Oskalista
← Legal

Last updated: 22 May 2026

Privacy Policy

1. Who we are

Oskalista is operated by Liam Aljundi, based in Göteborg, Sweden, who is the data controller for all personal data processed through this service.

Contact: contact@oskalista.com

2. What data we collect

List owners (registered accounts):

  • Email address and full name (provided at sign-up via Supabase Auth)
  • Shipping address (optional, entered in list settings)
  • List content: item names, descriptions, URLs, prices, and images
  • Billing information managed by Stripe — we never store card details

Gifters (visitors who mark gifts):

  • Name and email address (entered in the gift form)
  • An optional note to the list owner

3. Why we collect it

  • Account and list management — to create, display, and operate your wish list for guests.
  • Gift notifications — to email the list owner when an item is marked as gifted (via Resend).
  • Payments — subscription fees are processed by Stripe; we store your Stripe customer ID to manage your subscription.
  • Security — session cookies keep you logged in.

We do not sell your data, run advertising, or share it with third parties beyond the processors listed below.

4. Where data is stored

Your data is stored in Supabase, hosted on AWS eu-central-1 (Frankfurt, EU). All data stays within the European Economic Area.

Email notifications are sent via Resend (US-based; data is transmitted for sending only, with no storage beyond delivery logs).

5. Stripe

Subscription payments are processed by Stripe, Inc. Stripe may collect additional data as described in their own privacy policy at stripe.com/privacy.

6. Cookies

We use functional cookies only:

  • Supabase session cookie — keeps you logged in; deleted when you sign out or it expires.
  • List password cookie — remembers that you unlocked a password-protected list in this browser session.

We do not use tracking, analytics, or advertising cookies of any kind.

7. Your rights (GDPR)

Under the General Data Protection Regulation you have the right to:

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your account and associated data, deleted within 30 days of a confirmed request.
  • Restriction / objection — restrict or object to processing in certain circumstances.
  • Portability — receive your data in a machine-readable format.

To exercise any right, email contact@oskalista.com. We will respond within 30 days.

You may also lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), at imy.se.

8. Data retention

  • List owner accounts: retained until you delete your account or request erasure (within 30 days of request).
  • Gifter data (name, email, note): retained alongside the list until the owner deletes it or the list is deleted.
  • Stripe billing records: subject to Stripe's own retention policy (typically 7 years for financial records).

9. Governing law

This policy is governed by Swedish law and the EU General Data Protection Regulation (GDPR 2016/679).

10. Changes

We may update this policy occasionally. The “last updated” date above reflects the most recent change. Continued use of Oskalista after changes constitutes acceptance of the updated policy.