Privacy Policy

The data controller responsible for the personal data processed through klauspicks.com is:

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

We collect different categories of personal data depending on how you interact with the platform:

A. Account Registration

• Email address
• Display name (optional — may be your first name or a chosen handle)
• Password (stored as a secure hash — we never have access to your plaintext password)
• Account creation date and last sign-in timestamp

B. Secret Santa Events

• Event name, date, budget, and settings configured by the organiser
• Participant names and email addresses (provided by the event organiser — see Section 4 for the lawful basis)
• Secret gift assignment pairs (stored encrypted in our database)
• Email delivery status and interaction logs (sent, opened, bounced) via our email provider

C. Wishlists

• Wishlist name, occasion type, event date (if set)
• Item names, URLs, notes, priority, and price (entered by the wishlist owner)
• Claim records — when a guest claims an item, we store the claim status and an anonymous browser-generated identifier (not linked to a real identity unless the claimant is logged in)
• Wishlist view counts and timestamps (aggregate analytics)

D. Usage & Analytics Data

• IP address (processed by Google Analytics — not stored in our own database beyond server access logs, which are retained for 30 days)
• Browser type, device type, operating system
• Pages visited, referral source, session duration
• Clicks on affiliate product links (via our own click-tracking endpoint)

E. Support & Contact Communications

• Any data you voluntarily provide when contacting us (name, email, message content)

F. Guest Visitors (No Account)

• A randomly-assigned reindeer name stored in your browser's local storage (e.g., "Dasher") — used only to display your anonymous identity to other viewers of the same wishlist in real time. This data never leaves your device unless you are actively viewing a shared wishlist.

• Providing the Service — creating and managing your account, running Secret Santa draws, sending reveal emails, displaying wishlists.
• Transactional emails — sending Secret Santa reveal notifications, event invitations, and any transactional messages you explicitly trigger.
• Analytics and improvement — understanding how the platform is used so we can fix bugs and improve the experience (via Google Analytics / Google Tag Manager).
• Affiliate tracking — recording clicks on affiliate product links to attribute commissions. No personal data is sent to affiliate networks; only anonymous click identifiers and product identifiers are used.
• Security and fraud prevention — detecting abuse of the platform, preventing spam, and protecting users.
• Newsletter / marketing — only if you have explicitly opted in (see Section 11).
• Legal compliance — meeting obligations under Romanian and EU law.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

For EU/EEA residents, we process personal data on the following lawful bases under GDPR Article 6:

For participant email addresses entered by event organisers: the organiser acts as a data controller in their own right for the purpose of organising the gift exchange and warrants (per our Terms of Service) that they have a lawful basis for sharing those addresses. KlausPicks processes participant emails as a data processor on behalf of the organiser for the limited purpose of sending the event emails.

We use the following third-party services. Each is bound by a Data Processing Agreement (DPA) and appropriate transfer safeguards where applicable:

We retain personal data only as long as necessary for the stated purpose:

You may request early deletion of your personal data at any time (see Section 8). Note that certain data may be retained beyond the above periods if required by a legal obligation (e.g., Romanian accounting law requires retaining financial records for 10 years).

Your primary data is stored in the European Union (Supabase / AWS eu-central-1, Zurich, Switzerland). Switzerland is recognised by the European Commission as providing an adequate level of data protection.

Some of our processors (Resend, Google) are based in the United States. We ensure appropriate safeguards are in place for any transfers of personal data to these processors, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
• Where applicable, reliance on the EU-US Data Privacy Framework for certified US organisations.

You may request a copy of the relevant transfer safeguards by contacting us at privacy@klauspicks.com.

If you are located in the EU/EEA, you have the following rights under the General Data Protection Regulation:

To exercise any of these rights, contact us at privacy@klauspicks.com. We will respond within 30 days. Identity verification may be required before we process the request.

You also have the right to lodge a complaint with the competent supervisory authority. In Romania, this is:

The Service is not directed to children under 13 years of age (or 16 for EU residents), and we do not knowingly collect personal data from children below these thresholds without verifiable parental consent.

If you are a parent or guardian and believe your child has provided personal data to us without appropriate consent, please contact us at privacy@klauspicks.com and we will delete that information as soon as practicable.

Note that children may appear as participants in family Secret Santa events organised by an adult. In such cases, the adult organiser is responsible for ensuring that sharing the child's name and email (if applicable) is appropriate and compliant with parental responsibility obligations.

We use cookies and similar technologies on our website. For full details, please read our Cookies Policy.

In summary, we use:

• Essential cookies — required for authentication and security (Supabase session tokens). These cannot be disabled.
• Analytics cookies — Google Analytics 4 cookies (_ga, _gid, etc.) activated only with your explicit consent via our cookie banner.
• Functional local storage — a randomly-assigned anonymous reindeer name stored in your browser's local storage for the wishlist viewer presence feature.

You can manage your cookie preferences at any time via the cookie settings button in the footer, or through your browser settings.

We may send marketing communications (newsletter, product updates, gift inspiration content) to users who have explicitly opted in.

Our newsletter subscription process uses a double opt-in mechanism: you submit your email address, receive a confirmation email, and must click a confirmation link before you are added to our mailing list. This ensures your consent is unambiguous.

Key newsletter commitments:

• You may unsubscribe at any time by clicking the unsubscribe link in any email or by contacting privacy@klauspicks.com. Unsubscribe requests are processed within 3 business days.
• Newsletter emails are sent via Resend (and may in future be sent via Mailchimp or a similar marketing platform — we will update this policy if we switch providers).
• We do not sell or share your email address with any third party for their own marketing purposes.
• Newsletter subscription is entirely independent of your use of the Secret Santa or wishlist features. Declining to subscribe does not affect any functionality.

Newsletter recipients may include users worldwide. We apply the same GDPR-compliant consent and opt-out standards to all subscribers regardless of their location.

We may update this Privacy Policy periodically. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect your rights, we will make reasonable efforts to notify registered users via email.

Your continued use of the Service after any changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

For any privacy-related questions, requests, or complaints, please contact our privacy point of contact:

If you are not satisfied with our response, you have the right to lodge a complaint with the Romanian supervisory authority (ANSPDCP) — see Section 8 above.