Privacy

Privacy Policy

Needlist is built to be a quiet place. We collect the minimum we need to make the app work, we tell you what that is, and we don’t sell your data. This policy explains what we collect, why, who we share it with, and the choices and rights you have.

Needlist (“Needlist,” “we,” “us”) is operated by Surfstack LLC, which is the data controller responsible for your personal information under the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws. This policy applies to the Needlist mobile app, the Needlist website at needlisttosay.com, and related services (together, the “Service”).

The short version

  • We collect what we need to give you an account, save your lists, and run the app.
  • We do not sell your personal information, and we do not run advertising or analytics trackers on our site.
  • Affiliate cookies are only used with your consent — see our Cookie Policy.
  • You can access, correct, export, or delete your data, and withdraw consent, at any time.
  • Questions or requests: privacy@needlisttosay.com.

Information we collect

Information you give us.

  • Account details — your name or display name, email address, and a password (which we store only as a salted hash, never in plain text). If you sign in with Google, we receive your name, email address, and profile photo from Google instead of a password.
  • Profile & preferences — an optional avatar, bio, and the interest “vibes” you pick during onboarding, which help us tailor the gift ideas we show you.
  • Content you create — your gift lists and the items on them, events and invitations, claims, comments, and the friends or connections you add. Some of this is shared with the people you choose to share a list or event with.
  • Messages to us — the contents of emails or support requests you send.

Information we collect automatically.

  • Device & usage data — IP address, device and operating-system type, app version, and basic logs of how you interact with the Service, used to keep it running, secure, and free of bugs.
  • Diagnostics — crash and error reports, so we can find and fix problems.
  • Cookies & similar technologies — on the web, a strictly necessary cookie that remembers your sign-in and your cookie choice, and — only with your consent — affiliate cookies. If you’re signed in, we also store your cookie choice on your account so it carries across your devices. Full detail is in our Cookie Policy.

Information from third parties.

  • Sign-in providers (e.g., Google) when you choose to sign in with them.
  • Affiliate networks — when you buy through one of our affiliate links with consent, we typically receive only anonymized click and conversion data (such as that a referral resulted in a sale), never your name, payment details, or order contents. See our Affiliate Disclosure.
  • Workspace data — if you use Needlist through an employer or organization, we may receive your work profile from your organization or its HR system. See “Organization accounts” below.

How and why we use your information

Under the GDPR and UK GDPR, we rely on the following legal bases. Where we rely on consent, you can withdraw it at any time.

  • To provide the Service — create your account, save and share your lists and events, and deliver core features. Legal basis: performance of a contract.
  • To keep the Service secure and working — authentication, fraud and abuse prevention, debugging, and maintenance. Legal basis: legitimate interests, and legal obligation where applicable.
  • To communicate with you — transactional messages (e.g., account, security, event reminders, and claim notifications) and responses to your requests. Legal basis: performance of a contract and legitimate interests.
  • To credit affiliate referrals — so retailers can attribute a purchase to us. Legal basis: consent for affiliate cookies; legitimate interests in the underlying commercial relationship.
  • To improve the Service — understand which features are used so we can make them better, using the minimum data necessary. Legal basis: legitimate interests.
  • To comply with the law — meet legal, tax, and regulatory obligations and respond to lawful requests. Legal basis: legal obligation.

We do not run third-party advertising networks, cross-site ad trackers, or social-media tracking pixels, and we do not use your data for automated decision-making that produces legal or similarly significant effects about you.

How we share your information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share it only in these ways:

  • With people you choose — anyone you share a list or event with, or connect with, sees the content you share with them.
  • With service providers (processors) who help us run the Service, under contracts that limit them to our instructions. These fall into a few categories, with representative examples: cloud hosting and databases (Amazon Web Services); transactional email (Amazon SES); error monitoring (Sentry); real-time messaging (Pusher); payment processing for paid plans (Stripe); affiliate networks; and, for organization accounts, gift-card fulfillment, HR-system integration, and workspace messaging providers. We can provide the current list on request.
  • For legal reasons — to comply with the law, enforce our Terms, or protect the rights, safety, and property of Needlist, our users, or the public.
  • In a business transfer — if Needlist is involved in a merger, acquisition, or sale of assets, your information may be transferred, subject to this policy.

Payment card details for paid plans are handled directly by our payment processor; we never store full card numbers. Purchases you make at a retailer are governed by that retailer’s own privacy policy.

Organization accounts

If you use Needlist as part of an employer or organization (for example, a workplace gifting or recognition program), your organization is the controller of the workspace data it provides or directs us to process — such as employee rosters from its HR system, names, work emails, start dates, and team or manager relationships — and we act as its processor for that data, under our agreement with the organization. Your organization’s own privacy policy governs how it uses that data, and requests about it (including access or deletion) are best directed to your organization. The rest of this policy continues to apply to the personal account you use to sign in.

International data transfers

Needlist is operated from the United States, and our service providers may process data in the United States and other countries. When we transfer personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum — or another lawful transfer mechanism. You can request a copy of the relevant safeguards using the contact details below.

How long we keep your information

We keep your personal information for as long as your account is active and for a reasonable period afterward to meet the purposes described in this policy — for example, to comply with legal, tax, and accounting obligations, resolve disputes, and enforce our agreements. When we no longer need it, we delete it or anonymize it. If you delete your account, we delete or anonymize your personal data within a reasonable period, except where we are required or permitted by law to retain it.

Your rights and choices

Depending on where you live, you have some or all of the following rights over your personal information. Under the GDPR and UK GDPR these include the right to:

  • Access a copy of the personal data we hold about you.
  • Correct data that is inaccurate or incomplete.
  • Delete your data (the “right to be forgotten”).
  • Restrict or object to certain processing, including processing based on legitimate interests.
  • Port your data — receive it in a portable format or have it sent to another provider.
  • Withdraw consent at any time, where we rely on consent (such as affiliate cookies), without affecting processing already carried out.

To exercise any of these, email privacy@needlisttosay.com. You can update much of your information directly in the app, and change your cookie choices from our Cookie Policy. We will not discriminate against you for exercising your rights. We may need to verify your identity before acting on a request, and you may use an authorized agent where the law allows.

If you are in the EU, UK, or Switzerland and believe we have mishandled your data, you have the right to complain to your local supervisory authority (in the UK, the Information Commissioner’s Office at ico.org.uk). We’d appreciate the chance to address your concern first.

California privacy rights

If you are a California resident, the California Consumer Privacy Act, as amended by the CPRA, gives you specific rights. In the past 12 months we have collected the categories of personal information described in “Information we collect” above (identifiers such as name and email; account and profile information; your lists and other content; internet and device activity; and, with consent, commercial referral data), from the sources and for the business purposes described in this policy.

  • You have the right to know what we collect and how we use and disclose it.
  • You have the right to delete and to correct your personal information.
  • You have the right to opt out of the sale or sharing of your personal information — though we do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not use or disclose sensitive personal information beyond the purposes the law permits.
  • You have the right to be free from discrimination for exercising these rights.

To make a request, contact privacy@needlisttosay.com; you may use an authorized agent. California’s “Shine the Light” law: we do not share personal information with third parties for their own direct marketing.

Children’s privacy

Needlist is not directed to children under 13 (or the minimum age required in your country, if higher), and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.

How we protect your information

We use technical and organizational measures appropriate to the risk — including encryption in transit, hashed passwords, and access controls — to protect your information. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to notify you and the relevant authorities of a breach where the law requires.

Changes to this policy

We may update this policy as the Service and the law evolve. When we make a material change, we’ll update the “last updated” date below and, where appropriate, notify you in the app or by email.

How to contact us

Needlist is operated by Surfstack LLC, the data controller for your information. For any privacy question or to exercise your rights, contact privacy@needlisttosay.com.

Last updated: 18 June 2026