Effective date: 25 February 2026
1. Scope
This Privacy Policy explains how Whyso (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use our websites, applications, APIs, and related services (the “Service”).
Data controller: WHYSO LTD (company number 16959953), registered office 20 Stella Road, Paignton, England, TQ3 1BH. Privacy contact: [email protected].
2. Personal Data We Collect
- Account and identity data: name, email address, authentication identifiers, organization/workspace details.
- Billing data: subscription plan, Stripe customer/payment references, billing status, invoices (we do not store full payment card numbers).
- Service data: workshop content, brand assets, settings, exports, support tickets, user-generated notes and metadata.
- Technical and usage data: IP address, device/browser information, timestamps, logs, route and feature usage, session and security events.
- Communications data: messages and support correspondence.
3. How We Use Personal Data
- Provide, maintain, and secure the Service.
- Authenticate users and manage accounts/workspaces.
- Process subscriptions, billing, and fraud prevention checks.
- Generate requested outputs, including AI-assisted workshop features.
- Provide customer support and troubleshoot issues.
- Monitor reliability, detect abuse, and improve product performance.
- Comply with legal obligations and enforce our Terms.
4. Legal Bases (UK GDPR / EU GDPR)
Where UK GDPR or EU GDPR applies, we process personal data on the following bases:
- Contract: to provide the Service you requested and administer your account.
- Legitimate interests: to secure, monitor, improve, and support the Service.
- Legal obligation: for tax, accounting, regulatory, and law-enforcement responses.
- Consent: where required, including for non-essential cookies/tracking.
5. Sharing and Processors
We share personal data only as necessary to operate the Service, including with:
- Supabase (authentication, database, infrastructure data services)
- Stripe (billing and subscription payment processing)
- Vercel (application hosting and delivery)
- OpenAI (AI processing for requested AI-assisted features and generated outputs)
- Professional advisers, auditors, and authorities where legally required
We require processors to handle personal data under written contracts and appropriate safeguards.
6. International Data Transfers
Personal data may be processed outside your country. For transfers from the UK/EEA/Switzerland, we use appropriate safeguards, including the UK International Data Transfer Addendum (IDTA) and/or EU Standard Contractual Clauses (SCCs), plus technical and organizational controls where required.
7. Data Retention
We retain personal data for as long as needed to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. Standard retention periods are:
- Account profile data: while the account is active, then typically up to 90 days after a deletion request.
- Billing and tax records: typically 6-7 years to meet legal/accounting obligations.
- Security and access logs: typically up to 12 months.
- Support records: typically up to 24 months after ticket closure.
- Backups: rolling encrypted backups typically retained up to 35 days.
You can request deletion of your personal data by contacting [email protected]. We delete or anonymize data unless we are legally required to retain it.
8. Security
We use technical and organizational safeguards designed to protect personal data, including access controls, encryption in transit, and monitoring. No method of transmission or storage is fully secure, so we cannot guarantee absolute security.
9. Your Privacy Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent where processing is based on consent.
To exercise rights, contact [email protected] with subject line “Privacy Request”.
We aim to acknowledge privacy requests within 5 business days and respond within 30 days. Where legally permitted and where requests are complex, we may extend the response period by up to an additional 60 days with notice.
- UK/EU: rights under UK GDPR/EU GDPR and right to lodge a complaint with your supervisory authority.
- US states: where applicable (e.g., California and other state privacy laws), rights may include access, deletion, correction, portability, and opt-out rights.
- Canada: rights under PIPEDA and applicable provincial laws, including access and correction.
- Australia: rights under the Privacy Act 1988 (Cth), including access/correction and OAIC complaint rights.
10. US “Sale/Share” Statement
We do not sell personal information for money. We also do not knowingly share personal information for cross-context behavioral advertising in a way that would trigger “sale/share” requirements. If this changes, we will update this policy and provide required opt-out mechanisms.
11. Cookies and Similar Technologies
We use essential cookies and local storage necessary for authentication, security, and core application functionality. If we enable non-essential analytics or advertising cookies, we will request consent where required by law and provide management controls.
We do not activate non-essential cookies or trackers until consent tooling is live in-product.
See our Cookie Notice and Your Privacy Choices.
12. Children
The Service is not directed to children. You must be at least 18 years old to create an account, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided data, contact us so we can take appropriate action.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material updates will be notified through the Service or by email. The “Effective date” indicates when the latest version took effect.
14. Contact and Complaints
Contact us at [email protected] for privacy questions or requests.
You may also complain to your local regulator, including the UK Information Commissioner’s Office (ICO), EU supervisory authorities, Canada’s OPC, or Australia’s OAIC, as applicable.
15. Related Terms
Use of the Service is also subject to our Terms of Use.