Privacy Policy

This Privacy Policy explains how WOM (“WOM”, “we”, “us”, “our”) collects, uses, and protects personal data when you use our platform. We are committed to handling all personal information in accordance with the General Data Protection Regulation (GDPR) and applicable data protection law.

1. Who We Are

WOM is the data controller for personal data processed on the Platform. If you have any questions about how we handle your data, please contact us at privacy@usewom.com.

2. Who This Policy Applies To

This Policy covers three types of individuals:

• Merchants — businesses that register and use WOM to manage referral programmes
• Advocates — individuals who submit referrals via a Merchant's WOM page
• Leads — individuals whose contact details are submitted in a referral

3. Data We Collect

From Merchants

• Name and email address (via authentication)
• Business name, website URL, and phone number
• Brand preferences (colours, logo)
• Subscription and billing information (processed by our payment provider)
• Referral and lead data generated via your account

From Advocates

• Full name and email address
• Any notes or qualifying information entered alongside the referral

From Leads

• First name, last name, and email address
• Phone number (optional, if provided by the Advocate)
• Consent status and timestamp

Lead data is collected and processed on the basis of consent. Before a Lead's details are shared with a Merchant, the Lead receives an email and must explicitly consent to being introduced. No Lead data is shared without that consent.

Automatically Collected Data

• Authentication session data (managed by Supabase)
• Strictly necessary cookies (see our Cookie Policy)
• Basic server-side logs for security and error monitoring

4. Legal Bases for Processing

We rely on the following legal bases under GDPR:

• Contract — processing necessary to deliver the service to Merchants (account management, referral delivery, email notifications)
• Legitimate interests — fraud prevention, platform security, business analytics, and product improvement
• Consent — processing Lead personal data; Leads may withdraw consent at any time by contacting us
• Legal obligation — compliance with applicable law

5. How We Use Your Data

• To create and manage your account
• To operate the referral and consent flow
• To send transactional emails (consent requests, referral notifications, account updates)
• To verify your business identity and maintain platform integrity
• To detect and prevent fraud and abuse
• To process subscription payments
• To respond to support requests
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising.

6. Third-Party Processors

We use the following trusted sub-processors to deliver the Platform:

• Supabase — database hosting and authentication. Data is stored on servers located in the EU. Supabase Privacy Policy
• Resend — transactional email delivery. Resend Privacy Policy
• Twilio — optional SMS phone verification. Only used if you opt in to phone verification during onboarding. Twilio Privacy Policy

All sub-processors are contractually required to handle data in accordance with GDPR and are subject to appropriate data processing agreements.

7. Data Retention

• Merchant account data — retained for the duration of the account and for 2 years following closure, unless a shorter period is required by law
• Referral data — retained for the duration of the Merchant's account
• Lead data (pre-consent) — retained for 30 days pending consent; deleted if no consent is given
• Lead data (post-consent) — retained until the Merchant account is closed or the Lead requests deletion
• Advocate data — retained while their referral history exists; deleted upon request

8. Your Rights

Under GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — request correction of inaccurate data
• Erasure — request deletion of your data, subject to legal obligations
• Restriction — request that we limit processing of your data
• Portability — receive your data in a portable, machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — at any time, where processing is based on consent (Leads)

To exercise any of these rights, contact us at privacy@usewom.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Merchant Responsibilities as Data Controller

When a Lead provides consent and a Merchant accepts a referral, the Merchant becomes a data controller for that Lead's personal data. Merchants are independently responsible for ensuring their use of that data complies with GDPR, including having a lawful basis for any further processing and providing Leads with their own privacy notice.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encryption in transit and at rest, access controls, and authentication safeguards. However, no internet-based service can guarantee absolute security.

11. Children

The Platform is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active Merchants of material changes by email. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related enquiries, contact us at privacy@usewom.com. For general support, visit our Support page.