Last updated: April 2026
Intimate Shopping is built privacy-first. This policy explains exactly what we collect, what we don't, and how your data is protected.
The short version
- Your shopping lists and saved items are end-to-end encrypted on your device before they ever leave it. Our servers only ever see ciphertext. We cannot read your saved items, and neither can anyone who breaches our database.
- We do not track you across apps or websites. We do not sell data. We do not show ads. We do not share data with advertisers or data brokers.
- We only collect what the app genuinely needs to work: an email address (for sign-in) and anonymized crash reports (if you opt in).
1. Who runs this app
Intimate Shopping is operated by Ben Wagner. Contact: mail@intimateshopping.app.
2. Data we collect
2.1 Data you actively provide
- Email address. Used only for account creation, sign-in, and password-free magic-link login. You can also sign in with Apple, in which case we receive either your real email or Apple's private relay address, depending on the option you choose during sign-in.
- Your shopping lists and saved items. This includes product names, prices, image URLs, sizes, brands, and any notes you attach. This data is encrypted on your device with AES-256-GCM before upload. The server only stores an opaque encrypted blob. We do not have the decryption key and cannot read any of this data.
2.2 Data collected automatically
- Authentication tokens. A JWT access/refresh token pair issued on sign-in, stored on your device in the iOS Keychain.
- Connection metadata. Standard server logs (IP address, request time, endpoint, response status). These are retained for 30 days for abuse prevention and rate limiting, then deleted.
- Crash reports. Only if you enable "Share App Analytics" in iOS Settings. Crash reports are anonymized by Apple and do not contain your encrypted data.
2.3 Data we do NOT collect
- Contents of your shopping lists or saved items (we only see ciphertext).
- Your browsing history on shopping websites.
- Your location.
- Your contacts, photos, calendar, or any other system data.
- Advertising identifiers (IDFA). The app does not request IDFA.
- Third-party analytics SDKs of any kind.
3. The browser extension (coming soon)
Safari and Chrome browser extensions are in development and not yet publicly available. When released, they will extract product data from supported shopping sites (Zalando, ASOS, Zara, H&M, etc.) when you click the extension icon. That data will be:
- Parsed locally in your browser.
- Encrypted in your browser using the same AES-256-GCM key as the iOS app, obtained during a one-time pairing flow.
- Uploaded to the server as ciphertext to a pending-items queue.
- Downloaded, decrypted, and merged into your lists by the iOS app the next time it syncs.
At no point will the server, the extension developer, or any third party see the unencrypted contents. This section will be updated when the extensions are publicly released.
4. Encryption details
- Content encryption: AES-256-GCM with a random 256-bit key generated on your device at first launch.
- Key storage: iOS Keychain, synchronised through iCloud Keychain so your key follows you to any iPhone signed into the same Apple ID. iCloud Keychain uses its own end-to-end encryption and is gated on your device passcode.
- Extension pairing: The iOS app generates a short code, derives a wrapping key via PBKDF2-SHA256 (600,000 iterations), wraps your encryption key, and sends only the SHA-256 hash of the code to the server. The raw code never leaves your device over the network — you type it manually into the extension.
- Transport encryption: TLS 1.2+ for all network traffic, with certificate pinning on critical endpoints.
5. Sharing and third parties
We do not share your data with third parties except:
- Our hosting provider (cloud infrastructure that runs the backend). They only see ciphertext and standard connection metadata.
- Apple for Sign in with Apple authentication and for iCloud Keychain, which stores your on-device encryption key and syncs it across iPhones you sign into with the same Apple ID. iCloud Keychain is end-to-end encrypted by Apple — neither we nor Apple can read the key.
- Our transactional email provider for sending magic-link sign-in emails. They receive only your email address and the one-time code.
- When required by law. If we receive a valid legal order, we will produce only what we have: your email address, account creation date, and the opaque encrypted blob. Because everything is encrypted, we cannot produce the contents of your shopping lists even under compulsion.
6. Data retention and deletion
- Active accounts: data is retained as long as your account exists.
- Server logs: 30 days.
- Deleted accounts: your encrypted blob, email, and all server-side state are permanently deleted within 30 days of account deletion. Magic-link codes and pairing codes are deleted immediately after use or after their 10-minute expiry, whichever comes first.
- You can delete your account at any time from Settings → Delete Account inside the iOS app.
7. Your rights (GDPR / CCPA)
Regardless of where you live, you have the right to:
- Access a copy of your data. Email us and we will provide your email, account metadata, and your encrypted blob. We cannot decrypt it for you — that only works inside the app.
- Correct inaccurate account data.
- Delete your account and all associated data (in-app, Settings → Delete Account).
- Export your data. Email us and we will provide your account data. Since your saved items are end-to-end encrypted, only you can decrypt them inside the app.
- Object to processing. Since we process only what's strictly necessary to run the app, the only way to object is to delete your account.
- Withdraw consent at any time.
We do not sell personal information under CCPA. We do not engage in "sharing" for cross-context behavioral advertising.
8. Children
The app is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, email us and we will delete the account promptly.
9. International transfers
Our backend is hosted in the European Union. If you access the app from outside the EU, your data will be transferred to and processed there. Standard Contractual Clauses apply where required.
10. Security
- AES-256-GCM for data at rest on our servers (encrypted on your device before upload; we never hold the key).
- TLS 1.2+ for data in transit.
- JWT access tokens with a 24-hour expiry, silently refreshed on the client when they run out; refresh tokens valid for 30 days with single-use rotation.
- Rate limiting on authentication endpoints.
- No plaintext passwords anywhere (magic-link and Sign in with Apple only).
We cannot absolutely guarantee security, but we take every reasonable step to protect your data, and the E2EE architecture means that even a full server compromise should not expose your shopping data.
11. Changes to this policy
If we change this policy in a material way, we will notify you in-app before the change takes effect. The "Last updated" date at the top reflects the most recent change.
12. Contact
Questions? Email mail@intimateshopping.app.