Privacy Notice

Last updated: 29.11.2025

1. Introduction and Scope

This Privacy Policy explains how Wayo (“we”, “us”, “our”) processes personal data when individuals (“you”, “users”) visit our website, contact us, or use our services.

We process personal data in accordance with:

  • the EU General Data Protection Regulation (GDPR),

  • the UK GDPR and the UK Data Protection Act 2018,

  • the Swiss Federal Act on Data Protection (nDSG),

  • and, where applicable, other international data protection laws (e.g. certain U.S. state laws such as the CCPA/CPRA for California residents).

This English Privacy Policy is primarily intended for users outside the DACH region (Germany, Austria, Switzerland).
For users in the DACH region, our German-language Privacy Policy applies.

We do not sell personal data.

2. Data Controller

Wayo Business Unit of PP Path Provider
Owner: Mina Massoudy
Goebenstr. 10
50672 Cologne
Germany

Email: info@wayo-ai.de
Phone: see imprint/legal notice on our website

In this Privacy Policy, Wayo is referred to as the “Controller”.

A data protection officer has not been appointed, as this is not legally required.

3. Categories of Personal Data

Depending on how you use our website and services, we may process the following categories of personal data:

  • Identification data: name, company name (if provided)

  • Contact data: email address, phone number

  • Content data: messages and information you send us via forms, chat, email, or WhatsApp

  • Technical data: IP address, browser type, operating system, access time, referrer URL, log file data

  • Interaction data: communication history, inquiries, support cases, follow-ups

  • Payment-related data (via Stripe): billing details, transaction-related information

We generally do not collect sensitive (special category) data intentionally. If you nonetheless provide such information, it will be processed only to the extent necessary to respond to your request.

4. Purposes and Legal Bases for Processing

We process personal data only where we have a valid legal basis. Depending on the situation, this includes:

  • Performance of a contract or pre-contractual measures
    (Art. 6(1)(b) GDPR or equivalent laws)
    e.g. answering service-related enquiries, preparing offers, managing customer relationships.

  • Legitimate interests
    (Art. 6(1)(f) GDPR or equivalent laws)
    e.g. ensuring IT security, efficient communication, business administration, service improvement.

  • Consent
    (Art. 6(1)(a) GDPR or equivalent laws)
    e.g. when you choose to contact us via WhatsApp or agree to optional cookies/tracking in the future.

  • Legal obligations
    (Art. 6(1)(c) GDPR or equivalent laws)
    e.g. accounting, tax and commercial retention requirements.

Where local law applies (e.g. UK GDPR, Swiss nDSG, U.S. state laws), we follow the corresponding national legal bases in addition.

5. Data Processing Activities

5.1 Website Visit and Log Files

When you visit our website, your browser automatically transmits data to our hosting provider’s server. This data is temporarily stored in log files and may include:

  • IP address of the requesting device

  • date and time of access

  • requested URL / file name

  • referrer URL (previous page)

  • browser type and version

  • operating system of the device

Purpose:
Ensuring a stable connection, technical security, error analysis, and administrative operation of the website.

Legal basis:
Legitimate interests (Art. 6(1)(f) GDPR) in the secure and reliable operation of our website.

Log files are generally deleted after a short period, unless a longer retention is required for security or evidential reasons.

5.2 Contact Forms and Website Chat

When you contact us via a contact form or chat on our website, we process the data you provide, including:

  • name,

  • email address,

  • phone number (if provided),

  • message content,

  • relevant technical metadata (e.g. time, page of submission).

Purposes:

  • responding to enquiries,

  • providing information about our services,

  • preparing or performing contractual relationships.

Legal bases:

  • Contract / pre-contractual measures (Art. 6(1)(b) GDPR);

  • Legitimate interests in efficient communication (Art. 6(1)(f) GDPR);

  • Consent (Art. 6(1)(a) GDPR) where explicitly given.

We retain your enquiries only as long as necessary to process them and in line with applicable retention obligations.

5.3 Communication via WhatsApp Business

We offer communication via WhatsApp Business.
If you use this channel, your data will be processed both by us and by WhatsApp.

Processed data may include:

  • phone number,

  • name (if visible in your WhatsApp profile),

  • message content and attachments,

  • timestamps and metadata of communication.

Provider in the EU:

Meta Platforms Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

WhatsApp and Meta may process data on servers in countries outside your jurisdiction, including the United States. These transfers are generally based on Standard Contractual Clauses (SCC) and additional safeguards.

Purposes:

  • handling enquiries and support via WhatsApp,

  • efficient customer communication.

Legal bases:

  • Contract / pre-contractual measures (Art. 6(1)(b) GDPR);

  • Consent (Art. 6(1)(a) GDPR) by choosing to contact us via WhatsApp;

  • Legitimate interests (Art. 6(1)(f) GDPR) in modern and user-friendly communication.

Further details: WhatsApp Privacy Policy (EEA) available at
https://www.whatsapp.com/legal/privacy-policy-eea

If you prefer not to use WhatsApp, you can contact us at any time by email or via our website.

5.4 CRM and Automation Platform

We use a professional Customer Relationship Management (CRM) and automation platform provided by a third-party service provider. This system helps us manage:

  • contact and customer data,

  • enquiry and support processes,

  • follow-ups and reminders,

  • internal workflows and automations.

Processed data may include:

  • identity and contact details,

  • enquiry and communication history,

  • form submissions,

  • interaction data (e.g. timestamps, response status).

Our CRM provider acts as a data processor on our behalf (Art. 28 GDPR).
In some cases, data may be transferred to countries outside the EU/EEA (e.g. the United States). Where this occurs, it is based on Standard Contractual Clauses (SCC) and additional organisational and technical safeguards to ensure an adequate level of protection.

Legal bases:

  • Contract / pre-contractual measures (Art. 6(1)(b) GDPR);

  • Legitimate interests (Art. 6(1)(f) GDPR) in efficient customer management and process automation.

5.5 AI-Based Chat Functions

Our website may provide AI-supported chat features or automated response systems. When you use these features, the following data may be processed:

  • text and information you enter into the chat,

  • contact details you provide (e.g. email, phone number),

  • technical metadata (time, page, context of the request).

Purposes:

  • answering questions and providing support,

  • improving service quality (e.g. recognising frequently asked questions).

Legal bases:

  • Contract / pre-contractual measures (Art. 6(1)(b) GDPR);

  • Legitimate interests (Art. 6(1)(f) GDPR) in efficient support and scalable communication;

  • Consent (Art. 6(1)(a) GDPR) where expressly required for specific AI features.

We do not use AI-based decision-making that produces legal effects or similarly significant impacts without human review.

5.6 Cookies and Tracking Technologies

Our website may use cookies or similar technologies.

At present, we do not actively use any cookies or tracking tools requiring consent (such as analytics or marketing trackers). Only technically necessary processing required for basic website operation may occur.

If, in the future, we implement analytics, marketing or other optional tools, we will:

  • inform you transparently,

  • request your consent via a cookie banner or similar mechanism,

  • only activate such tools after you have opted in.

Legal bases (for future use):

  • Technically necessary cookies: legitimate interests (Art. 6(1)(f) GDPR) and/or equivalent local rules (e.g. § 25(2) TTDSG in Germany);

  • Optional cookies / tracking: consent (Art. 6(1)(a) GDPR).

You can manage your cookie preferences at any time via your browser settings and, where available, through our cookie banner.

6. Recipients of Personal Data

We only share personal data with third parties where this is:

  • necessary to provide our services,

  • permitted by law,

  • based on your consent, or

  • required to comply with legal obligations.

Typical categories of recipients include:

  • WhatsApp / Meta Platforms Ireland Ltd. (if you contact us via WhatsApp),

  • Stripe Payments Europe Ltd. (for payment processing),

  • hosting and infrastructure providers,

  • CRM and automation service providers,

  • email and communication providers,

  • IT service providers and consultants,

  • public authorities or courts where required by law.

Where service providers act as data processors, they are bound by contractual obligations in accordance with Art. 28 GDPR (or equivalent regulations) and may only process data as instructed by us.

7. International Data Transfers

Some of our service providers may process data in countries outside the EU/EEA or your home jurisdiction (for example, in the United States).

In such cases, we ensure an adequate level of data protection through:

  • Standard Contractual Clauses (SCC) adopted by the European Commission, and

  • additional technical and organisational safeguards, where necessary.

You may contact us for more information about the specific safeguards used for individual transfers.

8. Payment Processing with Stripe

For payment processing we may use:

Stripe Payments Europe, Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin
Ireland

Stripe may process, among other things:

  • name,

  • email address,

  • billing address,

  • payment method details (e.g. credit card data, usually entered directly into Stripe’s forms),

  • transaction-related data and IP address.

Purposes:

  • secure processing of payments,

  • prevention of fraud and misuse,

  • fulfilment of contractual obligations.

Stripe may transfer data to affiliated entities in other countries, including the U.S. These transfers are based on appropriate safeguards such as Standard Contractual Clauses.

Legal bases:

  • Contract / performance of payment-related services (Art. 6(1)(b) GDPR);

  • Legitimate interests (Art. 6(1)(f) GDPR) in secure and efficient payment processing.

For more details, please refer to Stripe’s own Privacy Policy:
https://stripe.com/privacy

9. Data Retention

We store personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law.

Retention periods depend on:

  • contractual and legal obligations (e.g. under tax and commercial law, often 6–10 years),

  • the nature and duration of our business relationship with you,

  • statutory limitation periods,

  • security and evidential requirements.

After the relevant retention period has expired or the purpose no longer applies, data will be deleted, anonymised, or restricted in processing.

10. Your Rights

Depending on the applicable law (in particular under GDPR and equivalent regulations), you may have the following rights:

  • Right of access: to obtain confirmation and information about personal data we process about you.

  • Right to rectification: to have inaccurate or incomplete data corrected.

  • Right to erasure: to request deletion of your data, subject to legal exceptions.

  • Right to restriction of processing in certain circumstances.

  • Right to data portability: to receive data in a structured, commonly used and machine-readable format.

  • Right to object to processing based on legitimate interests, including profiling related to such interests.

  • Right to withdraw consent where processing is based on your consent; withdrawal is effective for the future.

To exercise these rights, you can contact us at:

info@wayo-ai.de

Additional rights for some regions (e.g. California, UK, Switzerland)

Residents of certain jurisdictions may have further or slightly different rights under local law (e.g. the right to know, correct or delete under the CCPA/CPRA). We will respect such rights to the extent applicable.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA member state, the UK or Switzerland where you live, work or where an alleged infringement has occurred.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against:

  • unauthorised access,

  • loss or destruction,

  • alteration or disclosure.

These measures include, for example:

  • SSL/TLS encryption on our website,

  • access controls and role-based permissions,

  • secure infrastructure and regular updates,

  • organisational policies and internal procedures.

However, no method of transmission over the internet or electronic storage is completely risk-free. We therefore cannot guarantee absolute security.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example if:

  • legal requirements change,

  • we introduce new services, tools or features,

  • we adjust our internal processes or service providers.

The current version of this Privacy Policy is always available on our website.
If changes significantly affect your rights or introduce new processing activities that require consent, we will inform you separately where appropriate (for example via our website or by email to existing customers).