
© 2026 Wambesh

Privacy Policy

Last updated: 2026-03-01 · Version 1.0


Data Controller

Wambesh ("we", "us", "our") is the data controller responsible for your personal data.

Contact email: privacy@wambesh.com

Data We Collect

When you use Wambesh, we collect and process the following personal data:

  • Account data — email address, username, display name, first/last name, password hash (bcrypt), timezone, preferred locale
  • Authentication data — OAuth provider identifiers (Google, GitHub), provider email and display name, two-factor authentication configuration
  • Security data — IP address, approximate geolocation (country/city via MaxMind GeoIP, processed locally on our server), user agent string, device fingerprint (SHA-256 hash of browser attributes)
  • Profile data — avatar image (if uploaded), profile completeness metrics
  • Activity data — audit log entries (login events, security changes, account actions), session metadata
  • Preferences — language preference, cookie notice acknowledgment

How We Use Your Data

  • Account management — creating and maintaining your account, verifying your identity, managing sessions
  • Service delivery — running the platform, applying your preferences, sending email and SMS notifications
  • Security — detecting suspicious activity, preventing unauthorized access, rate limiting, IP-based threat detection
  • Analytics — aggregate usage statistics (user growth, demographics, engagement) for service improvement. Analytics use anonymized or pseudonymized data.

Legal Basis for Processing

Under the GDPR, we process your data on these legal bases:

  • Consent (Art. 6(1)(a)) — for account creation and accepting our terms. You can withdraw consent anytime by deleting your account.
  • Contract performance (Art. 6(1)(b)) — processing needed to provide our service, manage your account, and deliver features you request.
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, rate limiting, and aggregate analytics. We balance our interests against your rights.

Data Retention

  • Active accounts — data kept for the lifetime of your account
  • Sessions — duration controlled by the server (currently 1 hour inactivity timeout); deleted on logout or expiry
  • Audit logs — kept 7 years for security and compliance; email addresses pseudonymized 90 days after account deletion
  • Guest fingerprints — SHA-256 device hashes stored in Redis with 35-day TTL; purged automatically
  • Trusted devices — 30-day cookie; device trust record deleted after expiry
  • Deleted accounts — 30-day grace period, then data anonymized (username, email, display name replaced with "DELETED" values; associated records purged)
  • Verification tokens — expire automatically; unused tokens purged by cleanup jobs

Data Sharing with Third Parties

We share personal data only with these service providers, strictly for operating the platform:

  • Resend — transactional email delivery (receives your email address and message content)
  • Twilio — SMS for phone verification and 2FA (receives your phone number)
  • Google / GitHub — OAuth authentication (we receive your provider email and display name; we don't share Wambesh data back)
  • Cloudflare — CDN, DNS, and frontend hosting (processes IP addresses and request data for content delivery)
  • MaxMind GeoIP — IP geolocation database, downloaded and queried locally on our server. Your IP is never sent to MaxMind.

We do not sell your data. We do not work with advertising networks or data brokers.

International Data Transfers

Our backend is hosted in the United States (DigitalOcean). If you access Wambesh from outside the US, your data is transferred to and processed in the US.

Our service providers (Resend, Twilio, Cloudflare) maintain appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where applicable.

Your Rights

Under the GDPR, you have these rights:

  • Access (Art. 15) — request a copy of all personal data we hold about you
  • Rectification (Art. 16) — correct inaccurate data
  • Erasure (Art. 17) — request deletion of your data
  • Data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON)
  • Withdraw consent — at any time, by deleting your account
  • Lodge a complaint — with your local data protection authority

How to Exercise Your Rights

You can exercise most rights directly on the platform:

  • View and edit your data — Profile Settings
  • Export your data — Export My Data (JSON download)
  • Delete your account — Delete Account (30-day grace period)

For anything you can't do through the platform, email us at privacy@wambesh.com. We'll respond within 30 days as required by the GDPR.

Children's Privacy

You must be at least 13 to use Wambesh. We don't knowingly collect data from children under 13. During registration, users confirm they meet the age requirement.

If we learn we've collected data from a child under 13, we'll delete it promptly. If you believe a child under 13 has signed up, please contact privacy@wambesh.com.

Automated Decision-Making

We do not use automated profiling to make decisions that produce legal effects or similarly significant consequences for you.

Content recommendations (when available) are non-binding suggestions — they don't affect your access to features or content. We don't run any algorithmic penalty or scoring system that impacts your account standing.

Security Measures

We take reasonable steps to protect your data, including:

  • Encryption in transit — all connections use TLS (HTTPS)
  • Password hashing — bcrypt with per-user salts (we never store plain-text passwords)
  • Rate limiting — protects against brute-force attacks on login, registration, and verification endpoints
  • Session security — session fixation protection, concurrent session limits, automatic expiry
  • IP threat detection — suspicious IPs are monitored and can be blocked
  • Two-factor authentication — optional TOTP-based 2FA with trusted device support

No system is 100% secure. If we ever discover a data breach that affects your personal information, we'll notify you and the relevant authorities as required by law.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make important changes, we'll update the version number and date at the top.

We encourage you to check this page periodically. Continued use of Wambesh after changes means you accept the updated policy.

Contact Us

Questions about this Privacy Policy or our data practices?

  • Email: privacy@wambesh.com