WishButler
WishButler

Privacy Policy

This is a non-binding English translation. The German version is legally authoritative.

View German version →

Last updated: June 2026

This privacy policy applies to the WishButler mobile app (the "App") and to the website wishbutler.com / wishbutler.de (the "Website"). Section A covers the App, Section B the Website.

1. Controller

RootTwoLabs UG (haftungsbeschränkt)
Auestieg 21
22926 Ahrensburg, Germany
Email: hallo@roottwolabs.de

A. Privacy in the WishButler App

A.1 Core principle: your data stays on your device

WishButler is built to be data-minimal and privacy-friendly. The content you enter is generally stored locally on your device in the app's own database and is not transmitted to us. This includes in particular:

  • people you add (display name, first/last name, relationship, optional notes, optional profile picture);
  • events for those people (birthdays, anniversaries, name days, custom occasions) and their reminder settings;
  • the message drafts you generate and save, and your style preferences (tone, length, emoji usage);
  • app settings (e.g. language, reminder times).

You can change or delete this locally stored data at any time in the app. Uninstalling the app removes it from your device.

A.2 Anonymous installation identifier – no user account

Using the app requires no registration. We collect neither email address, password nor real name. On first use, the app generates a random, anonymous installation identifier (a technical ID). It is used solely to associate your usage quota for AI generations and any subscription with your app installation, and does not allow conclusions about your identity. Legal basis: Art. 6(1)(b) GDPR (providing app functionality) and Art. 6(1)(f) GDPR (legitimate interest in abuse and quota protection).

A.3 Access to device contacts (optional)

At your explicit request you can import people from your device's address book. The app will ask for permission to read your contacts. Only the fields needed for the app's function are imported (e.g. name, birthday, possibly phone number and contact photo). This data is processed locally on the device only and is not transmitted to us or third parties. You may decline the import or revoke the permission at any time in your device settings; the app remains usable without contact access. Legal basis: Art. 6(1)(a) GDPR (consent via granting the permission).

A.4 AI-assisted message suggestions

A core feature of the app is generating personal message suggestions. When you use this feature, the app transmits the necessary inputs (e.g. the occasion and keywords you provide about the person, such as "likes yoga and plants") over an encrypted connection to our server and from there to a specialised AI provider that produces the text suggestion. We aim to transmit as little data as possible and no directly identifying data.

We currently use OpenAI as our AI provider. Processing outside the European Union, in particular in the USA, cannot be ruled out. Where such a transfer to a third country occurs, we base it on the EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. The transmitted inputs are processed to provide the feature; your inputs are not used to train the provider's AI models under our instructions. Legal basis: Art. 6(1)(b) GDPR (provision of the feature you requested).

A.5 Processing on our server

To provide the AI feature and manage your usage quota, our server (hosted by Hetzner in Germany, see B.1) temporarily processes:

  • the inputs submitted for generation (as a job record; automatically deleted after 30 days at the latest, and within about an hour once your app confirms receipt);
  • usage counters and the balance of your quota, linked only to the anonymous installation identifier;
  • technically necessary connection data (e.g. IP address) for abuse prevention (rate limiting); this is not permanently merged with your content.

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (security and abuse prevention).

A.6 Reminders / push notifications

The app can remind you of upcoming occasions in good time. These notifications are scheduled locally on your device via the operating system's notification feature. Any technical token used for this stays on the device; we do not send central advertising or marketing push messages. You can disable notifications at any time in your device settings. Legal basis: Art. 6(1)(a) GDPR (consent via the system permission).

A.7 Subscriptions and in-app purchases

WishButler offers paid features. Purchases and subscriptions are processed through the respective app store (Google Play). Payment data is processed exclusively by the store operator; we do not receive full payment information. To manage subscription status we use the provider RevenueCat, Inc. (USA), which links the entitlement status to the anonymous installation identifier. Any transfer to the USA is based on EU Standard Contractual Clauses (Art. 46 GDPR). Legal basis: Art. 6(1)(b) GDPR (contract performance).

A.8 No tracking, no advertising, no location

The app contains no analytics or tracking tools, no advertising networks and no advertising identifiers. We collect no location data and no device identifiers such as advertising IDs. We do not create usage profiles and do not sell data.

B. Privacy on this Website

B.1 Hosting

This website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Data collected in connection with the website is processed on servers within the European Union. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Hetzner. Legal basis: Art. 6(1)(f) GDPR (secure and efficient provision of the online service).

B.2 Server log files

When the website is accessed, information transmitted by your browser is automatically stored in server log files:

  • browser type and version
  • operating system
  • referrer URL
  • hostname of the accessing device
  • time of the server request
  • IP address

This data is not merged with other sources. Log files are deleted after 14 days at the latest. Legal basis: Art. 6(1)(f) GDPR (security and stability of the website).

B.3 Fonts (locally hosted)

This website uses the fonts Plus Jakarta Sans and Cascadia Mono. The font files are served locally from our server. There is no connection to Google Fonts or any other external font provider. Legal basis: Art. 6(1)(f) GDPR (uniform presentation of the online service).

B.4 Cookies

This website uses no tracking cookies, no analytics tools and no advertising services.

When you switch the language, a technically necessary language preference cookie ("wb_lang") is set. It contains only the language code (e.g. "de" or "en"), is stored for up to 12 months and contains no personal data. Legal basis: Section 25(2) no. 2 TDDDG (strictly necessary storage) and Art. 6(1)(f) GDPR.

C. Common provisions

C.1 Recipients / processors

We use carefully selected providers with whom the legally required agreements are in place:

  • Hetzner Online GmbH (Germany) – hosting of website and app server
  • OpenAI (USA/EU) – AI-assisted message suggestions (see A.4)
  • RevenueCat, Inc. (USA) – subscription status management (see A.7)
  • Google Ireland Ltd. / Google LLC – app distribution and payment processing via Google Play

C.2 Transfers to third countries

Where data is transferred to providers outside the EU/EEA (in particular to the USA) – this concerns the services named in A.4 and A.7 as well as, where applicable, the app store – we base the transfer on the EU Standard Contractual Clauses (Art. 46 GDPR) or, where applicable, an adequacy decision of the European Commission. The hosting of our own servers takes place exclusively within the EU.

C.3 Retention

Local app data remains on your device until you delete it or uninstall the app. Job records stored on the server for AI generations are deleted automatically after 30 days at the latest (much sooner after receipt confirmation). Server logs are deleted after 14 days at the latest. Quota/subscription data is processed for the duration of use or as long as required for the feature.

C.4 Deleting your data

WishButler uses no user account. You have full control over your data at all times:

  • Individual entries: you can delete people, events and messages directly in the app.
  • All app data: uninstalling the app or clearing the app's data in your device settings irreversibly removes all locally stored data.
  • Server-side data: the generation records briefly stored on the server are deleted automatically (see C.3). You can request any further deletion at any time by emailing hallo@roottwolabs.de, quoting your anonymous installation identifier.

C.5 Data security

We take appropriate technical and organisational measures to protect your data. Transmission between the app and the server is exclusively encrypted (TLS/HTTPS). Content data generally remains locally on your device and is not collected centrally. The servers are operated by a professional provider (Hetzner) in the EU and protected by access restrictions and up-to-date security patches.

C.6 Your rights

You have the right to:

  • access your processed personal data (Art. 15 GDPR);
  • request rectification of inaccurate data (Art. 16 GDPR);
  • request erasure of your stored data (Art. 17 GDPR);
  • request restriction of processing (Art. 18 GDPR);
  • receive your data in a structured, commonly used, machine-readable format (Art. 20 GDPR);
  • withdraw a given consent at any time (Art. 7(3) GDPR);
  • lodge a complaint with a supervisory authority (Art. 77 GDPR).

Because the app's content data is stored locally, you can view, change and delete it directly in the app. For matters concerning data processed on the server, please contact: hallo@roottwolabs.de. Please note that, as there is no user account, we can generally only attribute data processed on the server via the anonymous installation identifier.

Supervisory authority: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), Holstenstraße 98, 24103 Kiel, Germany.

C.7 Right to object

Where your personal data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to the processing at any time for reasons arising from your particular situation (Art. 21 GDPR). Please send your objection to: hallo@roottwolabs.de.

C.8 Changes to this privacy policy

We update this privacy policy whenever changes to processing make it necessary (e.g. when the iOS app or new features are introduced). The version published on this page applies.