Skip to main content
Legal · /privacy

Privacy policy.

Plain English, written by humans who have read the GDPR. Last updated 1 Jul 2026.

This is the policy that governs the data BothWant collects from you. It is also a description of the kind of company we are trying to be — one that does not require its customers to read seven thousand words to find out where their answers are stored.

What we collect.

The complete list, with no surprises after the comma:

  • Your email — used to log you in, and to send you exactly two kinds of email (transactional and the optional weekly journal).
  • Your password — held by our authentication provider (Supabase Auth) as a salted hash only. We never store or log your plaintext password.
  • The profile fields you give us during onboarding — the details you choose to share so the product can address you and pair you with your partner.
  • Your quiz answers — stored in our Postgres database, encrypted at rest (AES-256) and in transit (TLS 1.2+). Row-level security scopes them to you; the only thing ever shown to your partner is the overlap you both matched on.
  • Payment metadata via Stripe — a customer ID and your subscription status. Your card number goes to Stripe directly and never touches our servers.
  • Analytics events — PostHog, with PII masking enforced. Which screens are visited, which buttons are clicked. Never your answers.
  • Operational metadata — account_created_at, last_login_at, partnership_id. Used to make the product work.

That is the complete list. It does not contain your card number, your contacts, your photos, your location history, your device fingerprint, or anything else you may be reflexively expecting an internet service to ask for.

How we use it.

Your email is used to authenticate you and to send you the two email types listed above. Your answers are used for exactly one thing: computing the reveal. When both partners have finished, the comparison runs on our servers — in a privileged context, never on either partner's device — and only the mutual overlap is returned to either of you. Your unmatched answers are never sent to your partner.

Your answers are not analytics. There is no dashboard at BothWant where someone — engineer, support agent — can browse what couples have said yes to, and internal access to production data is restricted to what operating the service requires. The architecture is described in detail at /security.

We use anonymized, PII-masked product analytics (PostHog, with masking enforced at the SDK level) to understand which screens are confusing and which buttons are getting clicked. The analytics pipeline does not see your email, your answers, or your partnership ID.

How we share it.

We share the minimum necessary data with the minimum necessary vendors, listed exhaustively here. If a vendor is not on this list, we are not sharing data with them.

  • Stripe — payment processing only. You pay Stripe directly; card numbers never touch our servers. Stripe receives your email and holds your customer ID and subscription status. It does not receive your answers or your partnership data.
  • Resend — transactional and journal email delivery. Receives your email and the message body. Does not receive your answers.
  • Supabase — database and authentication hosting. Stores your account, answers, and matches, encrypted at rest (AES-256), with row-level security on every user-facing query. Daily backups are retained for 30 days.
  • Vercel — web hosting and serverless function execution. Sees request metadata (URL, status, latency); does not persist request bodies.
  • PostHog — product analytics, anonymized. Sees which pages are visited and which buttons are clicked, with PII masking enforced.

That is the full sub-processor list. We will publish a maintained copy at /legal/sub-processors and we will email you before any vendor is added or removed.

We do not sell your data. We do not share your data with advertisers. We do not transfer your data to third parties for any purpose other than the operational ones above.

Your rights.

You can do the following from your /settings page, without contacting us:

  • Export everything we have on you — one click, an instant JSON download of your profile, your responses, your matches, and your journal.
  • Update your email address.
  • Change your password.
  • Delete your account, in full. See below.

Deletion is immediate and irreversible. The moment you confirm, we remove your auth user and every row that belongs to you — responses, matches, partnership, journal — and we cancel your Stripe subscription as part of the same flow. Deleted data drops out of our daily backups as the 30-day retention window expires. There is no archive. There is no soft-delete. There is no “in case you change your mind”; if you change your mind, you sign up again.

If you are in the EU, the UK, or California, the rights enumerated above already cover what your local law requires (access, rectification, erasure, portability). You do not need to invoke a specific clause to exercise them — the buttons are in Settings. If a button fails you, or you would rather a human did it, write to privacy@bothwant.com and we will handle it by hand.

Cookies.

We use cookies for one job: keeping you signed in. Our authentication provider sets HTTP-only session cookies that do the one thing cookies are for.

We do not use cookies for advertising or cross-site tracking, and no advertiser scripts run on bothwant.com. Product analytics run through PostHog with PII masking enforced; they measure which screens get used, not who you are.

Children.

BothWant is not designed for, marketed to, or appropriate for anyone under 18. We do not knowingly collect data from minors. If we learn that we have, we delete it.

Contact.

For privacy questions, write to privacy@bothwant.com. A human on our team reads it.

For security disclosures, write to security@bothwant.com. We will acknowledge within 48 hours and we will not threaten you with a CFAA letter.

BothWant Editorial
A small studio · hello@bothwant.com