Who we are
Rat List («we», «the app») is operated by Edouard Baillot, registered as an auto-entrepreneur in France. Contact: hello@ratlist.app.
What we collect
- Email address — to sign you in. We never see your password because there isn’t one; we just email you a one-time link.
- Display name and optional short handle — you pick both at sign-up. They are visible to people in the friend circles you’ve joined.
- The content you create — wishlist items, photos you upload, group memberships, Secret Santa participation. All of this lives in our database under your account.
- Technical logs — IP address and User-Agent for the authentication provider’s anti-abuse layer, kept for a short rolling window.
- Gift-finder descriptions — if you use the AI gift finder, whatever you tell us about the person you’re shopping for: name, relationship, age, gender, interests, occasion, budget. That’s data about a third party, entered by you — details in the dedicated section below.
- Error reports via Sentry — when something crashes, we receive a stack trace and the URL you were on. No form values, no item titles, no names.
- Anonymous usage statistics via Umami — page views and feature-level events («an item was added»), with no cookies and nothing that identifies you. We see counts, not people.
We do not run ads. The only analytics we run is cookieless and aggregate-only (Umami, below). We do not sell or share your data with advertisers.
Why we collect it
To provide the service you signed up for (Art. 6(1)(b) GDPR — performance of contract):
- your email authenticates you
- your name and content are shown to people in your friend circles
- the gift-finder description is used to generate the suggestions you asked for — and for nothing else on our side
- error reports help us fix bugs
Aggregate usage statistics rest on legitimate interest (Art. 6(1)(f) GDPR) — they tell us which features matter, and nothing in them identifies you.
Who we share it with
We use a small number of sub-processors that store or transmit your data on our behalf:
- Supabase (database, authentication, file storage) — Frankfurt region, EU
- Vercel (frontend hosting) — serves the static app to your browser
- Resend (email delivery) — sends magic-link sign-in emails
- Sentry (error monitoring) — anonymised crash reports
- Umami (usage statistics) — open-source analytics we self-host on our own server in France (EU); cookieless, aggregate-only, no third-party analytics provider receives your data
- DeepSeek (the AI model behind the gift finder, and a fallback that helps auto-fill an item from a product link) — receives data only when you run a gift search or paste a link our own parser can’t fully read; processed in China — covered honestly in the next section
With that one exception (DeepSeek — next section), none of them are authorised to use your data for their own purposes. We never share your wishlist content with marketers, brands or affiliate networks.
The AI gift finder
The gift finder asks an AI model to pick ideas from our own hand-curated catalogue. Nothing leaves our servers until you press the button. When you do, we send the description you typed — name, relationship, age, gender, interests, occasion and budget of the person you’re shopping for — plus your interface language, so the answer comes back in it. If you linked that person to a friend on the app, a few categories, brands and item titles from their shared wishlist go along as hints. Legal basis: Art. 6(1)(b) GDPR — this is precisely the service you’re asking for at that moment.
The model is operated by DeepSeek, a Chinese AI company. Being upfront about what that means: DeepSeek processes and stores data on servers in the People’s Republic of China, and its published terms allow it to use inputs to improve its services and train its models. We do not have a separate data-processing agreement with DeepSeek that would forbid that.
What we do to keep the footprint small: the request is made from our server, so DeepSeek never receives your IP address, your email or any account identifier — only the description text itself. We have no contact details for the person you’re shopping for, so none are sent. And the gift plans stay visible only to you — the recipient never sees them. Our advice: describe the person with a first name or a nickname rather than a full name; the suggestions will be just as good. If you’d rather nothing went to an AI provider at all, simply don’t use the gift finder — every other feature works without it.
The same model helps in one more place. When you paste a product link and our own parser can’t fill in every detail, we send that page’s public head metadata — its title, description, price, image and brand tags — to DeepSeek so it can complete the item for you. That is the page’s own published product information, not anything about you: as with the gift finder the request is made from our server, so DeepSeek never receives your IP, email or account identifier. It only happens on the minority of links our parser can’t fully read on its own, and you can always type the details by hand instead.
How long we keep it
For as long as your account exists. When you delete your account from settings, everything you own (items, photos, group memberships, Santa records) is removed within 24 hours. Backups roll off within 30 days.
Your rights
Under GDPR you can ask us at any time to:
- access your data — use the Export my data button in settings
- correct it — edit your profile in settings
- delete it — the Delete account button in settings does this in one click
- port it elsewhere — the export is a portable JSON file
- restrict or object to specific processing — email hello@ratlist.app
You can lodge a complaint with your local data protection authority. For France that’s CNIL.
Cookies
We use one first-party cookie that holds your auth session — without it you’d have to sign in on every page reload. It’s essential to the service and does not require consent.
No tracking cookies, no advertising cookies, no third-party cookies. Umami, our analytics, works without cookies entirely.
Children
Rat List is not directed at children under 13. By signing in you confirm you are at least 13 years old.
Changes
If we update this policy in a way that materially affects you, we’ll email you before the change takes effect.
Contact
Questions? Concerns? hello@ratlist.app.