W
Whizard
Legal

Privacy Policy

We believe privacy should be simple and transparent. Here is exactly what we collect and why.

Last updated · April 2026
01

What we collect

We collect your name, email address, and the data you choose to connect - CSV files, API endpoints, and spreadsheet links. We do not sell your data to any third party, ever.

02

How we use it

To operate the service: authenticate your account, store and display your connected data, and send transactional emails (account verification, password reset). We use Plausible Analytics for aggregate usage statistics - no personal data is tracked by the analytics layer.

03

Data storage

Data is stored in PostgreSQL databases hosted on Railway in the EU. File uploads are stored on Cloudflare R2. Your API credentials and OAuth tokens are encrypted at rest using AES-256. Backups are retained for 30 days.

04

Cookies

We use a single httpOnly session cookie to keep you logged in. No advertising cookies. No third-party tracking cookies. The cookie is set with SameSite=Lax; Secure and expires after 7 days of inactivity.

05

Your rights (GDPR)

You can delete your account at any time from the Account settings page. This schedules permanent deletion of all your data within 14 days. To request immediate deletion or a data export, email privacy@whizard.app. You may also request access to a copy of all data we hold on you at any time.

06

Subprocessors

We share data only with the following subprocessors, each bound by a data processing agreement:

  • RailwayDatabase and compute hosting
  • Cloudflare R2File and asset storage
  • ResendTransactional email delivery
  • UpstashRedis caching layer
  • PlausibleAggregate analytics (no personal data)