GDPR and privacy
Data controller/processor roles, sub-processor list, data retention, procedure for handling your customers' GDPR requests.
TLDR: you (the merchant) are the Data Controller, WooshPayment is the Data Processor. GDPR requests from your customers come to you; we provide the operational tools. Main sub-processors: Whop (US), Vercel (US+EU), Resend (US+EU), Supabase Postgres (EU).
Roles
- You (merchant) = Data Controller: you decide the purpose of processing your customers' data
- WooshPayment = Data Processor: processes on your behalf
- Your customers = Data Subject: their personal data
When a customer exercises a GDPR right with YOU, you are the first point of contact.
Sub-processor list
| Sub-processor | Function | Data location |
|---|---|---|
| Whop Inc | Payment gateway | US |
| Vercel | Frontend/edge hosting | EU (cdg1 Paris) + US |
| Supabase | Postgres database + backup | EU (Frankfurt) |
| Resend | Transactional emails | EU (eu-west-1) + US |
| GoDaddy | DNS and DKIM/SPF mail | Global |
When we add or change a sub-processor, we notify the merchant's primary contact via email.
Data Processing Agreement (DPA)
Roadmap. A pre-signed DPA downloadable from the dashboard is in progress. Today, if you need a customized DPA for your audit / B2B contract, write to us at noreply@wooshpayment.com and we'll send it within 5 business days.
GDPR rights: operational procedure
Article 15: Right of Access
The customer requests to see what data you hold about them.
- Verify identity (email = the one on the order, or ID document)
- Extract the data: for now we don't have a "GDPR Export" button in the dashboard. Workaround:
  - Search by email in Dashboard → Orders → Filter
  - For each order, screenshot/export the details
  - Add data from any merchant account if one exists
- Send the package to the customer via encrypted email or temporary link
ETA for "Customer data export" UI on the roadmap: post-launch.
Legal time to respond: 30 days from the request.
Article 17: Right to Erasure
The customer requests deletion of their data.
Current procedure:
- Verify identity
- Decide which level of erasure:
  - Soft (recommended): PII removed, historical orders preserved anonymized (for tax). Done by manually editing the customer record; write to us if you need help.
  - Hard: everything physically deleted. Only for specific requests (e.g. minor or data breach). Write to us.
- Notify the customer of the completed deletion
What to delete:
- Name, email, address, phone
- Any server-side pixel events referencing the customer
- Emails archived on Resend (purge via Resend API)
What not to delete (tax obligation):
- totalAmount for VAT declaration
- shopifyOrderId/whopPaymentId for reconciliation
- Dates and country for aggregate statistics
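The soft-erasure rule above, as an added example (not WooshPayment's code): the anonymized record is built from an allowlist of the retained fields instead of deleting known PII fields one by one, and a post-check scans what remains for the customer's identifiers. Every field name other than totalAmount, shopifyOrderId and whopPaymentId, and the anonymizedAt marker, is an assumption.

```javascript
// Added example. Only totalAmount, shopifyOrderId and whopPaymentId are named
// on the page; every other field name below is an assumption.
const RETAINED_FIELDS = [
  "totalAmount",    // VAT declaration
  "shopifyOrderId", // reconciliation
  "whopPaymentId",  // reconciliation
  "createdAt",      // assumed name for the order date
  "country",        // assumed name, aggregate statistics
];

// Soft erasure by allowlist: copy only retained fields into a new record, so
// a PII field added to the schema later is dropped by default.
function softErase(order, erasedAt) {
  const kept = {};
  for (const field of RETAINED_FIELDS) {
    if (field in order) kept[field] = order[field];
  }
  kept.anonymizedAt = erasedAt; // hypothetical marker for the completion notice
  return kept;
}

// Post-check: return the paths of any values that still contain one of the
// customer's identifiers, including inside nested objects and arrays.
function findResidualPii(record, identifiers) {
  const needles = identifiers.filter(Boolean).map((s) => String(s).toLowerCase());
  const hits = [];
  const walk = (value, path) => {
    if (value !== null && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) {
        walk(child, path ? `${path}.${key}` : key);
      }
    } else if (needles.some((n) => String(value).toLowerCase().includes(n))) {
      hits.push(path);
    }
  };
  walk(record, "");
  return hits;
}

// Constructed sample order, not real customer data.
const sampleOrder = {
  totalAmount: 4990, shopifyOrderId: "SHOP-TEST-1", whopPaymentId: "pay_TEST_1",
  createdAt: "2025-01-15", country: "IT",
  name: "Test Customer", email: "customer@example.com", phone: "+390000000000",
  address: { line1: "Via Example 1", city: "Roma" },
  pixelEvents: [{ event: "Purchase", email: "customer@example.com" }],
};
const erased = softErase(sampleOrder, "2025-02-01");
console.log(erased, findResidualPii(erased, [sampleOrder.name, sampleOrder.email]));
```

A non-empty result from findResidualPii on the erased record means a retained field itself carries customer data and needs manual review before the completion notice goes out.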
Article 16: Right to Rectification
Customer wants to correct an incorrect data point. Dashboard → Orders → order → edit address/customer fields.
Article 21: Right to Object
Customer wants to stop marketing (email, retargeting). Mark marketing_consent: false on their profile + flag in your external marketing systems.
Article 20: Right to Data Portability
Customer wants a machine-readable export. Same process as Article 15 in JSON format.
Privacy Policy & Cookie Banner
On your store URLs (yourstore.com): Privacy Policy and cookie banner are your responsibility (Shopify and Woo have built-in cookie banners / plugins available).
On the WooshPayment checkout ({slug}.wooshpayment.com or checkout.yourstore.com): the Privacy Policy linked in the footer points to a URL you configure (Settings → Legal, roadmap). Cookie banner on checkout: roadmap.
Marketing pixels are loaded conditionally on consent when configured by the merchant.
Data breach notification
If we detect a breach involving your customers:
- Within 72h: notification via email to the primary contact of the affected merchant
- Content: what happened, how much data is involved, countermeasures, recommendations
- You then have 72h to notify your local Data Protection Authority (for IT: garanteprivacy.it)
Sender email security
For WooshPayment sender authentication:
- SPF on wooshpayment.com: v=spf1 include:secureserver.net include:_spf.resend.com -all
- DKIM: CNAME resend._domainkey.wooshpayment.com configured according to Resend dashboard
- DMARC: roadmap (not published today)
This reduces phishing and impersonation of our sender. Emails always come from noreply@wooshpayment.com.
Data retention
| Type | Retention | Reason |
|---|---|---|
| Completed orders | Indefinite / 7 years minimum | IT/EU tax compliance |
| Abandoned checkout sessions | 30 days (marked EXPIRED by cron) | Minimization |
| Application logs (Pino) | 90 days | Debugging |
| Database backup | 30 days rolling | Disaster recovery |
| Platform audit log | Indefinite today (retention policy on roadmap) | Security |