties. We do not use your data for advertising.

5. Data Retention

We retain your account data and content for as long as your account is active. If you delete your account, your profile is removed and your content is anonymised (authorship is disassociated) within 30 days, except where retention is required by law or necessary to resolve disputes.

Payment records are retained as required by financial regulations (typically 7 years).

6. Your Rights

If you are in the European Economic Area (EEA) or the UK, you have the following rights under GDPR:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Ask us to correct inaccurate data.
  • Erasure. Ask us to delete your personal data ("right to be forgotten").
  • Restriction. Ask us to limit how we process your data.
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection. Object to processing based on legitimate interests.

7. Exercising Your Rights

You can delete your account directly from your account settings page, which triggers anonymisation of your content. For data export or other requests, email us at hello@wishbullet.com. We will respond within 30 days.

8. Children's Privacy

Wishbullet is not intended for children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has created an account, please contact us and we will delete it.

9. Changes to This Policy

We may update this policy as the platform evolves. We'll notify you of significant changes via the platform or by email. The "last updated" date at the top of this page always reflects the current version.

10. Contact

For any privacy-related questions or requests: hello@wishbullet.com