Wish-A-Day ("we," "us," or "our") is committed to protecting and respecting your privacy and personal data. This Data Protection Notice explains how we collect, use, process, and safeguard your personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) if you are in the European Economic Area (EEA) or the UK, and the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) if you are a California resident.
This notice should be read in conjunction with our Privacy Policy.
1. Data Controller
Wish-A-Day is the data controller for the personal data processed in connection with our Service.
Contact: [email protected]
Address: 69 Canal View Dr, Lawrenceville, NJ 08648, United States
2. Data Protection Principles
We are committed to processing your personal data in accordance with the following data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not further process it in a manner that is incompatible with those purposes.
- Data Minimization: We only collect and process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and Confidentiality (Security): We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Accountability: We are responsible for, and able to demonstrate compliance with, these principles.
3. Types of Personal Data We Process
We process the following categories of personal data (as also detailed in our Privacy Policy):
- Identity Data: Display name, first name, last name (if provided).
- Contact Data: Email address, phone number (if provided).
- User Content Data: Wishes submitted, their categories, associated text/media, upvotes, reports.
- Profile Data: Profile picture, bio, location (if provided), preferences (e.g., post as anonymous).
- Technical Data: IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Service.
- Usage Data: Information about how you use our website, products, and services, including interaction data.
- Communications Data: Records of your communications with us.
We do not typically collect "special categories" of personal data (e.g., race, ethnic origin, political opinions, religious beliefs, health data) unless you voluntarily provide it within your wishes or profile, which we advise against for sensitive information.
4. Legal Basis for Processing Your Personal Data
We process your personal data based on the following legal grounds:
- Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., creating an account, submitting a wish, subscribing to communications).
- Contract: Where processing is necessary for the performance of a contract to which you are a party (e.g., providing our Service to you under our Terms of Service).
- Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.
- Legitimate Interests: Where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided these interests are not overridden by your rights and interests. Our legitimate interests include operating and improving our Service, ensuring security, preventing fraud, and moderating content for community safety.
5. Your Data Protection Rights
Under applicable data protection laws (such as GDPR for EEA/UK residents and CCPA/CPRA for California residents), you have various rights, which may include:
- Right to Access: You can request a copy of the personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate or incomplete personal data. (You can often do this via your profile settings.)
- Right to Erasure (Right to be Forgotten): You can request deletion of your personal data in certain circumstances (e.g., using the "Delete My Data" feature).
- Right to Restrict Processing: You can request that we limit the way we use your personal data in certain circumstances.
- Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller, in certain circumstances.
- Right to Object: You can object to the processing of your personal data in certain circumstances (e.g., for direct marketing or processing based on legitimate interests).
- Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, under certain conditions. Our AI-based toxicity flagging is a form of automated processing; flagged wishes may be hidden but are not typically subject to final automated decisions without potential for review.
- Right to Withdraw Consent: If we process your personal data based on your consent, you have the right to withdraw that consent at any time.
- Right to Non-Discrimination (CCPA/CPRA): We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request in accordance with applicable data protection laws.
6. Data Security Measures
We have implemented appropriate technical and organizational security measures to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:
- Encryption of data (e.g., HTTPS for data in transit, encryption for certain data at rest).
- Access controls to limit access to personal data to authorized personnel.
- Regular security assessments and vulnerability management.
- Data backup and recovery procedures.
- Staff training on data protection and security.
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure.
7. International Data Transfers
Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country. Specifically, our servers are located in the United States, and our third-party service providers may operate around the world.
Where we transfer your personal data to countries outside the EEA/UK, we will ensure that appropriate safeguards are in place to protect your personal data, such as by using Standard Contractual Clauses approved by the European Commission, or by relying on an adequacy decision or other lawful transfer mechanisms.
8. Data Retention
We will retain your personal data only for as long as is necessary for the purposes set out in this Data Protection Notice and our Privacy Policy, including for the purposes of satisfying any legal, accounting, or reporting requirements. When you delete your account via the "Delete My Data" feature, we will process the deletion of your personal data associated with your account in accordance with our procedures and applicable law.
9. Data Protection Officer (DPO)
While Wish-A-Day may not be formally required to appoint a Data Protection Officer under GDPR, we have designated a point of contact for data protection matters. For any inquiries regarding your personal data or to exercise your data protection rights, please contact:
Email: [email protected] (Subject: Data Protection Inquiry)
Address: Data Protection Inquiry, 69 Canal View Dr, Lawrenceville, NJ 08648, United States
10. Lodging a Complaint
If you have any concerns about our use of your personal information, you have the right to lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.