✿ the small print

legal & policies

these are draft documents pending professional legal review. they describe how opia actually works today. if anything reads as unclear or wrong, please email us.

Privacy Policy

Draft — not legal advice. Have a lawyer (or a UK-based service like Termly / iubenda / SeersCo) review before publishing.

Last updated: 2026-05-11

Opia is a small social wishlist app run by Abbas Alibhai, based in London, United Kingdom (hereafter "we", "us", "Opia"). This page explains what data we collect, why, and what we do with it. The short version: only what the product needs to work, and we don't sell any of it.

If anything here is unclear, email abbasalibhai.business@gmail.com.

1. Who's the data controller?

Abbas Alibhai, sole trader, London, UK. UK GDPR / Data Protection Act 2018 apply.

EU users: Opia does not currently have a designated EU representative. If usage from the EU grows materially, this will be revisited.

US users: Opia is not currently a "Business" or "Service Provider" under CCPA/CPRA thresholds (under $25M annual revenue, fewer than 100,000 California consumers). The rights in section 6 are nonetheless honoured for any user who asks.

2. What we collect

2.1 Account data

When you sign in:

  • Email address (always)
  • Display name and profile image (when you sign in with Google)
  • A handle you pick (e.g. @abbas)
  • Your birthday (required at sign-up, see below)
  • A bio, country, and currency you optionally provide
  • Per-occasion dates you optionally provide (e.g. an anniversary)

Your birthday is mandatory to create an account. We require it for two reasons: (a) to verify you are at least 13 years old, which is a legal requirement we cannot waive (see section 8), and (b) so friends who follow you can see an upcoming birthday countdown if you choose to share it.

We never display your birthday year to anyone else — it is used only for age verification and is kept private. You separately choose, from /settings, whether your month/day appears on your public profile and in your friends' upcoming-occasion feeds. This is off by default. You can toggle it at any time.

2.2 Content data

The items you add to your wishlist: the source URL, title, image URL, price, currency, notes. We fetch a preview of each URL once and cache it.

2.3 Relationship data

Who follows whom, and which items have been claimed by which user. Claim activity is not visible to the wishlist owner — this is the core privacy invariant of the product.

2.4 Technical data

  • A session cookie set by our auth provider (Better Auth).
  • A first-party analytics cookie via PostHog (anonymised IP, no third-party advertising identifiers).
  • Server-side request logs (IP, user agent, timestamp) retained for ~14 days for security and debugging.

2.5 What we don't collect

  • We never read your phone book / contacts.
  • We don't share or sell email lists.
  • We don't run third-party advertising trackers.

2.6 Search engines and personal wishlists

Personal wishlist pages (e.g. opia.social/@your-handle) are unlisted by design: anyone with the share link can view them, but Opia instructs search engines not to index, archive, or summarise them via robots.txt, an HTML noindex directive, and (where supported) an X-Robots-Tag response header. Marketing and legal pages remain crawlable. This means handing the link to a friend will not cause your list to surface in a Google search.

Note: Opia cannot force a misbehaving bot to honour these directives, and we cannot retroactively remove your URL from a search engine that ignored them. If you ever discover your list indexed somewhere it shouldn't be, email abbasalibhai.business@gmail.com and we'll help you file the relevant removal request.

3. How we use it

PurposeLawful basis (UK GDPR Art. 6)
Run the service: store your list, render your profile, handle authContract (Art. 6(1)(b))
Send transactional emails (magic-link sign-in, claim notifications)Contract (Art. 6(1)(b))
Measure product usage in aggregate (PostHog)Legitimate interest (Art. 6(1)(f))
Detect abuse / debug errorsLegitimate interest (Art. 6(1)(f))
Affiliate commission tracking on outbound clicksLegitimate interest (Art. 6(1)(f)) — see Affiliate Disclosure
Age verification (must be 13+)Legal obligation (Art. 6(1)(c)) + Contract

We do not engage in automated decision-making or profiling with legal effect.

4. Sub-processors

Opia uses these third parties. Each handles a slice of your data under their own privacy terms:

ProviderRoleJurisdiction
Netlify (deployment + hosting)Serves the websiteUS (DPF-certified)
Neon (Postgres database)Stores your account + list dataEU/US regions
Better Auth (self-hosted library)Auth session managementRuns on our infra
Google (Sign-in with Google)Optional auth providerUS
Resend (transactional email)Sends magic-link + claim emailsUS (DPF-certified)
Skimlinks / Sovrn (affiliate network)Rewrites outbound merchant linksUS/UK
PostHogPrivacy-friendly product analyticsEU region

International transfers outside the UK rely on the UK International Data Transfer Addendum to the EU SCCs, or the UK Extension to the EU-US Data Privacy Framework where applicable.

5. How long we keep it

  • Account data: while your account is active, then 30 days after deletion (in case you change your mind), then permanently deleted.
  • Server logs: ~14 days.
  • Link preview cache: indefinite, but contains only public merchant page metadata, not personal data.
  • Affiliate click data: handled by Skimlinks under their retention terms.

6. Your rights

Under UK GDPR (and equivalent CCPA/CPRA rights for California users) you can ask us to:

  • Access the data we hold about you
  • Correct anything that's wrong
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to or restrict specific processing
  • Withdraw consent for analytics

You can do most of this from the danger zone in /settings. For anything else, email abbasalibhai.business@gmail.com and we'll respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

7. Cookies

CookiePurposeType
__Secure-better-auth.session_tokenKeeps you signed inStrictly necessary
PostHog cookieAnonymous product analyticsFunctional
Skimlinks cookie (set on click)Attributes affiliate conversionFunctional

We do not currently show a cookie banner because we set no marketing/advertising cookies. If we ever add any, an opt-in banner will appear first.

8. Children

Opia is not for under-13s. We collect your birthday year solely to enforce this. If you believe a child under 13 has signed up, email abbasalibhai.business@gmail.com and we'll delete the account.

9. Security

Passwords aren't used — sign-in is magic-link or Google OAuth. Sessions live in signed HTTP-only cookies. Outbound URLs you paste are SSRF-guarded before any fetch. Backups are encrypted in transit and at rest.

No service is unbreachable. If a breach affects you, we'll notify you within 72 hours per UK GDPR Art. 34.

10. Changes

If this policy changes materially, we'll email registered users and update the date at the top. Continued use after a change means you accept the new version.

11. Contact

Abbas Alibhai · London, UK
Email: abbasalibhai.business@gmail.com