
Privacy policy.

Plain English, written by humans who have read the GDPR. Last updated 12 Apr 2026.

This is the policy that governs the data BothWant collects from you. It is also a description of the kind of company we are trying to be — one that does not require its customers to read seven thousand words to find out where their answers are stored.

What we collect.

The complete list, with no surprises after the comma:

  • Your email — used to log you in, and to send you exactly two kinds of email (transactional and the optional weekly journal).
  • A password hash — derived via Argon2id with a per-user salt. We do not store, log, or transmit your password itself.
  • Your encrypted answers — ciphertext only. We cannot read these and we have not constructed any system that would allow us to.
  • Operational metadata — account_created_at, last_login_at, partnership_id. Used to make the product work; not used for analytics.

That is the complete list. It does not contain your name, your phone number, your IP address (which is not persisted beyond the request that carried it), your device fingerprint, your contacts, your photos, or anything else you may be reflexively expecting an internet service to ask for.

How we use it.

Your email is used to authenticate you and to send you the two email types listed above. Your password hash is used to verify you on sign-in. Your encrypted answers are used inside a sealed reveal function, on the server, to compute the yes-yes intersection with your partner — and never for anything else.

Your answers are not analytics. There is no dashboard at BothWant where someone — engineer, support agent — can read what couples have said yes to. The architecture forecloses the question, not just the answer. If you would like to verify this for yourself, the architecture is described in detail at /security.

We use anonymized, PII-masked product analytics (PostHog, with masking enforced at the SDK level) to understand which screens are confusing and which buttons are getting clicked. The analytics pipeline does not see your email, your answers, or your partnership ID.

How we share it.

We share the minimum necessary data with the minimum necessary vendors, listed exhaustively here. If a vendor is not on this list, we are not sharing data with them.

  • Stripe — payment processing only. Receives your email and a Stripe customer ID. Does not receive your answers, your password hash, or your partnership data.
  • Resend — transactional and journal email delivery. Receives your email and the message body. Does not receive your answers.
  • Supabase — database and authentication hosting. Stores the encrypted blobs and the password hash. Cannot decrypt your answers; the keys are not on the server.
  • Vercel — web hosting and serverless function execution. Sees request metadata (URL, status, latency); does not persist request bodies.
  • PostHog — product analytics, anonymized. Sees which pages are visited and which buttons are clicked, with PII masking enforced.

That is the full sub-processor list. We will publish a maintained copy at /legal/sub-processors and we will email you before any vendor is added or removed.

We do not sell your data. We do not share your data with advertisers. We do not transfer your data to third parties for any purpose other than the operational ones above.

Your rights.

You can do the following from your /settings page, without contacting us:

  • Export everything we have on you — a JSON file with your account row, your encrypted blob, and your partnership records. The blob is yours; we cannot decrypt it for you, but you can decrypt it client-side using your password.
  • Update your email address. Updating it does not invalidate your encryption key, which is derived from your password.
  • Change your password. This re-derives your key-encrypting key from the new password and re-wraps the data key that encrypts your blob, server-side, without ever decrypting the blob itself (we use a key-encrypting-key wrap pattern, described at /security). The blob's ciphertext is unchanged by a password change.
  • Delete your account, in full. See below.

If you delete your account, we delete you in full: every record across every table, including your partnership and your matches. Backups that still contain your records age out within 30 days. There is no archive. There is no soft-delete. There is no "in case you change your mind"; if you change your mind, you sign up again.

If you are in the EU, the UK, or California, the rights enumerated above already cover what your local law requires (access, rectification, erasure, portability). You do not need to invoke a specific clause to exercise them — the buttons are in Settings.

Cookies.

We use one cookie. It is named bw_session, it is HTTP-only and SameSite=Lax, it expires after 30 days of inactivity, and it does the one thing cookies are for, which is to keep you logged in.

We do not use cookies for advertising, cross-site tracking, or analytics. We do not embed third-party cookies via our marketing site. There is no cookie banner because there is nothing to consent to beyond the session cookie that the browser already considers strictly necessary.

Children.

BothWant is not designed for, marketed to, or appropriate for anyone under 18. We do not knowingly collect data from minors. If we learn that we have, we delete it.

Contact.

For privacy questions, write to privacy@bothwant.com. A human on our team reads it.

For security disclosures, write to security@bothwant.com. We will acknowledge within 48 hours and we will not threaten you with a CFAA letter.

BothWant Editorial
A small studio · hello@bothwant.com