Privacy Policy
Last updated: May 14, 2026
1. Who we are
WooshPayment (the "Service", "we", "us") is operated by WooshPayment LLC, a company incorporated under the laws of Delaware, USA.
Data Controller:
WooshPayment LLC
8 The Green, Suite A
Dover, DE 19901
United States
Email: noreply@wooshpayment.com
During the Service's beta phase, no EU representative under Art. 27 GDPR has been appointed yet. For GDPR-related requests, contact us directly at the email above; we'll respond within 30 days.
2. Data we collect
2.1 Merchant data
- Email, password (bcrypt hashed), store name
- Shopify / WooCommerce domain, access token (AES-256 encrypted)
- IP address, user agent, login timestamps
- Checkout configurations, shipping rules, markets, and languages
2.2 End-customer data
When a customer purchases through a WooshPayment merchant, we collect name, email, phone, shipping and billing address to process the order. Payment data (card details) is handled by Whop Payments and never passes through our servers.
3. Legal basis
- Contract performance (Art. 6.1.b GDPR): to provide the checkout service.
- Legal obligation (Art. 6.1.c GDPR): invoicing, anti-fraud.
- Legitimate interest (Art. 6.1.f GDPR): aggregate analytics, security.
- Consent (Art. 6.1.a GDPR): marketing pixels, promotional emails to end customers (managed by the merchant).
4. Where we store data
Data is stored in a PostgreSQL database managed by Supabase on EU infrastructure (Frankfurt). Backups are encrypted (AES-256) and retained for 30 days on rotation. Some sub-processor services are based in the USA (see section 5); in those cases we rely on Standard Contractual Clauses (SCCs) approved by the EU Commission as the international transfer mechanism.
5. Who we share with (sub-processors)
- Whop Inc. — payment processor (USA, SCCs in place)
- Shopify / WooCommerce — your e-commerce platform for order creation
- Supabase — PostgreSQL database and backups (EU - Frankfurt)
- Vercel Inc. — frontend/edge hosting (EU - Paris + USA, SCCs in place)
- Resend — transactional email delivery (EU eu-west-1 + USA, SCCs in place)
- GoDaddy — DNS and mail authentication (SPF/DKIM)
- Meta (Facebook/Instagram), TikTok, Google Analytics 4 — only if the merchant activates the corresponding marketing pixels
We do not sell or share data with third parties for their own advertising purposes.
6. How long we retain data
- Merchant data: for the lifetime of the account, plus 90 days after cancellation.
- Order data: 10 years (Italian tax obligation).
- Access logs: 12 months.
- Unrecovered abandoned carts: 30 days.
7. Your rights
Under the GDPR you can exercise the following rights by contacting noreply@wooshpayment.com: access, rectification, erasure, restriction, portability, objection, withdrawal of consent. We'll respond within 30 days.
You also have the right to lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it) or your local supervisory authority.
8. Cookies
We use strictly necessary cookies (session, CSRF). Analytics/marketing cookies are optional and activated only with prior consent. See our Cookie Policy for details.
9. Security
- Encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
- Passwords stored with bcrypt (cost 12)
- Rate limiting on public APIs
- HSTS, CSP, X-Frame-Options DENY
- Daily encrypted backups with 30-day rotation
10. Changes
We reserve the right to update this policy. Material changes will be notified via email at least 30 days before they take effect.