Legal
Privacy Policy
Last updated: March 30, 2026
Data controller
The data controller responsible for processing your personal data on this website is:
Alevit
Operating as Wonaby
Email: [email protected]
We do not currently have a Data Protection Officer (DPO). For all privacy-related inquiries, please contact us at the email address above.
Our commitment
Wonaby is built on the principle that your achievements are yours. We collect only what we need to deliver the service and nothing more. We do not sell your data, serve ads, or share your personal information with third parties for marketing purposes.
What we collect and why
Under the General Data Protection Regulation (GDPR), we must have a lawful basis for each type of data processing. Below we describe what we collect, why, and the legal basis under Article 6 GDPR.
Waitlist sign-up
Data collected: Email address
Purpose: To notify you when Wonaby launches and to send occasional product updates
Legal basis: Consent (Art. 6(1)(a) GDPR) — you actively provide your email and can withdraw consent at any time by unsubscribing
Retention: Until you unsubscribe or request deletion
Website analytics (with consent)
Data collected: Page views, referral source, browser type, device type, approximate country (no IP addresses stored)
Purpose: To understand how visitors use our site and improve the experience
Legal basis: Consent (Art. 6(1)(a) GDPR) — analytics cookies are only set if you click "Accept" in our cookie banner
Retention: Analytics data is retained for up to 12 months, then automatically deleted
Cookieless analytics (without consent)
Data collected: Anonymized, aggregated page view counts only — no personal identifiers, no IP storage, no device fingerprinting
Purpose: Basic site usage statistics
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — minimal, non-identifying data necessary for running the website
What we do not collect
- We do not track you across other websites or applications.
- We do not use cookies for advertising or behavioral profiling.
- We do not collect sensitive personal data (health, financial, biometric, racial/ethnic origin, political opinions).
- We do not engage in automated decision-making or profiling that produces legal effects.
Third-party data processors
We use the following third-party services to operate Wonaby. Each processes data only on our behalf under a Data Processing Agreement (DPA) compliant with GDPR Article 28.
PostHog (EU instance)
Purpose: Website analytics and feature usage tracking
Data processed: Anonymous usage events, page views
Data location: European Union (Frankfurt, Germany)
Resend
Purpose: Transactional email delivery (waitlist confirmation)
Data processed: Email address
Data location: United States (with Standard Contractual Clauses)
Upstash
Purpose: Rate limiting to prevent abuse
Data processed: Hashed IP address (temporary, not stored long-term)
Data location: European Union
Railway
Purpose: Website hosting infrastructure
Data processed: Server logs (IP addresses, request metadata)
Data location: United States (with Standard Contractual Clauses)
International data transfers
Some of our processors operate outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) — EU-approved contractual terms that bind the recipient to protect your data to EU standards
- EU-US Data Privacy Framework — where the processor is certified under this framework
How we protect your data
We use industry-standard security measures to protect your information, including encrypted connections (HTTPS/TLS) for all data in transit. Access to personal data is restricted to authorized personnel only on a need-to-know basis. We regularly review our security practices to ensure they remain effective.
Your rights under GDPR
Under the General Data Protection Regulation, you have the following rights. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Right of access (Art. 15) — Request a copy of all personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18) — Request that we limit how we process your data
- Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of prior processing. For cookies, use the "Cookie Settings" link in our footer. For the waitlist, use the unsubscribe link in any email.
- Right to lodge a complaint (Art. 77) — You have the right to lodge a complaint with a supervisory authority in your EU member state. You can find your local authority at edpb.europa.eu.
Children's privacy
Wonaby is not directed at children under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].
Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will revise the "Last updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice on our website. We encourage you to review this policy periodically.
Contact us
If you have any questions about this privacy policy, your personal data, or wish to exercise your GDPR rights, please contact us at [email protected].