🛡️ GDPR Compliant

Privacy-first podcast generation you can trust

🛡️ GDPR Compliance & Privacy

At WackyPod, we believe privacy is a fundamental right. We've built our platform from the ground up to comply with the strictest data protection regulations including GDPR, CCPA, and other privacy frameworks.

Our commitment: You own your data. You control your data. You can export or delete it anytime.

  • 📄 Data Export: Download all your data in one click. Complete JSON export in seconds.
  • 🗑️ Right to Deletion: Permanently delete your account and all associated data anytime.
  • 🔒 Data Security: Encryption at rest and in transit. Secure authentication with JWT.
  • 📋 Audit Logs: Complete tracking of all actions on your account for transparency.

Your GDPR Rights

Under GDPR, you have specific rights regarding your personal data. WackyPod makes exercising these rights simple and transparent:

1. Right to Access (Article 15)

You can access all personal data we hold about you at any time through your Profile page. We provide complete transparency into what data we store.

2. Right to Data Portability (Article 20)

One-Click Data Export includes:

  • ✅ Complete profile information (name, email, tier, settings)
  • ✅ All podcast episodes with metadata
  • ✅ Scripts and audio file references
  • ✅ Usage statistics and quota information
  • ✅ Audit log (last 1000 events)
  • ✅ Subscription and payment history

Format: Machine-readable JSON that you can import into any compatible system

Location: Profile → Privacy & Data Export → "Export My Data (GDPR)"

3. Right to Erasure / "Right to be Forgotten" (Article 17)

What gets deleted:

  • 🗑️ Your account and profile
  • 🗑️ All episodes and scripts
  • 🗑️ All audio files from storage
  • 🗑️ Usage history and statistics
  • 🗑️ API keys and authentication tokens

What we retain (legally required):

  • 📝 Deletion event in audit log (for compliance)
  • 📝 Financial records (tax law requirement, 7 years)

Timeline: Immediate database deletion. Storage deletion within 24 hours. Backup purge within 30 days.

Location: Profile → Account Actions → "Delete Account"

4. Right to Rectification (Article 16)

Update your personal information anytime through your Profile page. Changes take effect immediately.

5. Right to Restriction of Processing (Article 18)

Contact us at [email protected] to temporarily restrict processing of your data while we verify accuracy or address your concerns.

6. Right to Object (Article 21)

We don't use your data for marketing or profiling. All processing is strictly for service delivery. You can object to any processing by contacting us.

Data We Collect

| Data Type | Purpose | Legal Basis |
| --- | --- | --- |
| Email address | Authentication, service notifications | Contract performance |
| Password (hashed) | Account security | Contract performance |
| Name (optional) | Personalization | Consent |
| Content uploads | Podcast generation | Contract performance |
| Episode metadata | Service delivery | Contract performance |
| Usage statistics | Quota enforcement, analytics | Legitimate interest |
| IP address, user agent | Security, audit logging | Legitimate interest |
| Payment information | Billing (stored by Stripe) | Contract performance |

Data Processing & Storage

Where Your Data is Stored

🌍 Data Residency: We can configure EU-only deployments for European customers. Contact us to set this up for your account.

Third-Party Processors

We use carefully selected sub-processors who are also GDPR compliant:

| Service | Purpose | Location | DPA |
| --- | --- | --- | --- |
| Neon | Database hosting | US / EU | ✅ Available |
| Cloudflare | Storage (R2) & CDN | Global | ✅ Available |
| Vercel | Application hosting | Global | ✅ Available |
| Google (Gemini) | AI script generation | US | ✅ Available |
| Modal | TTS audio generation | US | ✅ Available |
| Stripe | Payment processing | US / EU | ✅ Available |

✅ Self-Hosting Option: For maximum control, deploy WackyPod on your own infrastructure and use your own AI providers. This eliminates all third-party data sharing.

Security Measures

We protect your data with:

  • 🔐 Encryption at rest: All database and storage encrypted
  • 🔒 Encryption in transit: HTTPS/TLS for all connections
  • 🔑 Secure authentication: JWT tokens with bcrypt password hashing
  • ⏱️ Token expiration: Access tokens expire in 15 minutes
  • 🚫 Rate limiting: Protection against brute-force attacks
  • 📋 Audit logging: All sensitive actions logged with timestamps and IP
  • SQL injection prevention: Parameterized queries throughout
  • 🛡️ XSS protection: Input sanitization and output encoding

Cookies & Tracking

We use minimal cookies and NO third-party tracking.

| Cookie Name | Purpose | Duration | Type |
| --- | --- | --- | --- |
| access_token | Authentication | 15 minutes | Essential |
| refresh_token | Session management | 7 days | Essential |

We do NOT use:

Contact & Data Protection

For any privacy questions, GDPR requests, or data protection concerns:

📧 Email: [email protected]

📍 Data Controller: WackyPod

⏱️ Response Time: We respond to all data requests within 30 days (GDPR requirement)

💡 Most actions are self-service: You can export or delete your data instantly from your Profile page. No need to wait for email responses!

Updates to This Policy

We may update this compliance page as our practices evolve or regulations change. We'll notify you of significant changes via:
