GDPR Compliance
Last Updated: January 2025
WAIMI is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This page explains how we meet GDPR requirements and protect the rights of individuals in the European Union (EU) and European Economic Area (EEA).
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to organizations that:
- Are established in the EU/EEA
- Offer goods or services to individuals in the EU/EEA
- Monitor the behavior of individuals in the EU/EEA
GDPR gives individuals greater control over their personal data and imposes strict obligations on organizations that process personal data.
2. Our Commitment to GDPR
WAIMI is fully committed to GDPR compliance. We have implemented technical and organizational measures to ensure that personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Kept only as long as necessary
- Processed securely with appropriate safeguards
3. Your Rights Under GDPR
As an individual in the EU/EEA, you have the following rights regarding your personal data:
🔍 Right to Access
You have the right to request a copy of the personal data we hold about you.
✏️ Right to Rectification
You can request correction of inaccurate or incomplete personal data.
🗑️ Right to Erasure
You can request deletion of your personal data ("right to be forgotten").
⛔ Right to Restriction
You can request that we restrict processing of your personal data in certain circumstances.
📦 Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format.
🚫 Right to Object
You can object to processing of your personal data for direct marketing or other purposes.
🤖 Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing.
📝 Right to Withdraw Consent
You can withdraw consent at any time where we rely on consent to process your data.
4. How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us:
We will respond to your request within 30 days (or 60 days for complex requests). We may ask you to verify your identity before processing your request.
5. Legal Basis for Processing
We process your personal data based on the following legal grounds:
Consent
When you provide explicit consent for specific processing activities, such as:
- Marketing communications
- Newsletter subscriptions
- Optional data collection
Contract Performance
When processing is necessary to fulfill our contract with you, such as:
- Providing our AI business planning services
- Processing payments
- Delivering purchased services
Legitimate Interests
When we have a legitimate interest that doesn't override your rights, such as:
- Improving our services
- Fraud prevention and security
- Internal analytics
Legal Obligation
When we must process data to comply with legal requirements, such as:
- Tax and accounting obligations
- Responding to legal requests
- Regulatory compliance
6. Data We Collect
We collect and process the following categories of personal data:
- Identity Data: Name, username, title
- Contact Data: Email address, phone number, business address
- Business Data: Company name, industry, business goals
- Financial Data: Payment information (processed by third-party processors)
- Technical Data: IP address, browser type, device information
- Usage Data: How you use our website and services
- Communication Data: Chat conversations, emails, support tickets
7. How We Protect Your Data
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Secure authentication and access controls
- Regular security testing and audits
- Firewall and intrusion detection systems
- Secure backup and disaster recovery
Organizational Measures
- Data protection policies and procedures
- Employee training on data protection
- Confidentiality agreements with staff
- Data processing agreements with third parties
- Regular privacy impact assessments
- Incident response procedures
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected:
- Account Data: Retained while your account is active, plus 3 years after closure
- Business Plans: Retained for 7 years for tax and legal purposes
- Chat Conversations: Retained for 90 days unless you request deletion
- Marketing Data: Retained until you unsubscribe or request deletion
- Analytics Data: Anonymized after 26 months
9. International Data Transfers
Your personal data may be transferred to and processed in countries outside the EU/EEA, including the United States. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions for certain countries
- Binding Corporate Rules where applicable
- Your explicit consent for specific transfers
10. Third-Party Processors
We work with carefully selected third-party processors who are GDPR-compliant:
- Cloud Hosting: AWS, Google Cloud (with SCCs)
- Payment Processing: Stripe, PayPal (PCI-DSS compliant)
- Email Services: SendGrid, Mailchimp (with DPAs)
- Analytics: Google Analytics (with anonymization)
- AI Services: Google Gemini (with data processing agreements)
All processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance.
11. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours
- We will notify affected individuals without undue delay if the breach poses a high risk
- We will provide information about the nature of the breach and steps taken
- We will document all breaches and our response
12. Children's Privacy
Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.
13. Automated Decision-Making and Profiling
We use AI to generate business plans and recommendations. However:
- No decisions with legal or significant effects are made solely by automated means
- AI-generated content is reviewed and can be customized
- You have the right to request human review of AI decisions
- We do not use profiling for discriminatory purposes
14. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe we have violated GDPR. The lead supervisory authority for WAIMI is:
- California Attorney General's Office (for US operations)
- Your local EU Data Protection Authority (for EU residents)
However, we encourage you to contact us first so we can address your concerns directly.
15. Updates to GDPR Compliance
We regularly review and update our GDPR compliance measures. This page will be updated to reflect any changes in our practices or legal requirements.
16. Contact Our Data Protection Officer
For GDPR-related inquiries, you can contact our Data Protection Officer: