ConnectWyze

Privacy Policy

Last updated: May 9, 2026

1. Who we are

ConnectWyze ("ConnectWyze", "we", "us", "our") provides a creative automation platform that turns customer data feeds into branded images, videos, and other marketing assets. This policy explains what personal data we collect, why we collect it, and the rights you have over it.

For questions about this policy or to exercise any of the rights described below, contact [email protected].

2. The data we collect

We collect personal data in three distinct contexts:

2.1 Account data

  • Identity & contact: name, email address, avatar (if you upload one or sign in with Google), workspace name, role within a workspace.
  • Authentication: hashed password (bcrypt) for email/password accounts, or your Google account identifier if you sign in with Google. We never see your Google password.
  • Email verification & password reset: short-lived single-use tokens we issue and send to you.
  • Billing: billing address and tax fields you enter, plus the Stripe customer ID and subscription status we receive from Stripe. We do not store full card numbers — Stripe handles that directly.

2.2 Workspace content

  • Data feeds: if you connect an API, upload a CSV, or build a manual feed, the rows you bring in (which may include personal data about your customers) are stored in our database to render images and run automations.
  • Templates & assets: templates you build, images and videos you upload, and the generated output files.
  • Job & usage logs: records of which templates were rendered against which feed items, credits used, and errors that occurred.

2.3 Technical data

  • IP address, user-agent, and request metadata captured by our servers and CDN.
  • Application errors and performance traces collected via Sentry so we can debug issues.
  • Session cookies set by NextAuth for keeping you signed in (see Cookie Policy).

3. How we use the data

We process personal data to:

  • Operate the service: render images, deliver generated assets to your storage, run scheduled automations, charge for credits.
  • Authenticate you and protect your account: sign-in, multi-workspace switching, email verification, password reset.
  • Bill subscriptions and charges through Stripe; generate invoices and receipts.
  • Send transactional emails (sign-up confirmation, verification, password reset, job completion, ticket replies, workspace invitations) via Resend.
  • Send opt-in operational notifications to a Slack workspace if you connect one.
  • Investigate abuse, fraud, and security incidents.
  • Comply with legal obligations and respond to lawful requests.

The legal bases we rely on (under the GDPR and analogous laws) are: contract (running the service you signed up for), legitimate interests (preventing abuse, improving the product), consent (where required, e.g. analytics cookies if/when we add them), and legal obligation (tax, accounting, lawful requests).

4. Third-party processors

We share data only with sub-processors strictly necessary to run the service. Each operates under its own privacy commitments.

  • Stripe — payment processing, subscription billing, customer portal. Stripe receives billing details and charges your card directly.
  • Google (OAuth) — if you choose "Continue with Google", Google authenticates you and shares your name, email, and profile picture with us.
  • Resend — sends our transactional emails.
  • Cloudflare R2, Google Cloud Storage, AWS S3, Firebase Storage — depending on your workspace configuration, generated assets and uploaded media are stored in one or more of these providers. You may bring your own storage credentials.
  • Sentry — captures application errors and performance traces (no full request bodies; PII is scrubbed where feasible).
  • Slack — if you connect Slack, we send operational notifications to the channel you choose.
  • Hetzner Cloud (Germany) — our application servers and primary database run on Hetzner infrastructure in the EU.

We do not sell personal data and we do not share it with advertisers or data brokers.

5. International transfers

Our primary infrastructure is in the European Union (Germany). Some sub-processors (Stripe, Google, Resend, AWS, GCS) operate globally. Where data is transferred outside the EEA/UK, we rely on the recipient's Standard Contractual Clauses or equivalent safeguards.

6. Retention

We retain personal data for as long as your account is active. When a workspace is deleted, we remove its content within 30 days, except where we must keep records to comply with tax, accounting, or legal obligations (typically up to 7 years for billing records). Backups are rotated and the last backup is kept for up to 30 days.

7. Security

We protect data with defence-in-depth measures: TLS in transit, encryption at rest for credentials and storage tokens (AES-256-GCM), bcrypt password hashing, role-based access in the application, least-privilege production access, automated daily database backups, and a managed error-tracking pipeline. No system is perfectly secure; if you discover a vulnerability, contact [email protected].

8. Your rights

Subject to applicable law (GDPR, UK GDPR, CCPA / CPRA, and similar regimes), you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion of your account and the personal data linked to it, subject to retention obligations;
  • request a portable export of your data;
  • object to or restrict certain processing;
  • withdraw consent at any time where processing is based on consent;
  • lodge a complaint with your local supervisory authority if you believe we have mishandled your data.

To exercise any of these rights, email [email protected] from the address tied to your account. We will respond within 30 days.

9. Customer data in your workspace

When you push customer data into a feed, you are the controller of that data and ConnectWyze is the processor. You are responsible for ensuring you have a lawful basis to share that data with us. Enterprise customers may request a Data Processing Agreement (DPA) before sending personal data of EU/UK residents.

10. Children

ConnectWyze is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has signed up, contact us and we will delete the account.

11. Changes to this policy

We may update this policy as the product evolves. Material changes will be announced via in-app banner or email at least 14 days before they take effect. The "Last updated" date at the top always reflects the current version.

12. Contact

ConnectWyze
Email: [email protected]