Privacy at MakeEmWait

Plain-language summary of how we handle your data. Last updated March 2026. Version v1.

Note: This page describes our data practices in plain language. It is not a legally binding privacy policy. If you need formal compliance documentation, consult a qualified attorney.

What data we collect

If you create a MakeEmWait account

  • Email address — used for your account login and so we can contact you about your account
  • Password — managed by a dedicated authentication service using SRP (Secure Remote Password) authentication. We never see, receive, or store your password.
  • Stripe customer record — when you register, we automatically create a Stripe customer record linked to your email. We store the Stripe customer ID in our database, not your card details. Stripe handles all payment data directly.
  • Subscription status — your plan tier (free trial, Basic, Advanced, or Pro), subscription status, and trial end date are stored as account attributes and synced from Stripe webhooks
  • API key — if you generate one, we store a SHA-256 hash. The raw key is shown to you exactly once at creation and never stored.

If you sign up for someone's waitlist

  • Email address — the only required field
  • Name — first and last name, if the waitlist owner configured names as optional or required
  • Phone number — if the waitlist owner configured a phone field
  • Custom question answers — responses to any custom questions the waitlist owner added (text, dropdown, etc.)
  • Referral token — a randomly generated 32-character hex string assigned to your signup for the referral tracking system
  • Referred-by token — if you signed up through someone's referral link, the referrer's token is stored so they get credit
  • Referral count — how many people signed up through your referral link
  • Position — your number in the waitlist queue
  • Device type — classified as mobile or desktop based on your browser's User-Agent header
  • Timezone — if your browser sends it (used for display purposes)
  • Country — derived from your timezone (e.g., "US", "GB"), not from IP geolocation
  • UTM parameters — utm_source, utm_medium, utm_campaign, utm_term, and utm_content if present in the signup URL (truncated to 200 characters each)
  • Signup timestamp — when you signed up
  • Verification token — if the waitlist requires email verification, a random token is generated and sent to your email
  • Consent record — if the waitlist owner enabled consent collection: a timestamp of when you consented, the version of the consent text shown, and the version of the privacy policy at that time

What we don't collect

  • No cookies — we don't set any cookies. Authentication uses browser localStorage.
  • No analytics or tracking scripts — no Google Analytics, no Meta Pixel, no third-party trackers anywhere on our site
  • No CAPTCHAs — we use a honeypot field for bot protection instead of tracking-heavy CAPTCHA services
  • No IP address logging — we don't store your IP address in our database
  • No browsing behavior tracking — we don't track page views, clicks, or session data on the marketing site

Types of emails we send

Transactional emails (no unsubscribe)

These are triggered by your own actions and are necessary for the service to work:

  • Signup confirmation — confirms you joined a waitlist
  • Email verification — verifies your email address when required by the waitlist owner

Marketing emails (with unsubscribe)

These are sent on behalf of waitlist owners and always include an unsubscribe link:

  • Email blasts — messages sent by the waitlist owner to all subscribers
  • Referral notifications — alerts when someone joins using your referral link
  • Milestone rewards — notifications when you hit a referral milestone

How to unsubscribe

  • Every marketing email contains an unsubscribe link in the footer and a machine-readable List-Unsubscribe header (RFC 8058)
  • Click the link to opt out of future marketing emails from that waitlist
  • Your waitlist position and data are preserved when you unsubscribe — you're only opting out of emails
  • To delete your data entirely, use the "Delete my data" option on the unsubscribe page

Why we collect it

Everything we collect serves a specific function:

  • Email + password — to authenticate you and manage your account
  • Stripe customer ID — to process subscription payments and manage billing
  • Signup data — to operate waitlists: tracking positions, powering referral leaderboards, sending confirmation emails
  • Device type + UTM params — to give waitlist owners analytics about where their signups come from (aggregated daily, not individual tracking)
  • Referral tokens — to track referral chains and credit people who bring in new signups

We don't use any of this data for advertising, profiling, or anything beyond running the service.

Who processes your data

We use the following third-party services to operate MakeEmWait:

  • Amazon Web Services (AWS) — cloud infrastructure including API Gateway, Lambda (backend processing), DynamoDB (database), Cognito (authentication), CloudWatch (operational logging), CloudTrail (audit logging), and S3 (encrypted backups). All data is stored in the US West (Oregon) region. AWS privacy policy
  • Stripe — payment processing. Stripe handles all credit card data directly; we never see or store card numbers. Stripe's privacy policy
  • Resend — transactional email delivery. This includes waitlist confirmation emails, email verification messages, referral milestone notifications, and email blasts sent by waitlist owners. Resend's privacy policy
  • GitHub Pages — hosts our marketing site (the page you're reading now). GitHub may collect standard web server logs. GitHub Pages data collection

We do not sell, rent, or share your data with anyone else.

Where your data may be sent

Waitlist owners can configure integrations that send signup data to external services when someone signs up:

  • Outbound webhooks — if the waitlist owner configured a webhook URL, your email, name, position, and referral count are sent to that URL when you sign up. This is a Pro plan feature.
  • Slack notifications — if the waitlist owner connected Slack, your email and position are posted to their Slack channel on signup
  • Discord notifications — same as Slack, but to a Discord channel

These integrations are configured by the waitlist owner, not by MakeEmWait. We validate that webhook URLs use HTTPS and block private/internal network addresses, but we have no control over what the waitlist owner does with the data on their end.

Aggregated analytics

For waitlist owners on the Pro plan, we provide daily analytics dashboards. These are built from aggregated counters, not individual tracking:

  • Daily counts — total views, signups, and referral signups per day
  • UTM breakdowns — aggregated counts by UTM source, medium, and campaign

Analytics data is stored as daily totals. We don't track individual user journeys or build profiles.

Where your data is stored

All data is processed and stored in the United States:

  • US West (Oregon, USA) — database, authentication, and backend processing
  • Resend (US-based) — email delivery
  • Stripe (US-based) — payment processing
  • GitHub Pages (US-based) — marketing site hosting

How long we keep it

  • Account data — kept until you delete your account
  • Waitlist signup data — kept until the waitlist owner deletes the individual signup, deletes the entire waitlist, or deletes their account. Deleting an account permanently removes all their waitlists and every signup in them.
  • Payment records — retained by Stripe per their data retention policies and applicable legal requirements
  • Analytics counters — kept as long as the waitlist exists
  • Rate limit records — temporary records used to prevent abuse (e.g., API key regeneration limits). Automatically deleted after 24 hours.
  • Webhook event IDs — Stripe webhook event IDs are stored temporarily to prevent duplicate processing. Automatically deleted after 7 days. No payment data is stored in these records.

Your rights

We believe you should have control over your data. Here's what you can do:

If you have a MakeEmWait account

  • Export your data — download all signup data for any of your waitlists as a CSV file from the dashboard
  • Delete your account — go to Account → Delete Account. This permanently removes your user account, all your waitlists, all signups in those waitlists, all email templates, all verified domains, all team member records, and your Stripe customer record. This action is irreversible.

If you signed up for someone's waitlist

  • Unsubscribe from emails — click the unsubscribe link in any marketing email to opt out of future emails while keeping your waitlist position
  • Delete your data (self-service) — after unsubscribing, click "Delete my data" on the unsubscribe page to permanently remove your signup record
  • Access your data — contact the waitlist owner to request a copy of your signup data
  • Delete your data (manual) — contact the waitlist owner to remove your signup, or email us at privacy@makeemwait.com and we'll help

Free trial

When you create an account, you automatically get a 7-day free trial of the Pro plan. No credit card is required. When the trial ends, your account reverts to a free tier with limited features. We don't auto-charge you.

Local storage

We store the following in your browser's localStorage (not cookies):

  • Authentication tokens (CognitoIdentityServiceProvider.*) — ID, access, and refresh tokens that keep you logged in (account holders only). Managed by the AWS Cognito SDK. ID and access tokens expire after 1 hour; refresh tokens after 30 days.
  • User session (mew_user) — cached account data (email, tier, status) so the dashboard doesn't need to re-fetch on every page load
  • Signup cache (mew_signup) — your waitlist position and referral link after signing up, so the success page can display your position and sharing links
  • Waitlist config (mew_waitlist_config) — cached waitlist settings used by the signup form
  • UI preferences (mew-theme, mew-sidebar-collapsed, mew-docs-sidebar-collapsed) — your chosen color theme and sidebar visibility state

We do not set any cookies. The AWS Cognito SDK used for authentication also uses only localStorage, not cookies.

You can clear this data at any time through your browser settings. Clearing it will log you out.

Leaderboards

Public leaderboards show only rank and referral count. Names are displayed as first name + last initial only (e.g. "Jane D."). Full names, email addresses, and other personal data are never shown on leaderboards.

Security

  • All traffic is encrypted via HTTPS
  • Passwords are managed by a dedicated authentication service using SRP (Secure Remote Password) — we never receive or store them
  • API keys are SHA-256 hashed before storage — the raw key is shown only once at creation and never stored
  • Webhook URLs are validated to be HTTPS and blocked from targeting private/internal network addresses
  • Email subjects and template variables are sanitized to prevent injection attacks
  • Database backups are enabled via point-in-time recovery
  • API requests are rate-limited to prevent abuse

Changes to this page

If we make significant changes to our data practices, we'll update this page and change the "last updated" date at the top. Since we don't collect email addresses for our marketing site, we can't notify you of changes — bookmark this page if you want to check back.

Contact

Questions about your data or privacy? Email privacy@makeemwait.com.