Privacy Policy
Effective date: January 1, 2025
Waitlio ("we", "us", or "our") is operated from Germany. We operate the waitlio.com website and platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service in accordance with the General Data Protection Regulation (GDPR) and applicable German data protection law (BDSG).
1. Data Controller
The data controller responsible for processing your personal data is:
Waitlio
Germany
Email: [email protected]
2. Information We Collect
Account Information
When you create a Waitlio account, we collect:
- Name and email address
- Password (stored securely using one-way hashing)
- Two-factor authentication credentials, if you enable this feature (stored encrypted)
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Billing Information
Billing is handled by our payment processor, Paddle. We do not directly store your credit card or payment details. Paddle collects and processes payment data on our behalf as our Merchant of Record. We store:
- Paddle customer identifiers
- Subscription status and plan details
- Invoice references and transaction amounts
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)
Subscriber Data
If you create a waitlist, the people who sign up to your waitlist ("subscribers") provide their email address. As the waitlist owner, you are the data controller for your subscriber data. Waitlio acts as a data processor on your behalf in accordance with Art. 28 GDPR.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — processing is necessary to provide the waitlist service you configured.
Automatically Collected Information
When you use our platform, we automatically collect:
- Session data, including your IP address and browser user agent, stored in our session database
- Cookies — see Section 6 below
- Analytics data — We use Google Analytics to understand how visitors use our website. Google Analytics collects information such as pages visited, time spent on the site, referring websites, and approximate geographic location. This data is processed in aggregated and pseudonymized form. See Section 6 for details on analytics cookies.
Legal basis: Consent (Art. 6(1)(a) GDPR) for analytics cookies; Legitimate interest (Art. 6(1)(f) GDPR) for essential session data — necessary for platform security and functionality.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Waitlio platform
- Process your subscription and billing through Paddle
- Send transactional emails (account verification, password resets, team invitations)
- Validate subscriber email addresses for deliverability
- Analyse website usage and improve the user experience (via Google Analytics)
- Enforce our terms of service and protect against misuse
4. Third-Party Services and Data Transfers
We share data with the following third-party services, strictly as needed to operate the platform:
| Service | Purpose | Data Shared |
|---|---|---|
| Paddle | Payment processing (Merchant of Record) | Billing contact name and email, transaction details |
| EasyEmail API | Email address verification | Subscriber email addresses (for validation only) |
| Email provider (e.g., AWS SES, Postmark, or Resend) | Sending transactional emails | Recipient email addresses and email content |
| Google Analytics | Website usage analytics | Pseudonymized usage data, IP address (anonymized), cookies |
| Bunny Fonts | Web font delivery (privacy-friendly CDN) | Standard HTTP request data |
Some of these services may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission, in accordance with Art. 46 GDPR.
We do not sell, rent, or trade your personal information to any third party.
5. Webhooks
If you configure webhooks on your waitlists, subscriber data (including email addresses and verification status) will be sent to the external URLs you specify. You are responsible for the privacy practices of those external endpoints. Webhook delivery logs are automatically purged after 7 days.
6. Cookies
Waitlio uses cookies for essential platform functionality and, with your consent, for analytics.
Essential Cookies
The following cookies are strictly necessary for the platform to function and do not require consent under Art. 5(3) of the ePrivacy Directive and § 25(2) TDDDG (German Telecommunications Digital Services Data Protection Act).
| Cookie | Purpose |
|---|---|
| Session cookie | Maintains your authenticated session |
| XSRF token | Protects against cross-site request forgery |
| Appearance preference | Stores your light/dark theme choice |
| Sidebar state | Remembers your sidebar open/closed preference |
Analytics Cookies
With your consent, we use Google Analytics cookies to understand how visitors interact with our website. These cookies are only set after you provide consent via our cookie banner, in accordance with § 25(1) TDDDG and Art. 6(1)(a) GDPR.
| Cookie | Purpose | Duration |
|---|---|---|
_ga |
Distinguishes unique visitors | 2 years |
_ga_* |
Maintains session state for Google Analytics | 2 years |
You can withdraw your consent at any time by adjusting your cookie preferences or by using browser settings to block or delete cookies. Google's privacy policy is available at https://policies.google.com/privacy.
We do not use any advertising cookies or tracking cookies beyond the analytics described above.
7. Data Retention
- Sessions expire after 120 minutes of inactivity
- Webhook logs are automatically deleted after 7 days
- Analytics data is retained according to Google Analytics' data retention settings (default 14 months)
- Account data is retained for as long as your account is active
- Subscriber data is retained until you or your team deletes it, or until the associated waitlist is deleted
When data is no longer needed, it is permanently deleted from our systems.
8. Data Security
We take appropriate technical and organizational measures to protect your data in accordance with Art. 32 GDPR, including:
- Passwords are hashed using bcrypt with a high cost factor
- Two-factor authentication secrets are encrypted at rest
- CSRF protection on all forms
- Rate limiting on authentication endpoints
- Webhook URLs are validated to prevent server-side request forgery
- Webhook secrets use HMAC signing for payload integrity
9. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — You can view your personal data through your account settings
- Right to rectification (Art. 16 GDPR) — You can update your name and email address at any time
- Right to erasure (Art. 17 GDPR) — You can delete your account, which removes your personal data from our systems
- Right to data portability (Art. 20 GDPR) — You can export subscriber data from your waitlists as CSV files
- Right to restriction of processing (Art. 18 GDPR) — You may request that we restrict processing of your data
- Right to object (Art. 21 GDPR) — You may object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR) — Where processing is based on consent (e.g., analytics cookies), you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal
- Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence. In Germany, the relevant authorities are the state data protection commissioners (Landesdatenschutzbeauftragte)
To exercise any of these rights, contact us at [email protected].
10. Account Deletion
You can delete your account at any time from your profile settings. When you delete your account:
- Your user record is permanently removed
- Team memberships are cleaned up
- Waitlists you own, along with their subscribers, tags, webhooks, and logs, are permanently deleted
11. Children's Privacy
Waitlio is not intended for use by children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the "Effective date" at the top of this page. Your continued use of the service after any changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at [email protected].