WAppTrack
PRIVACY · LAST UPDATED 2026-04-29

Privacy — jurisdiction by jurisdiction.

Operationally drafted; consult counsel before paid launch.

WAppTrack Personal is a private record layer behind WhatsApp. This notice describes how we handle data across the regions our users live in. It is grouped by jurisdiction so you can jump to the rules that apply to you.

Plain-language overview

When you connect a WhatsApp number to WAppTrack, we receive the events that number receives — texts, edits, deletions, media references, contact records, group activity, shared locations, and session status. Those events are written to your private archive. We do not sell that archive, we do not use it to train models, and you can request export or deletion at any time. The rest of this page explains the same posture in the legal vocabulary each jurisdiction expects.

Universal data map

Controller. WAppTrack Personal, operated from the Netherlands. This is a sole-operator service during the waitlist phase; a corporate entity will be named here at paid launch.

Contact. Privacy questions, access requests, and deletion requests: hello@wapptrack.app.

Processors / sub-processors.

  • WaSenderAPI — receives WhatsApp events from your connected number on our behalf and forwards them as webhooks. Required for the service to function.
  • Cloudflare — site hosting, edge compute, and D1 storage for the archive and waitlist records. Cloudflare operates a global network; the storage region applicable to your account will be listed here once verified at paid launch.
  • Transactional email provider — not yet selected; will be named here before paid launch and before any non-transactional email is sent.

Categories of personal data we process.

  • Account email address (you provide it).
  • Archive events from your connected number (text content, edits, deletions, media references, contact records, group membership, shared locations, session status).
  • Technical logs (request metadata, IP addresses — hashed with a per-deployment salt for the waitlist form, full IP retained briefly in edge logs for abuse defence).
  • Payment metadata (only once paid access opens — handled by the payment processor named here at that time; we never store full card numbers).

Purposes. Operate the service, prevent abuse, comply with legal obligations, and (once paid access opens) bill correctly.

Retention windows.

  • Waitlist email: kept until the cohort closes or you ask for removal — whichever comes first.
  • Archive events: kept per the retention window you set on your account.
  • Technical logs: 30 days, then aggregated or deleted.
  • Payment metadata: as required by tax / accounting law in the controller's jurisdiction (typically 7 years for invoices).

EU / EEA / UK

If you are in the European Union, the European Economic Area, or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply.

Legal bases (Art. 6 GDPR)

  • Contract (Art. 6(1)(b)). Processing the events your connected number receives, and storing them in your archive, is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)). Security, fraud and abuse prevention, rate-limiting, and basic operational telemetry. We balance this against your rights and minimise what we keep.
  • Consent (Art. 6(1)(a)). Required for any non-essential email beyond your invite (we don't send any today, and won't without explicit opt-in).
  • Legal obligation (Art. 6(1)(c)). Tax records, lawful requests from authorities.

Your GDPR rights

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21), including objection to legitimate-interest processing
  • Right to withdraw consent at any time, without affecting prior lawful processing
  • Right to lodge a complaint with a supervisory authority — for the Netherlands controller this is the Autoriteit Persoonsgegevens (Dutch DPA).

How to exercise these rights

Email hello@wapptrack.app from the address on file. We respond within 30 days, extendable once where the request is complex (Art. 12(3) GDPR). Identity verification is the minimum needed to confirm the request is yours; we do not ask for ID copies when account-bound proof (a reply from your account email plus a recent session reference) is enough.

International transfers

Data may be processed on Cloudflare's global edge network, which can include servers outside the EU/UK. Cloudflare operates under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, with supplementary technical measures (TLS in transit, encryption at rest). At paid launch, the specific storage region pinned for your account will be listed in the data map above.

UK GDPR

If you are in the United Kingdom, the same rights are mirrored under UK GDPR and the Data Protection Act 2018. Complaints can be lodged with the Information Commissioner's Office (ICO). There is no UK representative appointed at this time; we will name one before any UK-targeted paid launch if statutory thresholds require it.

United States

The United States does not yet have a single federal privacy law, so this section is split by state.

California — CCPA / CPRA

Categories of personal information collected in the last 12 months: identifiers (email), customer records (account email, optional display name), internet/electronic activity (technical logs, request metadata), geolocation (only when you connect a number that receives shared-location messages — we store those events because that is the service), and the contents of communications received by your connected number (this is the archive itself; you are the only intended recipient of it).

Sources. Directly from you (account email), from your connected WhatsApp number via WaSenderAPI (archive events), from your device when you load the dashboard (technical logs).

Business purposes. Providing and maintaining the service, security, fraud prevention, debugging, complying with law.

Sharing. With the processors listed in the data map, under written instructions and confidentiality, for service operation only.

We do not sell personal information and we do not share it for cross-context behavioural advertising, as those terms are defined in the CCPA / CPRA. We have not done so in the prior 12 months.

Sensitive personal information. The contents of your archive can include sensitive PI (e.g. precise geolocation in shared-location messages, messages that reveal religious or health information). We use this SPI only to provide the service you signed up for and we do not infer characteristics about you from it. You may use the right-to-limit mechanism below to constrain SPI processing further.

Your CCPA / CPRA rights.

  • Right to know what we collect, use, disclose, and (would) sell
  • Right to delete your personal information
  • Right to correct inaccurate personal information
  • Right to opt out of sale or sharing for cross-context behavioural advertising (we don't do either; the link is here when applicable)
  • Right to limit the use and disclosure of sensitive personal information
  • Right to data portability (a structured copy of your archive)
  • Right to non-discrimination for exercising these rights

Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we will verify the request directly with you (typically by email reply) before acting.

Shine the Light (Cal. Civ. Code § 1798.83). We do not share personal information with third parties for their own direct marketing. There is no list to request because no such sharing happens.

Financial incentives. We do not offer financial incentives in exchange for personal information.

How to exercise. Email hello@wapptrack.app with the request. We respond within 45 days, extendable once where allowed.

Other US states — VA, CO, CT, UT, TX

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have rights that mirror the CCPA framework: right to access, delete, correct (where the state law provides it), portability, and to opt out of targeted advertising, sale, and certain profiling. We do not engage in those activities, and the same email channel handles those requests. Where the state requires an appeal mechanism (Virginia, Connecticut, Colorado), if we deny a request you may appeal by replying to the denial; we respond to appeals within the statutory window.

Global Privacy Control (GPC). We honor browser-level opt-out preference signals such as GPC as opt-out signals to the extent applicable state law treats them as such. Because we do not sell or share for targeted advertising, the practical effect today is no change in behaviour — the signal is logged for audit purposes.

Children — COPPA

The service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, email hello@wapptrack.app and we will delete it on discovery and terminate any associated account.

Rest of world

For users outside the EU/EEA, UK, and the United States, we extend the same core posture as a matter of policy: minimum necessary collection, no sale, right to access and delete on request, and reasonable security measures. Where local law (for example Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, India's DPDP Act, South Africa's POPIA, Singapore's PDPA, the UAE's PDPL, Switzerland's revFADP, Japan's APPI, or South Korea's PIPA) grants additional rights or imposes additional obligations, we respect those as they apply to you and our processing.

Jurisdictional carve-outs. Where local law conflicts with this notice (for example mandatory data localisation), we apply the stricter standard or, if compliance is not feasible, decline to operate in that jurisdiction rather than violate the rule.

Data localisation. Data resides on Cloudflare's global network. The specific region pinned for your account will be disclosed in the data map at paid launch once verified.

Cookies & tracking

The marketing site currently uses no analytics cookies and no third-party advertising trackers. The only client-side storage we set is what's needed to keep you signed in once an authenticated dashboard exists. If we add analytics or any non-essential cookies, a region-aware consent banner will ship at the same time and this section will be updated with the categories, vendors, and opt-out controls.

Security posture

  • TLS in transit on all endpoints.
  • Cloudflare D1 encrypts data at rest.
  • Access to production data is restricted to the operator account and processor systems under contract.
  • Webhook ingestion fails closed: events with unrecognised signatures are rejected.
  • Breach notification: in the event of a personal data breach we notify affected users and the relevant supervisory authority within statutory windows (72 hours under GDPR / UK GDPR; without unreasonable delay under US state laws), with the detail those laws require.

No system is perfectly secure. We aim for proportionate, layered defence and transparent incident communication.

Changes to this notice

For material changes, we email account holders (and waitlist subscribers, if the change affects them) and publish the updated notice at least 30 days before it takes effect, mirroring the change rule in our terms. Non-material edits (typos, clarifications, contact updates) take effect on publication and are reflected in the "last updated" date at the top of this page.

Email you provide on the waitlist

The address you submit on the waitlist is used only to invite you when private archive access opens — one transactional email at most. No marketing drip, no resale, no sponsor handoff. Storage facts as they stand today:

  • Stored in Cloudflare D1 in the controller's account.
  • The submitting IP address is hashed with a per-deployment salt before storage; the raw IP is not retained alongside the email.
  • Never sold, never shared with third parties for marketing.
  • If you'd like the record removed before access opens, email hello@wapptrack.app and we'll delete it.

This page describes our intended privacy posture during the waitlist phase. As paid access opens, a more formal notice will replace this summary and add operational detail (storage region, encryption status, subprocessor list, deletion SLA). Not affiliated with WhatsApp.