Privacy Policy
Last updated: 26 June 2026
This Privacy Policy describes how WhenTap ("we", "us", "our") collects, uses, and protects your personal data when you use our Webflow Marketplace App ("Service").
1. Controller
WhenTap (operated as a sole proprietorship in the Netherlands)
Amsterdam, the Netherlands
Chamber of Commerce: available on request
Email: hello@whentap.com
Data requests: dpa@whentap.com
2. What we collect
| Category | Examples | Lawful basis (GDPR) |
|---|---|---|
| Account data | Email, Webflow user ID | Contract performance |
| Site data | Webflow site IDs, CMS item content, page content | Contract performance |
| Usage data | Feature usage, API call counts | Legitimate interest (analytics, abuse prevention) |
| Billing data | Stripe customer ID, payment method (handled by Stripe) | Contract performance |
| Support data | Email content, attachments you send us | Contract performance |
| Technical data | IP address, browser user-agent, session timestamps | Legitimate interest (security) |
3. How we use it
- To provide the Service (run translations, sync data, render dashboards)
- To bill you and handle payments (via Stripe)
- To send transactional emails (welcome, billing notices, security alerts)
- To respond to support requests
- To improve the Service (aggregate, anonymized analytics)
- To comply with legal obligations
We do NOT sell your data. We do NOT use your data for advertising. We do NOT use your data to train AI models.
4. Sub-processors
We use the following third parties to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | VPS hosting | EU (Germany or Finland) |
| Cloudflare, Inc. | DNS, email routing, edge cache | Global (data at rest in EU) |
| Resend, Inc. | Transactional email | EU region selected |
| Stripe Payments Europe Ltd. | Payment processing | EU (Ireland) |
| Webflow, Inc. | Source of data we process on your behalf | US (with EU adequacy mechanism) |
| Webflow, Google, Microsoft, Stripe, Twilio, Resend, Hetzner | CMS sync, calendars, payments, email and SMS, hosting | EU / US |
A current list with DPAs is available at https://whentap.com/legal/dpa.
5. Data retention
- Account + site data: retained while your subscription is active. Deleted within 30 days of account deletion.
- Billing data: retained per Dutch tax law (7 years for invoices).
- Support data: retained 2 years for quality and audit purposes.
- Webhook event logs: retained 90 days for debugging and abuse prevention.
6. Your rights (GDPR)
- Access: request a copy of all data we hold about you (one-click export from the panel)
- Rectification: correct inaccurate data
- Erasure: delete your account and all associated data (one-click from Account dialog; processed within 30 days)
- Portability: receive your data in machine-readable JSON
- Objection: object to processing based on legitimate interest
- Restriction: limit how we process your data
- Complaint: file a complaint with your local data protection authority (e.g., Autoriteit Persoonsgegevens in the Netherlands)
To exercise any right, email dpa@whentap.com. We respond within 30 days.
7. International transfers
Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions. See the DPA for specifics.
8. Security
We use AES-256-GCM encryption for stored OAuth tokens. All connections are HTTPS-only. Access to production systems is restricted to authorized personnel via SSH keys and multi-factor authentication.
Vulnerability reports: security@whentap.com (RFC 9116 security.txt at https://whentap.com/.well-known/security.txt)
9. Cookies and tracking
The marketing site (https://whentap.com) uses Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not track individuals. The app panel uses one essential cookie for session authentication.
10. Children
The Service is not directed at children under 16. We do not knowingly collect data from children.
11. Changes
Material changes to this policy will be communicated via email at least 30 days in advance.
12. Contact
- General privacy questions: hello@whentap.com
- GDPR data requests + DPA: dpa@whentap.com