Privacy Policy

Last updated: April 6, 2026

Candl ("we," "us," "our") is a WhatsApp birthday reminder service. This policy explains what data we collect, why, and what control you have over it.

By messaging Candl on WhatsApp, you agree to this policy. If you disagree, stop messaging us and text "delete my account" to remove your data.

1. Information we collect

Information you provide

  • Phone number — your WhatsApp number, used as your account identifier
  • Your birthday — if you choose to share it
  • Friends' names and birthdays — the birthdays you ask us to remember
  • Messages — your conversation with Candl (used to understand your requests and maintain conversation context)
  • Preferences — your onboarding choices such as celebration style, reminder lead time, and communication preferences
  • Account state — where you are in setup (e.g., onboarding, active) so we can resume where you left off

Contact data you share

If you share your phone contacts with Candl, we extract and store only names, phone numbers, and birthdaysfrom the contacts you send. We do not access your phone's contact list directly — you explicitly send contacts to us via WhatsApp.

Automatically collected

We store timestamps of when you message us (to comply with WhatsApp's 24-hour messaging window). We do not use cookies, tracking pixels, or analytics on the WhatsApp interface.

2. How we use your information

  • Birthday reminders — sending you reminders when your friends' birthdays are coming up
  • Understanding your messages — processing your WhatsApp messages to add, update, or look up birthdays
  • Birthday sharing — facilitating mutual birthday sharing between you and your friends (only with explicit consent from both parties)
  • Message drafting and gift ideas — generating birthday messages and gift suggestions when you ask
  • Proactive messages — we may send you occasional follow-ups outside of your conversations, such as onboarding tips, prompts to fill in missing birthdays, or nudges when it's your birthday month. You can stop these at any time by telling Candl

We do not use your data for advertising, profiling, or any purpose unrelated to the birthday reminder service.

3. AI processing

Candl uses Anthropic's Claude AI (via their commercial API) to understand your messages and generate responses. When you message Candl:

  • Your message, recent conversation history (up to 20 messages), your saved birthdays (names and dates), your birthday, and your preferences are sent to Anthropic each time you message us — this context is needed so the AI can give accurate, personalized responses
  • Under Anthropic's commercial API terms, your data is not used to train AI models
  • Anthropic encrypts data in transit and at rest; their employees do not have routine access to your conversations
  • Your imported contacts' phone numbers are not sent to the AI — only names and birthday dates needed to process your request

4. Birthday sharing and mutual consent

Candl has a birthday sharing feature that lets friends see each other's birthdays. This is built on mutual consent:

  • You choose who you want to share your birthday with — sharing is never automatic
  • Both people must independently grant consent before either can see the other's birthday
  • You can revoke sharing at any time — the other person's access is immediately removed
  • Candl never confirms or denies whether someone else is a user of the service
  • Pending share requests expire after 12 months if not matched

5. How we share information with third parties

We do not sell, rent, or trade your personal information. We share data only with the service providers necessary to operate Candl:

Meta (WhatsApp Cloud API)

Message delivery. Meta processes messages through their infrastructure and may retain message data for up to 30 days per their policies.

Anthropic (Claude API)

AI message processing. Not used for model training. Data encrypted in transit and at rest.

Supabase (Database)

Secure data storage (PostgreSQL). SOC 2 Type 2 compliant.

Railway (Hosting)

Application hosting and compute.

Stripe (Payments)

Payment processing for subscriptions. We do not store your payment card details — Stripe handles all payment data directly.

We may also disclose information if required by law, legal process, or to protect the safety of our users.

6. Contact data and non-user privacy

When you share contacts with Candl, you may be providing us personal data about people who are not Candl users. By sharing contacts, you confirm that:

  • You have the right to share their name, phone number, and birthday with us
  • You understand we will store this data to provide you with birthday reminders

Contact data for non-users is stored solely to enable your birthday reminders and the sharing feature. If a non-user contacts us to request deletion of their data, we will honor that request.

When you delete your account, all contact data you imported is deleted with it.

7. Data retention

  • Active accounts — your data is retained as long as your account is active
  • Conversation history — we keep a rolling window of your most recent messages (up to 20) for conversation context; older messages are not retained
  • Deleted accounts— all data is permanently deleted when you delete your account (text "delete my account" to Candl)
  • Pending share requests — expire and are deleted after 12 months

8. Data security

We use industry-standard measures to protect your data, including encrypted connections (TLS), secure database access, and environment-isolated credentials. However, no system is 100% secure — we cannot guarantee absolute security.

9. Your rights

You have the right to:

  • Access your data— ask Candl "list my birthdays" or "show my shares" to see what we have
  • Delete your account — text "delete my account" to permanently erase all your data
  • Revoke sharing — stop sharing your birthday with anyone at any time
  • Stop using Candl — simply stop messaging us; your data will remain until you explicitly delete it

For EU/EEA residents (GDPR)

Our lawful basis for processing your data is your consent (provided by messaging us) and legitimate interest (providing the service you requested). You have additional rights to data portability, rectification, restriction of processing, and to lodge a complaint with your local data protection authority.

For California residents (CCPA)

We do not sell or share your personal information for cross-context behavioral advertising. You have the right to know what personal information we collect, request its deletion, and not be discriminated against for exercising your rights.

10. Children's privacy

Candl is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with their data, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify you via WhatsApp. Continued use of Candl after changes constitutes acceptance of the updated policy.

12. Contact us

Questions about this policy? Message Candl on WhatsApp or email us at privacy@candl.app.

← Back to home