Regalia Privacy Policy

Last updated: June 2026

        Summary: Regalia stores the data you enter to help you organise gifts. We do not sell your data, we do not use it for advertising, and you can delete it at any time directly from the app.
    

1. Data Controller

Regalia is an independently developed project. For any query related to the processing of your personal data, please contact us at: regalia.app@gmail.com

2. What data we collect, why, and on what legal basis

2.1 Account data

Name and email address, obtained via Google OAuth or direct registration with email verification, to identify your account and manage access.

Legal basis: Performance of the service contract (Art. 6.1.b GDPR). Without this data it is not possible to create or maintain your account.

2.2 Data about people on your gift list (cards)

Name or nickname, date of birth, category and, optionally, a profile photo.
Additional personal information such as sizes, tastes, hobbies and any notes you voluntarily enter in order to receive AI-powered personalised gift suggestions.
This data may refer to third parties (family members, friends) who are not necessarily Regalia users. You, as the user, decide what information you enter and assume responsibility for having a legitimate basis for doing so (e.g. that person's consent or a legitimate interest in organising a gift for them).

Legal basis: User consent (Art. 6.1.a GDPR). This data is entered voluntarily and can be deleted at any time.

2.3 Access to device contacts and photos

Contacts: When creating a card, the app may offer you the option to import data (name and date of birth) from a contact in your address book. This access is handled through the operating system's native picker: the app only receives the data of the contact you manually select, without accessing or reading the rest of your address book.
Photos: When adding a profile photo to a card, the selection is made through the operating system's native file picker. The app only receives the image you manually choose, without accessing the rest of your gallery or device storage.

Legal basis: User consent (Art. 6.1.a GDPR). The use of these pickers is entirely optional.

2.4 Your personal profile data

If you choose to fill it in voluntarily: display name, date of birth, gender, interests, hobbies, sizes (footwear, top, bottom) and your own wishlist.
This data is only shared with third parties if you explicitly activate the public profile link.

Legal basis: User consent (Art. 6.1.a GDPR). All fields are optional.

2.5 Gift Room data (group gifts)

When you create or join a Gift Room, your alias and the contributions you make voluntarily (information about the recipient, gift ideas, votes, vetoes) are visible to all other members of that room.
The room organiser can see all group contributions in order to generate AI-powered gift suggestions.
Contributions may include information about a person who is not a Regalia user. You decide what information you share and assume responsibility for having a legitimate basis for doing so.

Legal basis: User consent (Art. 6.1.a GDPR).

2.6 Secret Santa room data

When joining a Secret Santa room, you are asked for an alias to participate. Completely voluntarily, you may indicate what kind of gifts you would like to receive. This information is visible to the room organiser and, to the extent necessary for the draw, to the participant assigned to you.
Once the room ends or the organiser deletes it, this data is no longer accessible.

Legal basis: User consent (Art. 6.1.a GDPR).

2.7 Push notifications

If you accept push notifications, we store a technical device identifier (push subscription endpoint) to send you alerts about activity in your Gift Rooms or birthday reminders. This identifier does not contain personally identifiable information.
You can revoke this permission at any time from your browser or device settings, or by logging out of the app.

Legal basis: User consent (Art. 6.1.a GDPR).

2.8 Usage analytics data

Regalia uses Google Analytics 4 via Google Tag Manager to analyse anonymous app usage. Data collected includes pages visited, session duration, device type, country of origin and traffic source. No personally identifiable data is collected through these tools.

Legal basis: Legitimate interest of the controller to improve the service (Art. 6.1.f GDPR), provided that the data processed is anonymous and aggregated. For the use of third-party analytical cookies, your prior consent will be requested via the cookie banner.

3. Cookies

Regalia uses strictly necessary technical cookies for the operation of the service (session management, language preferences). It also uses third-party analytical cookies (Google Analytics 4) to measure app usage in an aggregated and anonymous manner.

When you access the app or associated web pages, a cookie consent banner will be shown. You can accept, reject or customise the use of non-essential cookies at any time from that banner or from your browser settings.

You can opt out of Google Analytics by installing Google's browser opt-out add-on.

4. Sharing features

Regalia offers three different mechanisms for sharing information, all voluntarily initiated by the user:

Feature	What is shared	What is NOT shared	Revocable
Gift list (/share/…)	Name, date of birth, age and pending gift list of a person on your list	Personal notes, hobbies, sizes, alias, category	The link stops working automatically if you remove that person from your list
Person card (/shared/person/…)	Name, date of birth and gift list (name, description and purchase link)	Personal notes, hobbies, sizes, alias	✅ Yes: you can disable the link, regenerate it or delete it at any time from the app
Own profile (/profile/…)	Your display name, age, gender, interests, hobbies, sizes and wishlist (your own data only)	Your email, data about other people on your list, purchase history	✅ Yes: you can disable or regenerate the link at any time from Settings → Share profile

Important note about third-party data: When you share the list or card of a person who is not a Regalia user (a family member, a friend), you are sharing that person's personal data with whoever receives the link. Only share with trusted people and for the legitimate purpose of organising a gift.

Shared links are accessible to anyone who has them. Regalia does not index these links in search engines or make them publicly discoverable.

5. Use of Artificial Intelligence

The descriptions, preferences and notes you enter may be sent to the OpenAI API (OpenAI language models) to generate personalised gift suggestions. We do not send directly identifying data (full name, email) to the AI model — only the profile information necessary to generate the suggestions.

In Gift Rooms, the group's contributions about the recipient may be synthesised by AI to generate a collective preference profile, visible only to the members of that room.

OpenAI processes this data in accordance with its own privacy policy, available at openai.com/policies/privacy-policy.

6. Storage and security

Your data is stored on Supabase, with servers located in the European Union (Frankfurt, Germany), in compliance with the GDPR. The application is deployed on Vercel. All communications are encrypted via HTTPS. Data access is protected by Row Level Security (RLS), ensuring that each user can only access their own data.

7. Third parties and data transfers

Regalia does not sell, rent or transfer personal data to third parties for commercial or advertising purposes. Third parties with limited data access are:

Supabase — storage and authentication (EU, Frankfurt)
Vercel — application deployment
OpenAI — AI suggestion generation
Stripe — payment processing. Regalia never has access to your credit card details.
Google — OAuth authentication and anonymous usage analytics (Google Analytics 4)
Amazon — affiliate programme. When you click on Amazon links, Amazon may place cookies for sales tracking, subject to Amazon's privacy policy.

8. Data retention

Your data is retained for as long as your account is active. If you delete your account from the app (Settings → Delete account), all your personal data, people, gifts, preferences, push subscriptions and sharing links will be permanently and irreversibly deleted.

"Gift list" links stop working automatically as soon as you remove the relevant person from your list, with no further action required.

In the event of permanent closure of the service or transfer of the business to a third party, users will be notified with a minimum of 30 days' notice via the app and/or by email, and will be offered the opportunity to export or delete their data before that date.

9. Your rights (GDPR)

In accordance with the General Data Protection Regulation (GDPR), you have the right to:

Access: request a copy of your personal data.
Rectification: correct inaccurate or incomplete data.
Erasure: delete your data. You can do this directly from the app at Settings → Delete account.
Restriction: request that we restrict the processing of your data.
Portability: receive your data in a structured, machine-readable format.
Objection: object to the processing of your data in certain circumstances.
Withdrawal of consent: where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at regalia.app@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the competent data protection authority in your country of residence. In Spain: Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

10. Minors

Regalia is not directed at persons under the age of 16. We do not knowingly collect personal data from minors. If we detect that a user is under 16, we will delete their account and associated data.

11. Changes to this policy

We may update this policy from time to time. We will notify you of any significant changes via the app and/or by email with at least 15 days' notice. The "Last updated" date at the top of this document indicates when the last revision was made. Continued use of the app after changes take effect constitutes acceptance of the new policy.