Privacy Policy

1. Who we are

The data controller is WEBBERSHIP SRL, a limited-liability company registered in Romania (CUI/CIF available on request), with its registered office in Timișoara, Romania. You can reach our data protection contact at privacy@webbership.app.

The Webbership platform provides local businesses (cafés, bakeries, barbers, restaurants, etc.) with a digital loyalty-card system for Apple Wallet and Google Wallet. As an end user of the platform (a Member), you become a customer of that business — not of WEBBERSHIP SRL, which acts as a processor on behalf of the controller (the business client).

This policy applies to data processed directly by WEBBERSHIP SRL as controller: data collected through its administration platform, the registration process, and access to its own website.

2. Data we collect

2.1 Data provided directly

• Email address (when registering an administrator account)
• Password (stored encrypted via bcrypt)
• Billing details (for customers on a paid subscription)

2.2 Data collected automatically

• IP address and user-agent (for security and auditing)
• Access logs (server log files with timestamp, route, HTTP status code)
• Technical and attribution data from the marketing website: anonymous visitor and session identifiers, pages viewed, page view events, CTA clicks such as demo or trial clicks, CTA target URL, timestamp, external referrer, landing path, and campaign or click ID parameters received in the URL (for example UTM, gclid, fbclid, msclkid, ttclid)

2.3 Member data (end-users)

Members are customers of businesses that use the Webbership platform. Their data (email address or Apple/Google Wallet device token — used to update cards and deliver wallet notifications — and stamp history) is processed by Webbership as a processor on behalf of the business, following its instructions. Requests regarding Member data must be directed to the relevant business.

3. How we use data

• Service delivery: providing the administration platform, issuing and updating wallet cards (including push notifications) via Apple's Push Notification service (APNs) and the Google Wallet API, and sending transactional emails through Resend.
• Security: detecting unauthorised access, preventing abuse.
• Billing: processing payments through our payment provider (Viva Wallet).
• Service improvement: aggregated, anonymised analysis of platform usage.
• First-party marketing analytics: measuring which pages, campaigns, and CTAs lead to demos, trials, registration, checkout, and paid subscriptions, and preserving attribution context between the marketing website and the registration flow.
• Conversion exports: for campaigns where we enable destinations in Webbership Tracking, we send selected conversions server-to-server to platforms such as Meta Conversions API, Google Analytics 4 Measurement Protocol, and Google Ads conversion uploads. These exports are used for campaign measurement and optimisation and are limited to conversion and attribution data, such as event name, event ID, timestamp, source URL, value, currency, order/subscription ID, click IDs or attribution identifiers, and hashed identifiers where available.

We do not sell personal data to third parties. We do not use data for behavioural advertising.

4. Retention

Administrator account data is retained for the duration of the subscription and 30 days after termination, after which it is deleted or anonymised. Access logs are retained for 90 days. Billing data is retained in accordance with statutory accounting obligations (5 years).

First-party marketing data is kept only as long as needed for acquisition reporting, security, and debugging. Raw events are then aggregated, anonymised, or deleted according to our internal retention schedules. Identifiers and attribution stored in the browser remain until the applicable session expires or until the visitor clears cookies or local storage.

5. Your rights

Under the GDPR (Regulation (EU) 2016/679), you have the right to: access, rectification, erasure, restriction of processing, data portability, and objection. To exercise any of these rights, send a request to privacy@webbership.app. We respond within 30 days.

If you are a Member of a loyalty programme (a customer of a partner business), please contact that business directly — it is the controller of your data in that relationship.

6. Cookies, local storage, and first-party tracking

The administration platform uses a strictly necessary session cookie for authentication (SameSite=Strict, HttpOnly, Secure). The marketing website (webbership.app) does not load third-party analytics cookies, advertising pixels, or tracking scripts from advertising networks in the browser. Your consent preference may be stored in localStorage under the webbership_consent_v1 key, so we do not ask on every page.

The marketing website may load our own Webbership Tracking system from the first-party subdomain c.webbership.app. It may send events such as page_view, cta_click, content_view, content_engaged, and content_cta_clicked for pages, guides, comparisons, and demo or trial links. It may use anonymous visitor and session identifiers to connect a visit with a trial, registration, or billing event.

In the browser, we may store attribution and content touchpoint data in localStorage, including keys such as wb_attribution_v1, wb_content_touchpoints_v1, wb_visitor_id, and wb_session_v1. Internal landing-capture links may set or use a first-party wb_touch_id cookie before the registration page loads, so attribution and content touchpoints are not lost between the website and the app.

This tracking does not read form field values, email addresses, phone numbers, or message text from the marketing website. We do not sell this data. For campaigns where conversion exports are enabled, Webbership Tracking sends only conversion and attribution events to the configured destinations, for example signup, billing_checkout_started, subscription_started, or purchase; we do not send passwords, card data, billing addresses, raw names, raw emails, raw phone numbers, or form message text.

7. Contact