Last updated: 2026-05-14. This Privacy Policy describes how Wanabal Corporation collects, uses, and shares Personal Information. It is written in clear, straightforward language as required by Quebec Law 25 §8.2 and aligns with our commitments under CCPA/CPRA, PIPEDA, and the GDPR.
This Privacy Policy describes how Wanabal Corporation ("Wanabal," "we," "us," or "our") collects, uses, and shares Personal Information in connection with our financial-platform Services. Capitalized terms not defined in this Privacy Policy have the meanings given to them in our Terms of Service.
Wanabal Corporation is a Delaware C-Corporation. Our principal place of business is 131 Continental Dr Suite 305, Newark, DE 19713. You can reach our privacy team at info@wanabal.com for any data-subject request, privacy-rights request, or question about this Privacy Policy.
This Privacy Policy applies to:
This Privacy Policy does not cover information that a Customer or a Customer's End Customers provide directly to Third-Party Services we integrate with, including bank-data aggregators, accounting platforms, and crypto exchanges. Information you provide to those Third-Party Services is governed by their own privacy policies. This Privacy Policy describes how we treat data that the Customer routes to us through such integrations once it reaches our Services.
For most Customer Content processed through the Services, Wanabal acts as a "service provider" (under U.S. state privacy laws) or "processor" (under Canadian and other applicable privacy laws) on behalf of the Customer, who is the "business" or "controller" of that data. For account-management data, including the Customer's billing contact details and Authorized User profile information, Wanabal acts as the "business" or "controller" and processes that data for our own purposes as described in this Privacy Policy. [per CCPA/CPRA; Quebec Law 25; PIPEDA]
As required by Quebec Law 25 §3.1, Wanabal designates its Chief Executive Officer as the Privacy Officer responsible for Wanabal's compliance with applicable Canadian privacy law. You can contact the Privacy Officer at info@wanabal.com. [per Quebec Law 25 §3.1]
This Privacy Policy is effective as of 2026-05-14 and was last updated on 2026-05-14. We may update this Privacy Policy from time to time; for details on how we communicate changes and when updates take effect, see the Changes to This Policy section below.
Wanabal collects information in the categories below to provide, secure, and improve the Services, comply with applicable law, and communicate with you. The categories are intended to satisfy the disclosure requirements of the California Consumer Privacy Act, as amended by the California Privacy Rights Act [per CCPA Cal. Civ. Code §1798.100 and §1798.140], and analogous laws in other US states, Canada, and Quebec.
When you create an account, configure your organization, or use the Services, you and your Authorized Users provide information directly to us:
The Services let you connect external accounts so financial data can flow into Wanabal. We only receive this information after you (or an Authorized User) grants explicit OAuth consent to the relevant third party, and only within the scopes you authorize:
For the current list of named third-party services, see our Subprocessors page.
When you visit our website or use the Services, we and our service providers automatically collect information about your device and your interactions:
Certain information we handle is considered "sensitive personal information" under CCPA/CPRA and similar laws [per CCPA Cal. Civ. Code §1798.140(ae)]. Categories we may handle include:
We use sensitive personal information only for the purposes described in the How We Use Information section and only as reasonably necessary to provide, secure, and support the Services. We do not use or disclose it to infer characteristics about you. See the Your CCPA/CPRA Rights section for your right to limit our use of sensitive personal information.
The Services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from anyone under 18. See the Children's Privacy section for more information.
Wanabal handles financial data only to provide the Services that Customer requests. We do not sell financial data. We do not use financial data for advertising. We do not share financial data with third parties for those parties' own marketing purposes. Financial data is shared only as set out in How We Share Information, with the categories of subprocessors listed on our Subprocessors page, or where required by Applicable Law.
When Customer links a bank account, our service provider Plaid Inc. ("Plaid") securely retrieves account, balance, and transaction information from the financial institution and provides it to Wanabal. Plaid manages the bank login flow; Wanabal does not receive or store Customer's online banking credentials.
We use bank data only to:
Disconnection. Customer may unlink any account inside Wanabal at any time. Customer may also review and revoke Plaid connections directly at https://my.plaid.com. After disconnect, Wanabal stops requesting new transactions from that institution; previously synced transactions remain in Customer's general ledger until Customer or Wanabal deletes them in accordance with the Data Retention section.
Reauthorization. Under Section 1033 of the Dodd-Frank Act, linked accounts may require periodic reauthorization (typically at least every twelve (12) months) to remain connected [per Plaid Section 1033 guidance].
Plaid's End User Privacy Policy describes how Plaid handles data it collects in connection with bank-account linking and is available at https://plaid.com/legal/#end-user-privacy-policy [per Plaid Developer Policy].
Customer is the controller of its general ledger ("GL") data, including chart of accounts, journal entries, books, sub-ledgers, inter-company entries, ownership graph, and inventory and supply-chain records. Wanabal processes GL data on Customer's behalf to provide the Services.
We do not share GL data with third parties except:
Where Customer connects a Gemini Exchange account via OAuth, we retrieve balances, orders, staking activity, rewards, and transaction history from Gemini. Wanabal does not custody, hold, or move Customer's crypto or fiat assets. Use of this data is limited to providing the Services, including recording transactions in the GL, surfacing the status of Customer-configured automations, and reflecting balances in dashboards. Customer may revoke Wanabal's Gemini access at any time inside the Services and within Gemini's own account-management surface.
Tax-related data Customer provides or generates in the Services - including tax rates, jurisdiction settings, nexus determinations, exemption certificates, estimated payment records, material-participation logs, and compliance-event logs - is processed only to provide tax-compliance tooling. Wanabal does not file tax returns and does not transmit tax data to any tax authority. Customer remains solely responsible for tax filings and for the accuracy of information submitted to any tax authority.
Documents Customer uploads or generates in the Services - including bank statements, service level agreements, promissory notes, audit packages, and compliance exports - are stored with our file-storage subprocessor (Supabase Storage today; see the Subprocessors page for the current vendor) and accessed only as needed to provide the Services. AI-assisted extraction of bank-statement line items uses our LLM subprocessor under the terms described in AI / Fynn Data Handling.
OAuth tokens issued by Plaid, Gemini, QuickBooks Online, and other connected services, together with sensitive vendor bank-account fields (such as routing and account numbers), are encrypted at rest using AES-256. Financial data is transmitted between Customer's browser, Wanabal, and our subprocessors over HTTPS using TLS 1.2 or higher. Additional safeguards are described in the Security section.
Wanabal maintains audit logs of changes to financial-data tables, including before-and-after snapshots and the identity of the acting user, to support Customer's internal compliance obligations and Wanabal's security operations. Audit-log retention follows the Data Retention section.
This section describes how Wanabal Corporation ("Wanabal") handles data submitted to or generated by Fynn, our embedded AI assistant. It supplements, and should be read together with, the "How We Share Information" section of this Privacy Policy, the "Customer Data and Ownership" and "AI Features (Fynn)" sections of our Terms of Service, and our Subprocessors page.
When Customer or its Authorized Users invoke Fynn, the prompts sent to Fynn may include data Customer or its Authorized Users select for analysis. This can include financial data, general ledger entries, transaction text, and the contents of documents Customer uploads (for example, bank statement PDFs or inputs used to draft a Service Level Agreement). Fynn's outputs are AI-generated text, including drafts of documents, suggested transaction categorizations, and extracted line items.
Fynn relies on third-party large language model and embedding providers to generate its outputs. Today, we use Anthropic (Claude API) for SLA and promissory-note draft generation, bank-statement extraction, categorization suggestions, and Fynn's natural-language Q&A. We use Voyage AI for the semantic embeddings that ground Fynn's answers in Customer's data through retrieval. The current list of LLM subprocessors, along with their function and location, is maintained on our Subprocessors page.
Wanabal does not train any model — internal or third-party — on Customer Content or on prompts submitted to, or outputs generated by, Fynn. Our LLM subprocessors are engaged on enterprise or business API tiers that contractually prohibit training on customer data. Specifically, Anthropic's Commercial Terms, and (if OpenAI is added as a subprocessor in the future) OpenAI's May 2025 Business Terms, both prohibit training on customer prompts and completions [per Anthropic Commercial Terms; OpenAI May 2025 Business Terms]. We do not authorize our LLM subprocessors to use Customer Content for any purpose other than processing the request and returning the response to Wanabal.
Under Anthropic's published data-handling terms, API inputs and outputs are retained by default for up to 7 days for abuse-monitoring purposes and then automatically deleted [per Anthropic API Data Retention; effective Sept 14, 2025]. Content flagged by Anthropic's Trust & Safety classifiers as a Usage Policy violation may be retained for up to 2 years (with classifier scores retained for up to 7 years). Anthropic does not use commercial API inputs or outputs to train its models [per Anthropic Commercial Terms]. Voyage AI's retention is governed by its own terms. We will update this disclosure if these terms change. Separately, Wanabal stores Fynn outputs that Customer accepts — for example, approved SLA documents or categorized journal entries that an Authorized User has applied — as part of Customer Content, and those records are retained on Wanabal systems consistent with the rest of this Privacy Policy.
Fynn does not create, update, or delete any of Customer's records on its own. Every action that changes Customer data requires explicit human approval by an Authorized User on Customer's team. Fynn proposes; an Authorized User reviews, edits if needed, and accepts or rejects. This boundary is described further in the AI Features (Fynn) section of our Terms of Service.
Customer may not use Fynn outputs to develop, train, or improve any artificial intelligence model that competes with Anthropic's, OpenAI's, or any other LLM subprocessor's models [per Anthropic Commercial Terms; OpenAI Business Terms]. Customer must independently verify all material Fynn outputs before relying on them. Fynn outputs are AI-generated and may be inaccurate, incomplete, or fabricated, and they are not a substitute for review by qualified accounting, tax, or legal professionals.
Where Customer or its Authorized Users (including a Partner's End Customers, in white-label deployments) interact with Fynn outputs in contexts in which a person could reasonably be confused about whether the content was generated by AI, Customer is responsible for disclosing to those individuals that the content is AI-generated [per Anthropic Commercial Terms passthrough].
Customer should not submit to Fynn any data Customer is not authorized to disclose to Wanabal and our LLM subprocessors. This includes third-party Personal Information for which Customer does not have the necessary rights or consents to share with our LLM subprocessors. Customer remains responsible under the "Customer Data and Ownership" section of our Terms of Service for the lawfulness of the inputs it provides to Fynn.
We use the information described in the Information We Collect section for the following specific purposes. Where Applicable Law requires us to identify a discrete purpose for each category of personal information, the purposes below are intended to satisfy that requirement [per CCPA/CPRA notice-at-collection requirements; PIPEDA Principle 2 (Identifying Purposes); Quebec Law 25 purpose-specification requirements].
For individuals located in jurisdictions whose laws require us to identify a lawful basis for processing personal data (including the EU/UK GDPR and analogous frameworks), we rely on the following bases:
This section applies if you are an individual located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, or if the General Data Protection Regulation ("GDPR") (or its UK or Swiss equivalent) otherwise applies to our processing of your Personal Information. Wanabal Corporation ("Wanabal") does not actively market the Services in the EEA, UK, or Switzerland; our target markets are the United States and Canada. We publish this section as a matter of completeness for individuals whose Personal Information may be processed by us incidentally (for example, an EEA-based employee or contact of a US or Canadian Customer). If we determine that GDPR does not apply to a given processing activity, the other sections of this Privacy Policy continue to govern.
Where GDPR applies, we rely on the following legal bases for processing Personal Information [per GDPR Art. 6]:
Wanabal does not knowingly process special-category Personal Information [per GDPR Art. 9] (such as data revealing health, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, or biometric data) through the Services. If special-category data incidentally appears in Customer Content, the processing relies on the Customer's lawful basis as controller and is restricted to what is necessary to provide the Services.
Personal Information of EEA, UK, and Swiss data subjects is transferred to the United States, where the Services are hosted. We rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) to safeguard such transfers [per GDPR Chapter V]. Customers may request a copy of our Standard Contractual Clauses by emailing info@wanabal.com.
Because the EEA is not Wanabal's target market and our processing of EEA Personal Information is incidental, we have not appointed a representative in the European Union or the United Kingdom under Article 27 of the GDPR. We will reassess this position if our EEA-facing or UK-facing activities expand. For data-subject rights specific to GDPR (including access, rectification, erasure, restriction, objection, and portability), see the GDPR Rights section of this Privacy Policy.
We share Personal Information only as described below. We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising. See also Your CCPA/CPRA Rights for the rights this gives you and how to exercise them.
To exercise rights related to the sharing described above, including the right to opt out of sale or sharing under California law, see Your CCPA/CPRA Rights.
Wanabal operates from the United States, and Personal Information you provide to us, or that we collect through the Services, is hosted and processed in the United States. This section should be read together with our How We Share Information, Subprocessors, and Security sections.
Wanabal hosts Personal Information in the United States. Our primary infrastructure providers, including our application hosting provider, our managed Postgres database provider, and our file storage provider, all operate in the United States. Certain subprocessors that support the Services, including our AI model provider, embeddings provider, subscription billing provider, and bank-data provider, are also US-based. The current list of subprocessors, their functions, and their hosting locations is maintained on our Subprocessors page.
If Customer or any of its Authorized Users is located in Canada, Personal Information will be transferred to and processed in the United States. The US legal framework permits, in certain circumstances, US government agencies to access data held by US-based service providers, including under the CLOUD Act, FISA Section 702, and Executive Order 12333. We mitigate these risks through technical safeguards (encryption at rest and in transit, role-based access controls, and audit logging, as described in our Security section) and through contractual safeguards (data processing addenda with our subprocessors that include comparable protection commitments) [per PIPEDA accountability principle].
Quebec Law 25 §17 disclosure. We have completed a Privacy Impact Assessment ("PIA") for the cross-border transfer of Personal Information of Quebec residents from Quebec to the United States. The PIA assessed the sensitivity of the Personal Information involved, the purposes for which it is used, the protection measures we have implemented (including encryption, contractual data-protection terms with subprocessors, and access restrictions), and the legal framework of the United States as the receiving jurisdiction. Based on this assessment, we determined that adequate protection is provided through the combined technical and contractual safeguards described in this Privacy Policy and our subprocessor agreements [per Quebec Law 25 §17].
A summary of the PIA's findings is available on request to Quebec residents and to Customers with Quebec-resident data subjects, by writing to info@wanabal.com.
If you are located in the European Economic Area, the United Kingdom, or Switzerland, please see our Legal Bases for Processing (GDPR) section for our reliance on Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) as the transfer mechanism for Personal Information sent to the United States.
Where Customer is the controller of Personal Information and Wanabal acts as a service provider or processor on Customer's behalf, Customer remains responsible for lawfully transferring Personal Information of its own data subjects to Wanabal. Customer's privacy notices and consents to those data subjects must accurately reflect the cross-border transfer of their Personal Information to the United States and Wanabal's role in processing it.
We do not transfer Personal Information of Canadian residents to jurisdictions outside the United States or Canada except (a) to subprocessors located in the United States that support the Services, or (b) where required by Applicable Law. If we add a subprocessor located in another jurisdiction, we will update our Subprocessors page and assess any additional cross-border transfer requirements at that time, including, where applicable, conducting an updated PIA for transfers involving Quebec residents.
Customers who require data residency in Canada or another specific jurisdiction should contact us at info@wanabal.com to discuss available alternatives. Today, Wanabal does not offer Canada-resident hosting; all production data resides in the United States.
Wanabal and our service providers use cookies, local storage, pixels, and similar technologies (collectively, "cookies") to operate the Services, remember your preferences, secure your account, and understand how the Services are used. This section describes the categories of cookies we use, the third parties that may set cookies during your use of the Services, and the choices available to you. For background on what data we collect generally, see "Information We Collect" elsewhere in this Privacy Policy.
Some cookies are set by third parties acting as our service providers or as the operator of an integration you choose to connect:
Separately from cookies, we collect server-side logs (including IP address, request path, status code, and latency) for security, debugging, and abuse-monitoring purposes. These logs are not "cookies" but are mentioned here for completeness; their handling is described further in "Information We Collect."
Cookie list and expiry. A current list of the cookies we set and their expiry is available on request and will be published at /cookies once finalized.
Wanabal retains Personal Information only as long as necessary for the purposes described in this Privacy Policy and as required by Applicable Law, including books-and-records, tax-record retention, audit, and statute-of-limitations requirements that apply to Wanabal or to Customer's use of the Services. Where multiple retention obligations apply to the same record, we apply the longest applicable period.
While a Customer's subscription is active, Wanabal retains Customer Content for the duration of the relationship plus the period necessary to provide and support the Services, including operating audit trails required for Customer's compliance posture. Personal Information about Authorized Users is retained while their access is active.
Customers and individuals may request deletion of their Personal Information as described in the "Your Rights" sections of this Privacy Policy. Wanabal honors verifiable deletion requests subject to the legal-retention exceptions above. Where we cannot fully delete a record because of an applicable retention obligation, we will explain the basis and limit our use of the retained data to the purpose that requires retention.
Where we anonymize Personal Information so that the data no longer identifies an individual and cannot be re-identified using reasonably available means, that data is no longer Personal Information for purposes of this Privacy Policy. Wanabal may retain and use such anonymized data indefinitely, including for product analytics, benchmarking, and service improvement, consistent with our subprocessor obligations and Applicable Law.
Wanabal maintains administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, loss, or destruction. The controls below reflect Wanabal's current practices and may evolve over time.
Personal Information is encrypted in transit using HTTPS with TLS 1.2 or higher. Sensitive data at rest, including OAuth tokens for Plaid, QuickBooks Online, Gemini Exchange, and PropelAuth, as well as vendor bank-account fields, is encrypted using AES-256 [per Wanabal engineering standards].
Wanabal supports role-based access (Owner, Admin, and Member roles) configured by Customer. Multi-factor authentication is available through PropelAuth. Internal access by Wanabal personnel is granted on a least-privilege basis and limited to those who need it to operate or support the Services. Administrative actions are recorded in audit logs.
Wanabal is a multi-tenant service. Every database table is scoped by an organization identifier, and queries enforce isolation between Customer accounts so that one Customer's data is not returned to another Customer.
Tables that hold financial data maintain audit logs containing before-and-after snapshots of changes. Administrative actions log the originating IP address and user agent. These records support investigation of unauthorized or anomalous activity.
Production systems are hosted in the United States. Web and application services run on Render; the primary database is hosted on Neon; file storage is provided by Supabase Storage. A current list of subprocessors, their functions, and their hosting locations is maintained at /subprocessors.
Wanabal monitors and patches third-party dependencies, reviews code for security issues as part of its development process, and follows standard secure-development practices.
Wanabal evaluates the security posture of subprocessors before onboarding and on a periodic basis thereafter.
Wanabal does not currently hold SOC 2, ISO 27001, or PCI certifications. Wanabal is committed to pursuing SOC 2 Type II certification as part of its growth roadmap, and intends to evaluate ISO 27001 and other appropriate certifications as the business matures. Wanabal will update this section to reflect material progress, including engagement of an auditor or completion of an audit.
Customer remains responsible for the security of its own systems, devices, credentials, and Authorized User access. Customer should choose strong, unique passwords, enable multi-factor authentication, restrict role assignments to the minimum required, and promptly revoke access for individuals who no longer need it. Customer is also responsible for the security of third-party accounts it connects to the Services.
Customers and security researchers are encouraged to report suspected vulnerabilities or security incidents to info@wanabal.com. Wanabal will acknowledge reports and investigate in good faith.
No system is perfectly secure. Wanabal does not warrant that the Services are free from all vulnerabilities and cannot guarantee absolute security. See the "Breach Notification" section of this Privacy Policy for Wanabal's incident notification obligations, and the "Acceptable Use" section of the Terms of Service for Customer obligations regarding use of the Services.
This section applies to California residents whose Personal Information Wanabal Corporation ("Wanabal") processes. Because the CCPA's business-to-business and employee exemptions sunset on January 1, 2023, the rights below apply equally to business contact, employee, and end-user Personal Information.
If you are a California resident, you have the following rights:
You may designate an authorized agent to submit a request on your behalf. The agent must provide written authorization signed by you, and Wanabal may require the agent to verify their own identity and the authority granted to them. Wanabal may also require you to verify your identity directly or to confirm that you authorized the agent [per CCPA Regs §7063].
Wanabal honors Global Privacy Control (GPC) signals as a valid request to opt out of "sale" or "sharing" of Personal Information for cross-context behavioral advertising, consistent with our position that we do not sell or share for that purpose [per CCPA Regs §7025].
Wanabal does not currently offer financial incentives, price differences, or service-level differences in exchange for the collection, retention, sale, or sharing of Personal Information. If Wanabal introduces such a program, we will provide a notice of financial incentive as required by CCPA/CPRA before enrolling you [per Cal. Civ. Code §1798.125(b); CCPA Regs §7016].
For the categories of Personal Information Wanabal collects, the sources, the business and commercial purposes, and the categories of third parties to whom we disclose it for a business purpose, see the "Information We Collect" and "How We Share Information" sections. Wanabal does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising, and has not done so in the preceding 12 months. For the statutory categories enumerated under Cal. Civ. Code §1798.140, see the chart at the end of this Privacy Policy.
For questions about your CCPA/CPRA rights or this section, contact Wanabal at info@wanabal.com.
This section applies to Personal Information that Wanabal collects, uses, or discloses in the course of commercial activities subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), including most cross-border processing of Canadian Personal Information.
Under PIPEDA, you have the following rights with respect to your Personal Information:
Wanabal applies the ten fair-information principles set out in Schedule 1 to PIPEDA:
Wanabal transfers Canadian Personal Information to the United States, where our Services are hosted. The accountability principle requires us to ensure comparable protection through contractual and technical safeguards (see the International Data Transfers section) [per PIPEDA accountability principle, Schedule 1, Principle 4.1.3].
Wanabal will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible if a breach of security safeguards involving Personal Information under our control creates a real risk of significant harm. We will maintain a record of every such breach for at least 24 months from the date we become aware of it, and will provide that record to the OPC on request [per PIPEDA §10.1; PIPEDA Breach of Security Safeguards Regulations, SOR/2018-64].
If you are a resident of Quebec, additional rights apply to you under Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 — including rights of portability, de-indexation, and the right to object to decisions based exclusively on automated processing. See the next section, "Your Quebec Law 25 Rights," for details.
This section applies to you if you are a resident of the Province of Quebec, Canada, or if your Personal Information is otherwise subject to An Act respecting the protection of personal information in the private sector ("Quebec Law 25"). Where this section gives you rights that differ from the rest of this Privacy Policy, this section controls.
As required by Quebec Law 25 §3.1, Wanabal Corporation ("Wanabal") designates its Chief Executive Officer as the person in charge of the protection of Personal Information (the "Privacy Officer"). The Privacy Officer is responsible for Wanabal's compliance with Quebec Law 25 and for handling related requests and complaints. You may contact the Privacy Officer at info@wanabal.com [per Quebec Law 25 §3.1].
Subject to the conditions and exceptions in Quebec Law 25, you have the following rights:
Send a written request to the Privacy Officer at info@wanabal.com, with enough detail to identify you and describe what you are asking for.
Wanabal hosts Personal Information in the United States. Before communicating Personal Information about Quebec residents outside Quebec, Wanabal conducts a Privacy Impact Assessment ("PIA") that considers the sensitivity of the information, the purposes of use, the protection measures (including contractual measures), and the legal framework of the receiving jurisdiction (including U.S. laws such as the CLOUD Act, FISA Section 702, and Executive Order 12333) [per Quebec Law 25 §17]. We only transfer Personal Information when the assessment establishes that it will receive adequate protection. See the International Data Transfers section of this Privacy Policy for further detail. A summary of the §17 PIA findings is available on request to info@wanabal.com.
If a confidentiality incident involving Personal Information presents a risk of serious injury, Wanabal will notify the CAI and the affected individuals with diligence and take reasonable measures to reduce the risk of injury and prevent recurrence [per Quebec Law 25 §3.5]. Wanabal maintains a register of confidentiality incidents and retains entries in that register for at least 5 years.
Where Quebec Law 25 requires your consent to collect, use, or communicate Personal Information about you, including for purposes that are not necessary to provide the Services the Customer has requested, or for sensitive use of Personal Information, Wanabal will request consent that is clear, free, informed, and given for specific purposes. Consent is requested separately from any other information provided to you.
This Privacy Policy is published in English. Wanabal does not currently provide an authoritative French-language version. Quebec residents may contact Wanabal's Privacy Officer at info@wanabal.com to request clarification, in French, of any provision of this Privacy Policy; Wanabal will respond in good faith. Wanabal is evaluating publication of an authoritative French translation as part of its expansion in Canada and will update this section when one is available. (Note: Quebec Law 25 does not itself require this Privacy Policy to be drafted in French; the Quebec Charter of the French Language may impose related obligations that counsel will assess for Wanabal's B2B Services.)
Wanabal's target market is the United States and Canada. We do not actively offer the Services to individuals in the European Economic Area ("EEA"), the United Kingdom, or Switzerland. This section is provided for the limited cases in which an individual in those regions interacts with the Services or in which European data protection law otherwise applies.
This section applies if you are an individual in the EEA, the United Kingdom, or Switzerland, or if your Personal Information is otherwise subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection, or analogous laws. Where this section conflicts with another section of this Privacy Policy with respect to such Personal Information, this section controls.
Subject to applicable conditions and exceptions, you have the following rights under GDPR Articles 15-22:
To exercise any of these rights, submit a request to info@wanabal.com. We will take reasonable steps to verify your identity before fulfilling the request. We will respond within one month of receipt of the request; that period may be extended by up to two further months where necessary, taking into account the complexity and number of requests, and we will inform you of any such extension within one month of receipt and the reasons for the delay [per GDPR Art. 12(3)]. There is no fee for exercising these rights, except where requests are manifestly unfounded or excessive.
Legal bases. The legal bases on which we rely to process Personal Information are described in the "Legal Bases for Processing (GDPR)" section of this Privacy Policy.
International transfers. The Services are hosted in the United States. Where we transfer Personal Information from the EEA, the United Kingdom, or Switzerland to the United States or to other jurisdictions that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum or the Swiss equivalent, where applicable) as the transfer mechanism, together with supplementary measures where appropriate. Further detail is set out in the "International Data Transfers" section of this Privacy Policy [per GDPR Chapter V].
Because the EEA is not Wanabal's target market and our processing of EEA Personal Information is incidental rather than systematic, Wanabal has not appointed a representative in the Union under Article 27 of the GDPR. We will reassess this position if our EEA-facing activities expand.
If you believe our processing of your Personal Information infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement, or with the United Kingdom Information Commissioner's Office or the Swiss Federal Data Protection and Information Commissioner, as applicable. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority; please reach us at info@wanabal.com.
This section applies to residents of US states (other than California) that have enacted comprehensive consumer privacy laws. As of the date of this Privacy Policy, this includes Virginia [per VCDPA], Colorado [per CPA], Connecticut [per CTDPA], Utah [per UCPA], Iowa [per ICDPA], Indiana [per ICPA], Tennessee [per TIPA], Texas [per TDPSA], Oregon [per OCPA], Montana [per MCDPA], Delaware [per DPDPA], New Hampshire [per NHCDP], New Jersey [per NJDPA], Maryland [per MODPA], Minnesota [per MCDPA], Rhode Island [per RIPDA], and others as enacted.
If you reside in California, see Your CCPA/CPRA Rights (California). Canadian residents should see Your PIPEDA Rights and, in Quebec, Your Quebec Law 25 Rights. EEA, UK, and Swiss residents should see Your GDPR Rights. For cookies, see Cookies and Tracking.
The following rights are commonly granted across these state laws, subject to state-specific variations and exceptions:
Some state laws require opt-in consent to process sensitive Personal Information (for example, financial-account information and government identifiers such as SSN or EIN). Wanabal collects sensitive Personal Information only as necessary to provide the Services the Customer requests. Where opt-in consent is required, it is obtained through the Customer's account-creation flow or as part of the Customer's instructions to Wanabal.
Where state law allows, you may designate an authorized agent to submit requests on your behalf. We may require written authorization and reasonable verification of the agent's authority and your identity before responding.
Wanabal honors the Global Privacy Control (GPC) and similar universal opt-out preference signals as a request to opt out of "sale," "sharing," or "targeted advertising" where state law requires; this is consistent with our position that we do not engage in those practices.
Notice for residents of states added in the future: Wanabal will update this section as additional state privacy laws take effect. Where a new state law grants rights, those rights apply on the law's effective date whether or not this section has been updated.
If Wanabal experiences a confirmed security incident affecting Personal Information that triggers notification requirements under Applicable Law, we will notify affected individuals and applicable regulators in accordance with those laws. Our approach varies by jurisdiction:
Where Wanabal acts as a service provider or processor for a Customer that controls the affected Personal Information, Wanabal will cooperate with that Customer to support its notification obligations.
Reporting an incident. Customers and security researchers who suspect a security incident or vulnerability should report it to info@wanabal.com. We do not pursue good-faith researchers who follow responsible disclosure practices.
The Services are intended for business use by individuals who are at least eighteen (18) years of age. Wanabal does not knowingly collect Personal Information from individuals under 18.
We do not direct the Services to children, do not collect Personal Information from children for marketing, and do not engage in activities regulated by the Children's Online Privacy Protection Act ("COPPA"). If you become aware that a child under 18 has provided Personal Information to Wanabal, please contact info@wanabal.com so we can delete it.
For California residents under the age of 16, the right to opt out of the "sale" or "sharing" of Personal Information defaults to opt-in: we will not sell or share their Personal Information without affirmative authorization [per CCPA/CPRA §1798.120(c)]. In any event, Wanabal does not sell Personal Information and does not share it for cross-context behavioral advertising, regardless of age.
Wanabal may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy reflects the most recent change.
For material changes — meaning changes that materially expand the categories of Personal Information we collect, or materially change the purposes for which we use or disclose Personal Information — we will provide reasonable advance notice, typically at least 30 days before the change takes effect. Notice will be sent by email to the billing and administrative contacts on file for each Customer and posted prominently within the Services.
Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the changes, except where Applicable Law requires affirmative consent — in which case we will request and obtain that consent before the change applies to you.
Older versions of this Policy are available on request to info@wanabal.com.
For privacy questions, requests, complaints, or to exercise your rights under Applicable Law, contact us at:
For data-subject access, deletion, correction, portability, opt-out, or other rights requests, please see the relevant rights section above — Your CCPA/CPRA Rights, Your PIPEDA Rights, Your Quebec Law 25 Rights, Your GDPR Rights, and Your Rights Under Other US State Privacy Laws — for the procedures that apply to your jurisdiction.
If we have not satisfactorily addressed a complaint regarding our handling of your Personal Information, you may also contact the relevant supervisory authority: