Privacy Policy
Last Updated: December 1, 2025
Waitcenter ("we," "us," or "our") respects your privacy and is committed to protecting the personal data we process. This Privacy Policy explains how we look after your personal data when you visit our website, use our SaaS platform, or integrate with our API.
1. WHO WE ARE (DATA CONTROLLER)
For the purpose of the General Data Protection Regulation (GDPR), the Data Controller for your Account Data (defined below) is:
Blockfactory Sp. z o.o.
ul. Stablewskiego 13/2
60-213 Poznań, Poland
Contact Email: privacy@waitcenter.com
Note on Roles:
- For Account Data: We are the Controller (we decide how to use your signup info).
- For Service Data (Status Updates): We are the Processor. You (our Customer) are the Controller.
2. THE "NO PII IN PAYLOADS" POLICY
Critical Notice:
Our architecture is designed as a metadata engine, not a record of individuals. You are strictly prohibited from entering Personally Identifiable Information (PII) into Status Names, Workflows, Metadata fields, or Internal Notes.
- Order IDs, Ticket Numbers
- Vehicle IDs
- Timestamps
- Generic Statuses ("In Progress")
- Patient Names, Home Addresses
- Personal Phone Numbers
- Medical Diagnosis text
- Any direct PII
If you mistakenly upload PII into the system, we process it only incidentally and you retain full liability for that data as the Data Controller.
3. DATA WE COLLECT
We collect data in two distinct categories:
A. Account Data (Your Data)
This is data about YOU (the business owner/employee) required to run the service.
- Identity Data: Email address, Full Name (of the employee/admin).
- Billing Data: Transaction history, Plan selection (Stored via Stripe; we do not store full credit card numbers).
- Technical Data: IP address, browser type, login timestamps, and device info used to access the Dashboard.
B. Service Data (The Statuses)
This is the data you send to our API or enter into the Dashboard to track your workflows.
- Entity Identifiers: UUIDs, Order Numbers, Ticket IDs.
- Workflow Data: Status labels, transitions, timestamps.
- Geolocation Data: If using the Live Map feature, we process transient GPS coordinates (Lat/Long) of your assets/drivers.
- End-User Contact Methods: If you use our Notification system, we process the destination Phone Number (for SMS) or Email (for Email alerts) strictly to deliver the message. This data is hashed or transiently processed where possible.
4. HOW WE USE YOUR DATA
We use your data for the following legal bases:
| Purpose | Type of Data | Legal Basis |
|---|---|---|
| To provide the Service (Login, Dashboard access) | Account Data | Performance of a Contract |
| To bill you (Subscriptions, Overage) | Billing Data | Performance of a Contract |
| To send Status Notifications (Email/SMS) | Service Data | Performance of a Contract (On your behalf) |
| To secure our platform (Preventing DDoS, API abuse) | Technical Data | Legitimate Interest |
| To analyze usage trends (Improving the product) | Technical Data | Legitimate Interest |
5. DATA SHARING & SUBPROCESSORS
We do not sell your data. To provide the Service, we share data with trusted third-party infrastructure providers ("Subprocessors").
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Hosting & Infrastructure | USA / Global (DPA in place) |
| Stripe | Payment Processing | USA (DPA in place) |
| Resend | Email Delivery | USA (DPA in place) |
| Clerk | Authentication | USA (DPA in place) |
6. GEOLOCATION & MAP DATA
If you use our Real-Time Geolocation features:
- We process GPS coordinates sent by your drivers/employees via the API.
- This data is ephemeral. We cache the latest location in memory (Redis) to serve the live map.
- We do not build long-term historical movement profiles of individuals unless explicitly configured in your "Audit Log" settings.
7. COOKIES AND TRACKING
We use cookies to:
- Essential: Keep you logged in (Session Tokens).
- Functional: Remember your Dashboard preferences.
- Analytics: (Optional) Understand which features you use most.
You can block cookies in your browser, but the Dashboard will not function correctly (you will not be able to log in).
8. DATA RETENTION
- Account Data: Retained as long as your account is active, plus 6 years for tax/accounting purposes (required by Polish law).
- Service Data (Active): Retained while the order is "In Progress."
- Service Data (Completed): We retain completed order history for a default period of 90 days to allow for reporting. After this, data may be archived or deleted.
- Logs: API Access logs are retained for 30 days for security auditing.
9. YOUR RIGHTS (GDPR)
Under the GDPR, you have the right to:
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data ("Right to be forgotten").
- Object to processing of your personal data.
- Request data portability (Export your data).
To exercise these rights, email us at privacy@waitcenter.com.
10. SECURITY
We implement industry-standard security measures, including:
- Encryption in transit (TLS 1.3/HTTPS).
- Encryption at rest (Database volume encryption).
- Strict Role-Based Access Control (RBAC) for our internal staff.
- Regular automated backups.
11. INTERNATIONAL TRANSFERS
If we transfer data outside the European Economic Area (EEA), we ensure a similar degree of protection is afforded to it by using specific contracts approved by the European Commission (Standard Contractual Clauses) with our providers (e.g., Stripe, Resend).
12. CHANGES TO THIS POLICY
We may update this privacy policy from time to time. We will notify you of any significant changes via email or a dashboard notification.