Privacy Policy
Effective date · 11 May, 2026
Last updated · 11 May, 2026
This Privacy Policy explains what personal data Wayflare OÜ ("Wayflare", "we", "us") collects, why we collect it, and what we do with it. We try to keep this document short and human-readable. If anything is unclear, email us at info@wayflare.eu and we will explain.
Wayflare OÜ is the data controller for the personal data described here.
- Legal entity: Wayflare OÜ
- Registered office: Pärnu mnt 141, 11314 Tallinn, Estonia
- Estonian registry code (registrikood): 17495514
- Contact: info@wayflare.eu
1. Scope
This policy covers wayflare.eu and the software products we operate under the Wayflare OÜ brand, currently including Cobwebs (cobwebs.app) and Nudgio (nudgio.life), and any future products we add to this list. We refer to all of these together as the "Services".
Some products may publish a short product-specific privacy notice that explains data flows unique to that product. Where there is a conflict, the product-specific notice controls for that product; this policy controls for everything else.
2. What we collect and why
We try to collect as little as possible. The categories below cover everything.
| Category | Examples | Why we collect it | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Email address, name (optional), password hash or OAuth identifier | To create your account, log you in, and contact you about your account | Performance of contract (Art. 6(1)(b)) |
| Subscription and billing data | Subscription status, plan, renewal dates, billing country, last 4 digits of card, Stripe customer ID, invoices | To provide the paid Service, process payments, and meet tax and accounting obligations | Performance of contract; legal obligation (Art. 6(1)(b), (c)) |
| Product data | Content you create in the Service (e.g. day counters in Cobwebs, study plans in Nudgio) | To provide the feature you are using | Performance of contract (Art. 6(1)(b)) |
| Communications | Emails you send us, support messages | To respond to you and keep a record | Legitimate interests (Art. 6(1)(f)) |
| Technical data | IP address, browser, device, pages viewed, error reports, approximate location derived from IP | To keep the Service running, detect abuse, and fix bugs | Legitimate interests (Art. 6(1)(f)) |
| Product analytics (where enabled) | Aggregated, mostly anonymised event data inside the product | To understand which features are used and improve the product | Consent where required by ePrivacy rules; otherwise legitimate interests |
We do not sell personal data, we do not use it for cross-context behavioural advertising, and we do not profile users for automated decisions that produce legal or similarly significant effects.
3. Cookies and similar technologies
The marketing site wayflare.eu uses only strictly necessary cookies (for example, Cloudflare security cookies). It does not use marketing or analytics cookies, so we do not display a consent banner there.
Inside individual products (e.g. Cobwebs, Nudgio) we may use:
- Strictly necessary cookies for login sessions and security. These do not require consent.
- Optional product-analytics cookies (PostHog) where the product asks for your consent. You can decline, and the product will continue to work.
You can clear cookies in your browser at any time.
4. Sub-processors and other recipients
We use the following service providers ("sub-processors") to run the Services. We have signed data processing agreements with each of them and only share what they need to do their job.
| Sub-processor | Role | What it processes | Location | Transfer mechanism |
|---|---|---|---|---|
| Stripe Payments Estonia OÜ (and Stripe, Inc.) | Payments and merchant of record for our card processing | Name, email, billing address, payment method details, transaction data | EU + US | Intra-EU; SCCs + EU-US Data Privacy Framework for US transfers |
| Supabase, Inc. | Database, authentication, storage | Account data, product data | EU (eu-central-1, Frankfurt), with limited US support access | EU-hosted; SCCs for any access from the US |
| Resend (Resend Inc.) | Transactional email (sign-in links, receipts, account notifications) | Email address, message content | US | SCCs |
| Vercel Inc. | Web and app hosting, edge network | IP address, request metadata, content served | Global edge; primary processing US | EU-US Data Privacy Framework + SCCs |
| PostHog (Hiberly Ltd / PostHog Inc.) | Product analytics, error and session data inside our products | Pseudonymous event data, IP (truncated), device data | EU (eu-central-1, Frankfurt) | EU-hosted |
| Functional Software, Inc. (Sentry) | Error monitoring | Stack traces, user agent, IP, user ID where set | US | EU-US Data Privacy Framework + SCCs |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | IP address, request metadata | Global edge; primary processing US | EU-US Data Privacy Framework + SCCs |
| Google LLC | "Sign in with Google" (optional) | Google account ID, name, email, profile picture if you choose this sign-in method | US | EU-US Data Privacy Framework + SCCs (separate controller for your Google account itself) |
We may add or replace sub-processors. When we do, we will update this list and, where the change materially affects you, notify you in advance.
5. International data transfers
Wayflare OÜ is established in Estonia. Some of the sub-processors above are established in the United States or process data outside the European Economic Area (EEA). When personal data leaves the EEA, we rely on:
- Adequacy decisions where they exist (for example, the EU-US Data Privacy Framework for certified US recipients), and
- The European Commission's Standard Contractual Clauses (2021/914) as a back-up, plus supplementary safeguards (encryption in transit and at rest, access controls, sub-processor due diligence).
You can request a copy of the safeguards we rely on by emailing info@wayflare.eu.
6. How long we keep data
- Account data and product data: until you delete your account, then promptly removed (see Section 8).
- Billing and tax records: retained for 7 years to comply with Estonian accounting and tax law, even if you close your account.
- Support emails: up to 3 years after the last interaction.
- Server logs and error data: typically up to 90 days, then deleted or anonymised.
- Backups: rolling backups are overwritten on a defined schedule (typically 30 days).
7. Your rights
If your personal data is subject to the GDPR, the UK GDPR or Switzerland's FADP, you have the right to:
- access your personal data and receive a copy,
- ask us to correct it if it is wrong,
- ask us to erase it ("right to be forgotten"),
- ask us to restrict processing,
- object to processing based on our legitimate interests,
- receive your data in a portable format, and
- withdraw consent at any time, where we rely on consent.
To exercise any of these rights, email info@wayflare.eu. We will reply within 30 days. There is no fee unless your request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia, info@aki.ee, https://www.aki.ee. You can also complain to the supervisory authority in your own country.
Notices for specific regions
- United Kingdom. This policy applies in the same way under the UK GDPR. The UK supervisory authority is the Information Commissioner's Office (ICO), https://ico.org.uk.
- California, USA. We do not sell or share personal information for cross-context behavioural advertising as those terms are defined in the CCPA/CPRA. California residents may exercise the rights described in Section 7. We do not currently meet the CCPA's business thresholds, but we will respond in good faith to any reasonable request. To submit a request, email info@wayflare.eu with "California privacy request" in the subject line.
- Brazil. This policy is intended to comply with the LGPD. Data subjects have the rights described in Section 7. Our representative for LGPD inquiries is info@wayflare.eu.
- Canada. This policy is intended to comply with PIPEDA. If you are in Quebec, Law 25 also applies; you may withdraw consent and request deletion as set out in Section 7.
- Australia. We handle personal information in accordance with the Australian Privacy Principles where they apply. Complaints can be sent to info@wayflare.eu first; if unresolved, you may complain to the Office of the Australian Information Commissioner.
8. Account deletion
You can delete your account at any time from inside the product or by emailing info@wayflare.eu. Deletion is immediate and cascading: account data, product data and analytics linked to your user identifier are removed from our live systems. The exceptions are:
- Billing and tax records described in Section 6, retained because the law requires it.
- Backups that roll over on a defined schedule and are then overwritten.
We do not maintain a "30-day grace period" or a "deactivated" state. Once you delete, the data is gone (subject to those two exceptions).
9. Children
The Services are not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has given us personal data, email us and we will delete it.
In some EU countries the digital age of consent is higher than 13 (for example, 16 in Germany or the Netherlands). If you are between 13 and the digital age of consent in your country, you need authorisation from a parent or legal guardian to use the Services where consent is the legal basis for processing.
10. Security
We use industry-standard security measures: TLS in transit, encryption at rest where supported by our infrastructure, role-based access controls, MFA for administrative access, and regular dependency and security updates. No system is perfectly secure, and we cannot guarantee that personal data will never be exposed. If a personal-data breach affecting you occurs and is likely to result in a high risk to your rights, we will notify you without undue delay and notify the Estonian Data Protection Inspectorate within 72 hours.
11. Changes to this policy
If we make material changes, we will update the "Last updated" date and notify you by email or in-product notice before the changes take effect. Continued use of the Services after the effective date means you accept the updated policy.
12. Contact
Wayflare OÜ
Pärnu mnt 141, 11314 Tallinn, Estonia
Registry code (registrikood): 17495514
Email: info@wayflare.eu