Privacy policy
What personal data we collect when you use webatla, what we do with it, and the rights you have under the GDPR.
What we collect
1.1 Account data
When you sign up: email address, password (hashed with Argon2id), display name, optional company name and country. Optional later: profile photo, job title, language, timezone.
1.2 Billing data
Invoice details (company name, VAT ID, address) and the metadata of your purchases (which dataset, when, how much). Card details are handled by Stripe — webatla never sees or stores them.
1.3 Usage data
Server logs of your downloads and API calls (timestamp, IP address, dataset name, byte count, response code) for billing and abuse prevention.
1.4 Support data
If you contact us: your message, our reply, and any attachments you choose to send.
1.5 Cookies
See §3 Cookies below.
1.6 What we don't collect
We don't ask for or store: phone numbers, government IDs, biometric data, location beyond IP-derived country, or any "special categories" of personal data per GDPR Art. 9.
How we use it
We process the data above for the following purposes and on the legal bases shown:
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Operate your account | Account data, password hash | Art. 6(1)(b) — contract |
| Process payments & issue invoices | Billing data, purchase metadata | Art. 6(1)(b), 6(1)(c) — contract / legal obligation |
| Deliver datasets & track quotas | Usage logs | Art. 6(1)(b) — contract |
| Transactional email (receipts, expiry warnings) | Email address | Art. 6(1)(b) — contract |
| Security & fraud prevention | IP address, request patterns | Art. 6(1)(f) — legitimate interest |
| Customer support | Whatever you send us | Art. 6(1)(b), 6(1)(a) — contract / consent |
| Privacy-friendly analytics | Page-view counts (no cookies, no IDs) | Art. 6(1)(a) — consent (see §3) |
| Marketing newsletter (opt-in only) | Email address | Art. 6(1)(a) — consent (revocable) |
Cookies
We keep cookies to a minimum. Three categories:
- Essential — login session, fraud prevention, language preference. These are always on; without them the site can't work. Legal basis: legitimate interest (Art. 6(1)(f)) — no consent needed under TTDSG §25(2)(2).
- Analytics — we use Plausible Analytics, which is cookie-less and runs on EU infrastructure. We enable it only if you opt in.
- Marketing — currently unused. The toggle exists so we can ask before turning anything on in the future.
You can change your choice at any time.
Sharing with third parties
We share data only with the processors listed below, all of whom are bound by data-processing agreements (DPAs) under GDPR Art. 28.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Card & SEPA payments | Card details, billing address, amount | Ireland (with US transfers under SCCs) |
| Cloudflare, Inc. | CDN, DDoS protection | IP address, request metadata | EU edge with US fallback (SCCs + DPF) |
| Postmark (ActiveCampaign LLC) | Transactional email | Email address, message content | US (SCCs + DPF) |
| Plausible Insights OÜ | Cookie-less web analytics (only if you consent) | Hashed visitor signal, page URL, referrer | Estonia / Germany |
| Hetzner Online GmbH | Server hosting & backups | Everything we store, encrypted at rest | Germany & Finland |
We do not sell personal data, ever. We do not share data with advertising networks.
International transfers
The two US-based processors above (Stripe US fallback, Postmark) operate under the EU–US Data Privacy Framework and additionally under Standard Contractual Clauses. We assess these transfers annually and will switch processors if the protection level drops.
Your rights under GDPR
You have the right to:
- Access — get a copy of the personal data we hold about you (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — ask us to delete your data, subject to legal retention (Art. 17)
- Restriction — pause processing while a dispute is resolved (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Objection — object to processing based on legitimate interests (Art. 21)
- Withdraw consent — for anything processed on the basis of consent (Art. 7)
- Complain to your local data protection authority — see the EDPB list of EU authorities.
Self-serve: delete your account from settings. For a data export (Right of Access) or anything else, email privacy@webatla.com — we verify the request and reply within 30 days as required.
Data retention
- Account data — kept while your account is active, plus 6 months after deletion to handle disputes
- Invoices & tax records — retained for the statutory period required by applicable EU tax law (typically 5–10 years)
- Server logs — 30 days, then aggregated
- Support tickets — 2 years from last reply
- Marketing consents — until you withdraw, plus 3 years as proof of withdrawal
Security
- All traffic is encrypted in transit (TLS 1.3)
- Backups are encrypted at rest (AES-256)
- Passwords are hashed with Argon2id (memory-hard, salted)
- Internal access is least-privilege and audit-logged; production access requires hardware-key MFA
- We run quarterly external pentests and follow a published vulnerability disclosure policy
If you discover a security issue, please email security@webatla.com. We will acknowledge within 24 hours.
Children
The service is not directed at people under 16. We don't knowingly collect personal data from children. If you believe a child has given us personal data, email privacy@webatla.com and we'll delete it.
Changes to this policy
We may update this policy. Material changes will be announced by email at least 30 days before they take effect. The "Last updated" date at the top always reflects the current version.
Contact & Data Protection Officer
For any privacy question, email privacy@webatla.com.
Our Data Protection Officer is reachable at dpo@webatla.com under GDPR Art. 37.