Privacy Policy

How we collect, use, and protect your personal data across the Websta marketplace.

Last updated: 2026-04-25

1. Introduction

Websta OÜ (“Websta”, “we”, “us”, or “our”) is a private limited company registered in Estonia, operating a local skills marketplace under the slogan “Connecting Communities”. We help service providers publish professional profiles at personal subdomains on websta.bio and help clients discover and book those services.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (“GDPR”) and Estonian data protection law. It applies to our websites, our mobile applications, and all related services (together, the “Services”).

If anything in this policy is unclear, please contact our Data Protection Officer at dpo@websta.ai.

2. Information we collect

We only collect data that is necessary to operate the Services, keep them secure, and improve them over time. Depending on how you use Websta, we may collect the following categories of information:

Account information

  • Name, email address, and (optionally) phone number.
  • Authentication data such as hashed passwords, OAuth identifiers, and session tokens.
  • Preferred language, time zone, and notification settings.

Profile and service content

  • Profile photos, gallery images, videos, biographies, and service descriptions.
  • Service categories, pricing, availability, and booking rules that you configure.
  • Location information (city, region, country) that you publish on your profile.

Booking and transaction data

  • Booking requests, messages between providers and clients, and booking status.
  • Billing details (company name, VAT number, address) needed to issue invoices under Estonian accounting law.
  • Payment identifiers handled by Stripe. We never store full card numbers on our servers — Stripe returns only a tokenised reference.

Usage and device data

  • IP address, browser type, operating system, device identifiers, and crash logs.
  • Pages visited, features used, search queries, and clickstream events.
  • Referrer URLs and campaign parameters when you arrive from marketing links.

Communications

  • Emails, support tickets, and in-app messages you send us.
  • Feedback, survey responses, and testimonials you voluntarily provide.

3. How we use your information

We process personal data only for clearly defined purposes. Specifically, we use your data to:

  • Provide the Services — create your account, host your profile, and process bookings.
  • Match clients and providers based on search queries, location, and service categories.
  • Send transactional communications such as booking confirmations, invoices, and security alerts. These are not marketing messages and you cannot opt out of them while you hold an active account.
  • Send marketing communications where you have explicitly opted in. You may unsubscribe at any time via the footer of any such email.
  • Measure performance, diagnose bugs, and improve the reliability of the Services.
  • Detect fraud, abuse, and violations of our Terms of Service.
  • Comply with legal obligations, including Estonian bookkeeping law, tax reporting, and responses to lawful requests from public authorities.

5. Sharing and disclosure

We do not sell personal data and we never have. We share data only with carefully selected processors who help us operate the Services, and only to the minimum extent necessary. Our main processors are:

  • Supabase — database, authentication, and file storage. Hosted in the EU region.
  • Vercel — application hosting, edge network, and deployment infrastructure.
  • Stripe — payment processing for custom domains and credit top-ups.
  • Google Analytics — aggregated usage analytics, loaded only after you grant consent.
  • OpenAI and Google (Gemini) — AI features such as content generation and search. Prompts and outputs are processed transiently and are not used to train third-party models.
  • Email delivery providers — transactional and marketing emails sent on our behalf.

We may also disclose data where we are legally required to do so, for example in response to a court order, to enforce our Terms of Service, or to protect the rights, property, or safety of Websta, our users, or others.

6. International transfers

Some of our processors are based outside the European Economic Area. Where personal data is transferred to such countries, we rely on the European Commission's Standard Contractual Clauses (“SCCs”) and, where applicable, supplementary safeguards to ensure an essentially equivalent level of protection.

You can request a copy of the relevant transfer mechanism by writing to dpo@websta.ai.

7. Data retention

We keep personal data only as long as we need it:

  • Account and profile data: while your account is active, and for up to 30 days after deletion.
  • Billing and tax records: seven (7) years after the end of the financial year, as required by the Estonian Accounting Act.
  • Security logs: up to 12 months for abuse detection and investigation.
  • Marketing consent records: until you unsubscribe, plus three years for proof of consent.
  • AI prompt and output logs: up to 30 days, strictly for debugging and abuse prevention.

8. Your rights under GDPR

You have strong rights over your personal data. Specifically, you may:

  • Request access to the personal data we hold about you.
  • Ask us to correct inaccurate or incomplete data.
  • Ask us to erase your data where the legal conditions are met (“right to be forgotten”).
  • Ask us to restrict or object to certain processing activities.
  • Receive a portable copy of your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with the Estonian Data Protection Inspectorate (“Andmekaitse Inspektsioon”) or your local supervisory authority.

To exercise any of these rights, email dpo@websta.ai. We will respond within one month, as required by Article 12(3) GDPR.

9. Cookies and tracking

We use cookies and similar technologies to run the Services, remember your preferences, and — only with your consent — to measure usage. For a full list of cookies, their purposes, and their lifetimes, please see our Cookie Policy.

10. Children's privacy

Websta is not intended for children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete the information promptly.

11. Data security

We take industry-standard technical and organisational measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive fields, role-based access controls, audit logging, and regular backups. No system is perfectly secure, however, and we encourage you to use a strong, unique password and to enable two-factor authentication where available.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our Services, our practices, or the law. If we make material changes, we will notify you by email or through an in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page always reflects the latest revision.

13. Contact

Websta OÜ

Tallinn, Estonia

General enquiries: info@websta.ai

Data Protection Officer: dpo@websta.ai