Plain-English summary
We collect the minimum we need to operate the Service and reply to you. We never sell your data. You can ask us to delete it any time.
Legal · Privacy
Privacy Policy
Last reviewed 2026-05-01 · version 1.0
1. Who we are
Wemalo GmbH (the "Controller") operates the Wemalo Cloud platform. Postal address and registry information appear in our [Imprint](/legal/imprint).
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Name, email, phone, role | To create your account and authenticate you |
| Tenant data | Company name, VAT id, billing address | To bill correctly and meet tax requirements |
| Operational data | Orders, SKUs, inventory you upload | To run the Service for you |
| Diagnostic data | IP address, browser, timestamps | Security, abuse prevention, debugging |
| Communications | Contact-form submissions, support tickets | To reply to you and improve the product |
3. Lawful basis
We process personal data on the lawful bases of (a) contract performance (running the Service), (b) legitimate interests (security, abuse prevention, product analytics in aggregate), and (c) consent for non-essential cookies and the newsletter.
4. Sharing + sub-processors
We share personal data only with sub-processors that help us deliver the Service. The current sub-processor list is published at [/legal/subprocessors](/legal/subprocessors) and we notify existing customers before adding a new one.
We never sell personal data and never share it for advertising.
5. International transfers
All data stays in the EU by default (Hetzner, Frankfurt + Helsinki). Sub-processors that operate outside the EU are listed individually in the subprocessor list with the transfer mechanism (Standard Contractual Clauses, adequacy decision, etc.).
6. Retention
- Account + tenant data: kept for the lifetime of the account.
- Operational data: kept while you're a customer; 30 days after
termination, then permanently deleted.
- Audit logs: 24 months from the event date, then deleted.
- Marketing communications: kept until you unsubscribe.
- Diagnostic data: 30 days rolling window.
7. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you
- request correction or deletion
- restrict or object to processing
- data portability (CSV / JSON exports are built into the dashboard)
- lodge a complaint with a supervisory authority
To exercise these rights, email [dpo@wemalo.com](mailto:dpo@wemalo.com). We respond within 30 days.
8. Cookies
We use a small set of strictly-necessary cookies to keep you logged in and remember your theme preference. Analytics and marketing cookies are opt-in only and explained in the [Cookie Policy](/legal/cookies).
9. Changes
We notify you of material changes by email (account holders) and by banner on the next dashboard sign-in. The "last reviewed" date at the top of this page tracks any change.
10. Contact
[dpo@wemalo.com](mailto:dpo@wemalo.com) for any privacy question or rights request.
Questions about this policy? Email legal@wemalo.com or use the contact form.