← Back to Waydly

Privacy Policy

Effective date: June 17, 2026

1. Who we are (controller identity)

Waydly is a product operated by PolarCurve LLC, a limited liability company organized under the laws of the State of Wyoming, United States ("PolarCurve LLC," "we," "us," or "our"). For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent laws, PolarCurve LLC is the controller of personal data processed through waydly.com and the Waydly service.

Controller address: PolarCurve LLC, c/o Registered Agents Inc, 30 N Gould St, Ste R, Sheridan, WY 82801, United States.

Privacy contact: hello@waydly.com.

We do not currently designate an EU or UK representative under Article 27 of the GDPR / UK GDPR unless and until required by applicable law. If that changes, this section will be updated with the representative's contact details.

2. Scope

This Privacy Policy describes how we collect, use, share, and protect personal data when you (a) visit waydly.com, (b) create or use a Waydly account, or (c) interact with a link or hosted form delivered through the Waydly service.

When you (a customer) use Waydly to deliver links and forms to your visitors, you act as the controller of those visitors' personal data, and PolarCurve LLC acts as your processor for that data. If your use of the Service requires a data processing agreement under applicable law, our Data Processing Addendum (DPA), including applicable international-transfer terms, is available on request and we will enter into it with you upon reasonable request; contact hello@waydly.com.

3. What data we collect

  • Account data: email address (used as your sign-in identifier), display name (optional), the plan you're on, and a one-way salted hash of your password (we never store the password itself, and we cannot recover or read it).
  • Authentication & security data: single-use, time-bound tokens (for email verification, password reset, and email-change confirmation), the timestamp and approximate origin of each successful sign-in, failed-sign-in counters used for temporary account lockout, and a short audit log of security events (sign-up, verification, sign-in success/failure, password change/reset, email change, sign-out-everywhere). We process this data on the lawful basis of legitimate interest in protecting your account from unauthorized access.
  • Billing data: for paid plans, your payment is processed by Stripe, Inc. We receive a Stripe customer identifier, the subscription tier, and the subscription status; we do not receive or store card numbers, CVV codes, or full card details.
  • Service usage data: the short links you create, the action each link triggers (e.g., destination URL, WhatsApp number, form fields, calendar URL), routing rules, and any branding settings you configure.
  • Click events: when a visitor clicks one of your Waydly links, we log a minimal, privacy-respecting event containing the destination country (derived from Cloudflare's edge), device class (mobile/desktop/tablet/bot), and the referring domain. We do not store IP addresses, do not fingerprint browsers, and do not perform cross-site tracking.
  • Form submissions: when a visitor submits one of your hosted Waydly forms, we store the field values you configured so you can view them in your dashboard. You control which fields are collected.
  • Operational logs: short-retention diagnostic logs (errors, request paths) for operating and securing the service. Logs are retained for a maximum of 30 days.

4. Lawful bases for processing (GDPR Art. 6)

We process personal data under one or more of the following lawful bases:

  • Contract (Art. 6(1)(b)) — to provide the Waydly service to you under our Terms of Service, including authenticating you, creating and serving your links, capturing form submissions, and billing.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, operate at acceptable quality, and compute aggregate analytics. We balance these interests against your fundamental rights and freedoms.
  • Consent (Art. 6(1)(a)) — for any non-essential cookies and any optional marketing communications. Consent is captured via our cookie banner and can be withdrawn at any time at /cookies.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and applicable law-enforcement requests.

5. How we use your data

  • To create your account and authenticate sign-ins.
  • To operate, maintain, and secure the Waydly service.
  • To bill subscriptions and prevent payment fraud (via Stripe).
  • To respond to your support requests.
  • To send essential service notices (e.g., security incidents, material changes to terms).
  • To produce aggregate, non-identifying analytics about how the service is used.

We do not sell personal data, do not share it with advertising networks, and do not use it to train AI models.

6. Who we share data with (sub-processors)

We use a small set of carefully chosen sub-processors to deliver the service. Each is bound by contractual data-protection obligations:

  • Cloudflare, Inc. — edge compute (Workers), edge database (D1), key-value store (KV), object storage (R2), and analytics engine used to provide the Service. Depending on the service component and your configuration, data may be processed in the United States and other countries. Where personal data is transferred outside the EEA, the UK, or Switzerland, we rely on the contractual transfer safeguards described in §7.
  • Stripe, Inc. — subscription billing and payment processing. Card data is collected directly by Stripe; we do not see or store it.
  • Resend (Resend Co.) — transactional email delivery (magic-link sign-in, billing receipts, service notifications).
  • Google LLC (Google Workspace) — operational email for our team.

The current sub-processor list is available on request to hello@waydly.com. We will provide advance notice of material sub-processor changes for customers with an active DPA.

7. International transfers

PolarCurve LLC is established in the United States. When personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or to a sub-processor outside those regions, we rely on appropriate safeguards under GDPR Chapter V — including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and additional supplementary measures as needed. Where Stripe, Cloudflare, or other sub-processors are self-certified under the EU-U.S. Data Privacy Framework (DPF) or its UK / Swiss extensions, we also rely on that mechanism where applicable.

8. Data retention

  • Account data (including the password hash): kept for the life of your account, then deleted within 30 days of account closure.
  • Authentication tokens (verify, reset, change-email setup): retained only inside their short single-use windows (typically 15 minutes to 24 hours) and deleted on use.
  • Security event log (sign-in success/failure, password change, email change): retained for up to 180 days for fraud and abuse detection, then deleted, unless required to be kept longer to investigate a specific incident.
  • Billing records: kept for 7 years to comply with applicable tax and accounting law, then deleted.
  • Click events: retained for up to 90 days, then aggregated.
  • Form submissions: retained for the life of the parent link or until you delete them.
  • Operational logs: maximum 30 days.

9. Your rights

If you are located in the EEA, the UK, Switzerland, California, or another jurisdiction granting you data-subject rights, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") subject to lawful retention obligations.
  • Restrict or object to processing based on legitimate interests.
  • Data portability (receive your data in a structured, commonly used format).
  • Withdraw consent at any time, where processing relies on consent.
  • Lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority in the EU/EEA, or the Information Commissioner's Office in the UK).

To exercise any of these rights, email hello@waydly.com. We respond within the time required by applicable law and will let you know if a permitted extension is necessary. We will not discriminate against you for exercising your rights.

California notice (CCPA/CPRA)

In the preceding 12 months, we collected the categories of personal information described in §3 of this Privacy Policy, from you directly, from your use of the Service, from visitors interacting with content you configure in the Service, and from service providers such as Stripe. We use those categories for the business and commercial purposes described in §§4–5. We disclose personal information only to the service providers (sub-processors) listed in §6 for those purposes. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA and, based on how the Service operates, we do not use sensitive personal information to infer characteristics about consumers.

10. Security

We use industry-standard technical and organizational measures to protect personal data, including TLS in transit, encryption at rest, scoped credentials, the principle of least privilege, password hashing with PBKDF2-SHA256 (a one-way salted hash; we cannot recover or read your password), email verification on signup, per-IP and per-email rate limiting on authentication endpoints, temporary account lockout after repeated failed sign-ins, CSRF protection on hosted forms, and a small, audited surface area. No system is perfectly secure; if we experience a personal-data breach affecting you, we will notify you and the relevant supervisory authority as required by law.

11. Cookies

See our Cookie Policy for a full description of how we use cookies and similar technologies, including how to manage your preferences. You can also revisit your cookie choices at any time via the "Cookie preferences" link in the footer.

12. Children

Waydly is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact hello@waydly.com and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to active account holders at least 14 days before they take effect. The current version is always available at https://waydly.com/privacy with the effective date at the top.

14. Contact

For any privacy question, data-subject request, or to obtain a copy of the current sub-processor list or a Data Processing Addendum, contact us at hello@waydly.com.

PolarCurve LLC, c/o Registered Agents Inc, 30 N Gould St, Ste R, Sheridan, WY 82801, United States.