Legal
Privacy Policy
Last updated: April 2026 · Iseoluwa Ink
Iseoluwa Ink(“we,” “us,” “our”) operates The Wishing Well. This Privacy Policy explains what information we collect, how we use it, and your choices. By using the app, you agree to this policy.
01
Information we collect
What you provide directly
| Data | When collected | Why |
|---|---|---|
| Email address | Account creation / sign-in | Authentication and account identification |
| Desire text | Session creation | AI processing to generate your scene |
| Refinement feedback | During sessions | Improving your generated scene |
| Payment information | At purchase | Processed by Stripe — we do not store card numbers |
Collected automatically
| Data | Source | Why |
|---|---|---|
| Session metadata | Supabase | Session state and completion tracking |
| Payment event data | Stripe webhook | Confirming payment before unlocking sessions |
| Server request logs | Vercel | Error detection and uptime monitoring |
What we do not collect
- Device location
- Contacts or calendar data
- Photos or camera access
- Health or biometric data
- Social graph or relationship data
- Advertising IDs — we run no ads
02
How we use your information
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing the service | Email, desire text, session data | Contract performance |
| Processing payments | Payment info via Stripe | Contract performance |
| Delivering your session by email | Email, generated scene | Contract performance |
| Authentication | Email address | Contract performance |
| Improving the service | Aggregated usage data | Legitimate interests |
| Legal compliance | As required by law | Legal obligation |
| Customer support | Email, session data | Legitimate interests |
We do not:
- Sell your personal information
- Use your desire text to train AI models
- Share your session content with third parties except as described below
- Send marketing emails without your consent
03
AI processing
Your desire text is sent to Anthropic’s API to generate your personalized scene. Anthropic processes this data to fulfill your request. Per Anthropic’s API terms, content submitted through the API is not used to train their models.
For details on Anthropic’s data practices, see anthropic.com/privacy.
04
Third-party services
We share data with these services only as needed to operate:
| Service | Purpose | What we share | Their policy |
|---|---|---|---|
| Supabase | Database, authentication | Email, session data | supabase.com/privacy |
| Stripe | Payment processing | Payment info, order amount | stripe.com/privacy |
| Anthropic | AI generation | Your desire text, feedback | anthropic.com/privacy |
| Resend | Transactional email | Email address, session content | resend.com/privacy |
| Vercel | App hosting | Request logs | vercel.com/legal/privacy-policy |
We do not share your data with advertisers, data brokers, or analytics networks.
05
Data retention
| Data | How long we keep it |
|---|---|
| Account and session data | Retained while your account is active |
| Completed sessions | Retained for access via your Library |
| Payment records | As required by Stripe and tax law (typically 7 years) |
| Server request logs | Typically 30–90 days |
When you delete your account, we delete your personal data within 30 days, except where we are required by law to retain it.
06
Your rights
Depending on your location, you may have rights to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data
- Withdraw consent for optional processing
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
To exercise any of these rights, email hello@thewishingwell.app. We will respond within 30 days.
California residents (CCPA): You have the right to know what personal information we collect, to delete it, and to opt out of sale. We do not sell personal information. Contact us at hello@thewishingwell.app.
EU / UK residents (GDPR): Our legal bases for processing are described in Section 02. You may lodge a complaint with your local supervisory authority.
07
Data security
We use industry-standard security measures including:
- Encryption in transit (TLS / HTTPS)
- Supabase Row Level Security — your data is only accessible to your authenticated session
- Environment variable management for API keys
- Private code repositories
No system is 100% secure. If you discover a security vulnerability, please report it to hello@thewishingwell.app before public disclosure.
08
Children's privacy
The app is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact hello@thewishingwell.app and we will delete it.
09
International transfers
Your data may be processed in the United States and other countries where our service providers operate. By using the app, you consent to these transfers. We use standard contractual clauses where required by applicable law.
10
Changes to this policy
We may update this policy from time to time. Material changes will be communicated with at least 14 days notice by email or in-app notification. Continued use after the effective date constitutes acceptance of the updated policy.
11
Contact
Privacy questions or requests:
hello@thewishingwell.app