Skip to content

Privacy Policy

Last updated: 3 May 2026

PRIVACY POLICY

This Privacy Policy explains how Wably collects, uses, stores, and shares personal data when you use our platform or when our clients use the platform to communicate with their end customers.

Two roles under GDPR: Wably acts as Data Controller when processing data of registered clients and platform visitors. Wably acts as Data Processor when processing end-customer data on behalf of its clients (see Section 6 — DPA).

1. Data Controller

Controller: Marco Santucci (trading as Wably)

Address: Calle Agustina de Aragón 92, Barcelona, Spain

Privacy contact: privacy@wably.app

2. Data We Collect and Why

2.1 Platform Clients (B2B)

When you register and use Wably as a business client, we process:

Identity data — name, company name, NIF/VAT number;

Contact data — email address, phone number;

Billing data — payment method details (handled by Stripe; we do not store card data), invoicing address;

Account data — username, hashed password (via Keycloak), role, subscription plan;

Usage data — login timestamps, feature usage, API call logs;

Configuration data — connected integrations, calendar settings, workflow configurations.

Legal basis and retention per processing purpose:

• Account creation and authentication — contractual necessity (Art. 6(1)(b)) — retained for contract duration + 1 year;

• Service provision — contractual necessity (Art. 6(1)(b)) — retained for contract duration;

• Billing and invoicing — legal obligation (Art. 6(1)(c)) — retained 5 years (Spanish tax law);

• Customer support — contractual necessity (Art. 6(1)(b)) — retained 3 years from last interaction;

• Security and fraud prevention — legitimate interests (Art. 6(1)(f)) — logs retained 12 months;

• Marketing communications (opt-in only) — consent (Art. 6(1)(a)) — until consent withdrawn;

• Legal compliance and dispute resolution — legal obligation (Art. 6(1)(c)) — as required by law.

2.2 Website Visitors

• IP address and browser metadata (for security and analytics);

• Cookie data (see Section 7).

2.3 End Customers of Our Clients

When our clients use Wably to interact with their own customers, those end customers’ personal data is processed under the instructions of our client, who acts as Data Controller. We act as Data Processor. See Section 6 (DPA) and Section 5 (WhatsApp Data) for details.

3. Data Sharing

GOOGLE DATA (GOOGLE CALENDAR AND GOOGLE CONTACTS)

When the user connects their Google account, Wably accesses Google data solely through Google's official APIs and only within the limits of the authorized scopes:

  • Google Calendar (calendar.events, calendar.events.freebusy, calendar.calendarlist.readonly): to create, update, and delete the events related to booked appointments, check busy time slots and calculate available slots, and allow the user to select which calendar to use.
  • Google Contacts (contacts): to import the existing address book (read) and, if the customer enables the option, add new contacts acquired through the assistant.

Google remains the authoritative source for contact data. Wably's operations are limited to reading and adding new contacts: Wably never modifies or deletes contacts in the user's Google account.

This data is used solely to provide the scheduling and contact-management features described above. It is not sold, is not used for advertising or profiling, is not used to train generalized or personalized artificial intelligence models, and is not shared with third parties except to the extent strictly necessary to provide the service (e.g., hosting infrastructure). OAuth tokens are stored in encrypted form and the user can revoke access at any time from the dashboard or from their Google Account security page.

Compliance with Google's Limited Use Policy. Wably's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not sell personal data. We share data only with:

Infrastructure providers — EU-based cloud hosting for database and application;

Stripe Inc. — payment processing;

Keycloak — self-hosted identity management;

Meta Platforms Inc. — WhatsApp Business API delivery;

Google LLC — Calendar and Contacts API integration (where enabled);

Legal authorities — when required by law or to protect rights and safety.

All third-party processors are bound by appropriate data processing agreements.

4. International Transfers

Wably stores data primarily within the European Economic Area (EEA). Where transfers outside the EEA occur (e.g. via Meta or Google infrastructure), they are carried out under EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.

5. Your Rights

Under GDPR and Spanish Organic Law 3/2018 (LOPDGDD), you have the following rights:

Access (Art. 15) — request a copy of personal data we hold about you;

Rectification (Art. 16) — correct inaccurate or incomplete data;

Erasure (Art. 17) — request deletion where no compelling reason to continue processing;

Restriction (Art. 18) — request limitation of processing in certain circumstances;

Portability (Art. 20) — receive your data in a structured, machine-readable format;

Objection (Art. 21) — object to processing based on legitimate interests;

Withdraw consent — at any time without affecting prior processing;

Lodge a complaint — file with the AEPD (Agencia Española de Protección de Datos) at www.aepd.es.

To exercise any right, contact us at privacy@wably.app. We will respond within 30 days.

6. Data Security

• Encryption of data in transit (TLS 1.2+) and at rest;

• Role-based access control with principle of least privilege;

• Audit logging of data access and system events;

• OAuth tokens stored in encrypted form;

• Regular security review of third-party integrations.

7. Data Retention

After termination of a client account:

• Account and configuration data is deleted within 90 days;

• Billing and invoice data is retained for 5 years (Spanish tax law);

• Anonymised usage statistics may be retained indefinitely.

WHATSAPP MESSAGING DATA

This section provides additional transparency required by Meta’s WhatsApp Business Platform policies and applies to all use of Wably as a WhatsApp Business Solution.

Wably integrates with the WhatsApp Business API (provided by Meta Platforms Inc.) to enable businesses to automate appointment-related and transactional messages.

1. What WhatsApp Data We Process

When clients send messages via WhatsApp through Wably, we may process:

• Phone number (E.164 format);

• Messaging metadata (delivery status, timestamps);

• Message content to the extent required to route and log the communication;

• Opt-in and opt-out status;

• Contact profile data provided by the client (name, email, appointment details).

2. How We Use WhatsApp Data

WhatsApp data is used exclusively to:

• Deliver messages requested by the client (appointment confirmations, reminders, notifications);

• Log delivery status and errors for operational purposes;

• Maintain conversation context for the AI scheduling assistant;

• Comply with legal obligations.

WhatsApp data is never used for: advertising profiling, third-party data sales, cross-tenant data sharing, or any purpose unrelated to the contracted service.

3. Consent for WhatsApp Messaging

Our clients must ensure that every WhatsApp message recipient has explicitly opted in to receive messages. Opt-in must be: obtained directly by the client from the end customer; clear, specific, and freely given; documented and verifiable. Clients are solely responsible for obtaining and maintaining valid opt-in records.

4. Opt-Out

End customers can opt out at any time by replying “STOP” or equivalent, or by contacting the business directly. Opt-outs must be honoured by the client within 24 hours.

5. Permitted Message Types

Utility — appointment confirmations, reminders, rescheduling, cancellations;

Service — responses to user-initiated conversations within a 24-hour messaging window.

Promotional or marketing templates are not supported and their use is prohibited.

6. Meta’s Role

Meta Platforms Inc. is an independent data controller with respect to WhatsApp infrastructure. Their data handling is governed by the WhatsApp Business Policy and Meta Platform Terms. Wably is not responsible for Meta’s data practices.

7. Retention of Messaging Data

Message content and delivery logs are retained for a maximum of 12 months, after which they are permanently deleted unless legal obligations require longer retention.

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement forms part of the contract between Wably (“Processor”) and the Client (“Controller”) and governs the processing of personal data on behalf of the Controller, as required by Article 28 of the GDPR.

By accepting these Terms of Service, the Client enters into this DPA. For enterprise clients requiring a separately executed DPA document, contact legal@wably.app.

1. Definitions

Controller — the Client who determines the purposes and means of processing;

Processor — Wably, who processes data on behalf of the Controller;

Data Subject — the end customer of the Client;

Personal Data — as defined in GDPR Article 4(1).

2. Subject Matter

Wably processes personal data of the Controller’s end customers to provide scheduling, messaging, and automation services. Processing activities include: storing contact records, routing WhatsApp messages, syncing calendar events, logging automation results.

3. Types of Personal Data Processed

• Contact identification data (name, phone number, email address);

• Appointment data (date, time, notes, status);

• Communication data (message delivery logs, session context);

• Consent records (opt-in timestamp, opt-out status).

4. Processor Obligations

Wably undertakes to:

• Process personal data only on documented instructions from the Controller;

• Ensure personnel with access to personal data are bound by confidentiality;

• Implement appropriate technical and organisational security measures (Art. 32 GDPR);

• Not engage sub-processors without prior authorisation;

• Assist the Controller in responding to Data Subject rights requests;

• Delete or return all personal data upon termination of the service;

• Provide all information necessary to demonstrate compliance with Art. 28 GDPR.

5. Controller Obligations

The Controller undertakes to:

• Have a valid legal basis for all processing instructions given to Wably;

• Obtain all necessary consents, in particular for WhatsApp messaging;

• Ensure the accuracy of personal data before uploading to Wably;

• Notify Wably of any data subject restriction request that requires Processor action.

6. Authorised Sub-Processors

General authorisation is granted for:

• EU-based cloud infrastructure provider;

• Meta Platforms Inc. — WhatsApp Business API delivery;

• Google LLC — Calendar and Contacts API (where enabled by Controller);

• Stripe Inc. — payment processing (billing data only).

Wably will notify the Controller of any intended changes to sub-processors with at least 15 days’ advance notice.

7. Data Breach Notification

Wably will notify the Controller of any personal data breach within 48 hours of becoming aware, providing all information required for the Controller to meet its Art. 33 GDPR notification obligations.

8. International Transfers

Processing occurs primarily within the EEA. Where data is transferred to third countries, appropriate safeguards are in place in the form of EU Standard Contractual Clauses.

9. Audit Rights

The Controller has the right to conduct audits or request documentation to verify compliance, subject to reasonable advance notice and confidentiality obligations.

10. Duration

This DPA remains in force for the duration of the service contract. Upon termination, Wably will delete or return all Controller personal data within 90 days, unless legal obligations require continued retention.

CONTACT RIGHTS REQUESTS

General inquiries: info@wably.app

Privacy data rights: privacy@wably.app

Legal compliance: legal@wably.app

Support: support@wably.app

Postal address: Marco Santucci / Wably, Calle Agustina de Aragón 92, Barcelona, Spain

Supervisory authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es

We aim to respond to all privacy-related requests within 30 calendar days. Complex requests may take up to 3 months in total, with notification provided within the first 30 days.

This document was last updated on 3 May 2026 and supersedes all previous versions.