WaitlistPilot logo

Privacy Policy

Effective Date: November 18, 2025

1. Introduction and Scope

This Privacy Policy explains how Lionel Wermelinger & Fynn Auerbach, einfache Gesellschaft ("we", "us", or "our") collects, uses, shares, and protects personal data in relation to WaitlistPilot (the "Service").

We are based in Switzerland and primarily follow the requirements of the Swiss Federal Act on Data Protection (FADP). Where we offer our Service to individuals in the European Economic Area (EEA) or the United Kingdom, we also aim to comply with the EU/UK General Data Protection Regulation (GDPR). For California residents, certain rights under the California Consumer Privacy Act (CCPA/CPRA) may also apply.

2. Our Roles in Data Processing

For account owners and customers who sign up to use WaitlistPilot, we act as a data controller for the personal data we collect about you (for example, your profile, billing information, settings, and platform analytics).

Our customers use WaitlistPilot to collect and manage data about their own subscribers. For that subscriber data, the customer is the data controller, and we act as a data processor (or service provider) on their behalf. We process subscriber data only according to their instructions and this Policy.

If you are a waitlist subscriber, please contact the relevant customer (the owner of the waitlist) first for questions about your personal data. We will assist the customer as necessary.

3. Personal Data We Collect

3.1 From Account Owners (Customers)

We may collect and process the following categories of personal data about you:

  • Profile and account data: email address, full name, avatar URL, job title, timezone, language, and notification preferences.
  • Workspace and project data: workspace name and slug, default settings (for example, theme, waitlist copy, form fields, reward tiers), project names, slugs, subdomains and custom domains, template selections, and other configuration metadata.
  • Billing data: Stripe customer ID and related subscription information. We do not store full payment card numbers; Stripe processes payments on our behalf.
  • Usage and settings data: API keys (stored only as hashed values plus prefix and last four characters), webhook endpoint configurations, event logs related to webhooks, and other administrative preferences.
  • Technical data: timestamps of actions, plan tier, usage metrics, and automatically logged information related to use of the Service.

3.2 From Waitlist Subscribers (End Users)

When you join a waitlist hosted on WaitlistPilot, we may process the following data on behalf of the customer:

  • Signup data: email address, optional name, a unique referral code, signup status (for example, pending, confirmed, or blocked), and any additional form fields configured by the customer (for example, company name or project interest).
  • Referral data: relationships between subscribers (inviter and invitee), referral counts, and queue position information.
  • Event data: events associated with the waitlist such as signups, confirmations, referrals, page views, and webhook deliveries, which may be linked to a subscriber.
  • Technical data: a hashed version of your IP address (using SHA-256; the raw IP is not stored by this layer), user agent string, timestamps, and other device or browser characteristics that may be logged when you interact with the waitlist page.

We do not intend to collect special categories of personal data (for example, health information or religious beliefs) or data of children under the age thresholds set by applicable law. Customers are responsible for configuring their forms accordingly.

4. How We Collect Data

We collect personal data directly from you when you create an account, configure a project, or otherwise submit information through the Service; automatically through your use of the Service and waitlist pages (including logs, hashed IP addresses, user agents, and event data); and from third parties such as Stripe (for billing identifiers) or single sign-on providers if you use them (if supported).

We may use first-party cookies or similar technologies where necessary for authentication, security, session management, and basic analytics. Our hosting provider may also set technical cookies.

5. Purposes and Legal Bases for Processing

We process personal data for the following purposes and, where required, on the following legal bases:

  • Providing and operating the Service: to create and manage accounts and workspaces; host waitlists; process signups, referrals, queue logic, analytics, exports, and webhooks. Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and equivalent under Swiss law.
  • Billing and payments: to manage subscriptions, invoices, and payment status via Stripe. Legal basis: performance of a contract and compliance with legal obligations (for example, tax and accounting).
  • Communications: to send transactional emails (for example, signup confirmations, reset links, and waitlist updates) via AWS Simple Email Service (SES) and Supabase templates, and to send administrative messages about account status, changes to the Service, or security incidents. Legal basis: performance of a contract and our legitimate interests in keeping you informed.
  • Security, abuse prevention, and compliance: to enforce access controls and row-level security, hash IP addresses and API keys, monitor logs and events to detect abuse or security incidents, and comply with legal obligations. Legal basis: legitimate interests (protecting our Service, users, and data) and compliance with legal obligations.
  • Analytics and service improvement: to produce aggregated analytics about usage patterns and waitlist performance and to improve templates, product design, and infrastructure. Legal basis: legitimate interests in improving and developing the Service.
  • Optional AI features: when enabled, to send text prompts to OpenAI for copy suggestions or similar functionality, using only the text we decide to include in the request (not direct database access). Legal basis: performance of a contract and legitimate interests in offering advanced features.

For subscriber data processed on behalf of customers, our purposes and legal basis are determined by the customer; we act on their instructions.

6. Sharing of Personal Data

We may share personal data with service providers and subprocessors, including Supabase (database storage and authentication), Stripe (processing payments and managing subscriptions), AWS (SES) (sending transactional emails), Sentry (error monitoring and performance telemetry), Plausible (privacy-friendly web analytics), OpenAI (optional AI features using only text prompts), and cloud hosting providers (such as Vercel or similar) for infrastructure, logging, and content delivery. These providers process data on our behalf under data processing or equivalent agreements.

Account owners (our customers) access their own subscriber data via the dashboard, CSV exports, and webhooks. That data is controlled by the customer and subject to their own privacy practices.

We may also disclose personal data where required to comply with law, court orders, or lawful requests, or to protect our rights or the rights of others. We do not sell personal data in the sense of CCPA/CPRA.

6.1 Cross-Border Transfers

We are based in Switzerland and our subprocessors may be located in other countries, including the United States. Where personal data is transferred from Switzerland or the EEA to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or equivalent contractual safeguards and, where applicable, on the EU–US Data Privacy Framework and Swiss–US Data Privacy Framework for participating U.S. providers.

7. Security Measures

We take reasonable technical and organizational measures to protect personal data, including database row-level security (RLS) for tenant isolation, hashing of IP addresses and API keys using industry-standard algorithms, use of service-role keys only on the backend, access control and logging for internal systems, and encryption in transit using TLS.

However, no method of transmission or storage is completely secure. You are responsible for safeguarding access to your own systems, credentials, and endpoints, especially if you receive data via webhooks or APIs.

8. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, including for account owners for the duration of your account and for a reasonable period thereafter as needed for legal, accounting, or reporting purposes, and for waitlist subscribers as long as the relevant customer's project and account remain active and until the customer or we delete the data.

Our database design includes cascade deletions: deleting a profile or project will usually delete associated data such as workspace settings, API keys, webhook endpoints and deliveries, signups, referrals, events, and custom domains. Backups and hosting logs may retain data for a limited period consistent with our providers' policies.

We do not currently implement automatic time-based deletion (for example, auto-delete after a set number of years), but may add such features in the future.

9. Your Rights

Depending on your location and applicable law (including FADP, GDPR, and CCPA/CPRA), you may have the right to access your personal data, request correction of inaccurate data, request deletion of your data, request restriction of processing, object to certain processing (particularly where based on legitimate interests), receive your data in a structured, commonly used, and machine-readable format, withdraw consent where processing is based on consent (without affecting prior processing), and, for California residents, exercise additional rights such as knowing, deletion, and freedom from discrimination for exercising rights.

For account owners, you can often exercise these rights directly through your account settings. You can also contact us at privacy@waitlistpilot.com.

If you are a waitlist subscriber, please contact the relevant customer (the owner of the waitlist) first, as they are your primary data controller. We will assist the customer as required.

We respond to rights requests within the timeframes required by applicable law, which generally means within one month under GDPR and Swiss law (extendable by up to two additional months for complex requests) and within 45 days (with possible extension) for CCPA/CPRA.

You also have the right to lodge a complaint with a supervisory authority, in particular in Switzerland with the Federal Data Protection and Information Commissioner (FDPIC) and, in the EU/EEA or UK, with your local data protection authority.

10. Children's Privacy

The Service is not intended for children under the age thresholds set by applicable law (typically 16 in the EU, 13 or 16 elsewhere), and we do not knowingly collect personal data from such children.

Customers must not use the Service to target or knowingly collect data from children without appropriate legal safeguards and their own compliance with applicable child protection and data protection laws.

If you believe that we have unintentionally collected personal data from a child, please contact us at privacy@waitlistpilot.com and we will take appropriate steps.

11. Do we use online tracking and online advertising techniques?

We use various techniques on our website that allow us and third parties engaged by us to recognize you during your use of our website, and possibly to track you across several visits. This Section informs you about this.

In essence, we wish to distinguish access by you (through your system) from access by other users, so that we can ensure the functionality of the website and carry out analysis and personalization. We do not intend to determine your identity, even if that is possible where we or third parties engaged by us can identify you by combination with registration data. However, even without registration data, the technologies we use are designed in such a way that you are recognized as an individual visitor each time you access the website, for example by our server (or third-party servers ) that assign a specific identification number to you or your browser (so-called "cookie").

More

Cookies are individual codes (for example a serial number) that our server or a server of our service providers or advertising partners transmits to your system when you connect to our website, and that your system (browser, cell phone) accepts and stores until the set expiration time. Your system transmits these codes to our server or the third-party server with each additional access. That way, you are recognized even if your identity is unknown.

Other technologies may be used to recognize you with some likelihood (i.e. distinguish you from other users), such as "fingerprinting". Fingerprinting combines your IP address, the browser you use, screen resolution, language settings and other information that your system tells each server), resulting in a more or less unique fingerprint. This makes it possible to go without cookies.

Whenever you access a server (for example when you use a website or an app, or because an e-mail includes a visible or invisible image), your visits can therefore be "tracked". If we integrate offers from an advertising partners or a provider of an analysis tool on our website, they may track you in the same way, even if you cannot be identified in a particular case.

We use these technologies on our website and may allow certain third parties to do so as well. However, depending on the purpose of these technologies, we may ask for consent before they are used. You can access your current settings here [MISSING_VALUE – Link to cookie settings]. You can also set your browser to block or deceive certain types of cookies or alternative technologies, or to delete existing cookies. You can also add software to your browser that blocks certain third-party tracking. You can find more information on the help pages of your browser (usually with the keyword "Privacy") or on the websites of the third parties set out below.

We distinguish the following categories of "cookies" (including other technologies such as fingerprinting):

  • Necessary cookies: Some cookies are necessary for the functioning of the website or for certain features. For example, they ensure that you can move between pages without losing information that was entered in a form. They also ensure that you stay logged in. These cookies exist temporarily only ("session cookies"). If you block them, the website may not work properly. Other cookies are necessary for the server to store options or information (which you have entered) beyond a session (i.e. a visit to the website) if you use this function (for example language settings, consents, automatic login functionality, etc.). These cookies have an expiration date of up to [24] months.
  • Performance cookies: In order to optimize our website and related offers and to better adapt them to the needs of the users, we use cookies to record and analyze the use of our website, potentially beyond one session. We use third-party analytics services for this purpose. We have listed them below. Before we use such cookies, we ask for your consent. You can withdraw consent at any time through the cookie settings here [MISSING_VALUE – Link to cookie settings]. Performance cookies also have an expiration date of up to [24] months. Details can be found on the websites of the third-party providers.
  • Marketing Cookies: We and our advertising partners have an interest in targeting advertising as precisely as possible, i.e. only showing it to those we wish to address. We have listed our advertising partners below. For this purpose, we and our advertising partners - if you consent - use cookies that can record the content that has been accessed or the contracts that have been concluded. This allows us and our advertising partners to display advertisements that we think will interest you on our website, but also on other websites that display advertisements from us or our advertising partners. These cookies have an expiration period of a few days to [12] months, depending on the circumstances. If you consent to the use of these cookies, you will be shown related advertisements. If you do not consent to them, you will not see less advertisements, but simply any other advertisement.

In addition to marketing cookies, we use other technologies to control online advertising on other websites and thereby reduce advertising wastage. For example, we may transmit the e-mail addresses of our users, customers and other persons to whom we wish to display advertisements to operators of advertising platforms (for example social media). If these persons are registered with them with the same e-mail address (which the advertising platforms determine by a matching process), the providers display our advertisements specifically to these persons. The providers do not receive personal e-mail addresses of persons who are not already known to them. In case of known e-mail addresses, however, they learn that these persons are in contact with us and the content they have accessed.

We may also integrate additional third-party offers on our website, in particular from social media providers. These offers are deactivated by default. As soon as you activate them (for example by clicking a button), these providers can determine that you are using our website. If you have an account with that social media provider, it can assign this information to you and thereby track your use of online offers. These social media providers process this data as separate controllers.

We currently use offers from the following service providers and advertising partners (where they use data from you or cookies set on your computer for advertising purposes):

  • Plausible Analytics: We use Plausible Analytics to measure and evaluate the use of our website. Plausible is a privacy-focused analytics tool that minimizes data collection.
  • Sentry: We use Sentry for error tracking and performance monitoring to ensure the stability of our application.
  • hCaptcha: We use hCaptcha to protect our website from spam and abuse.
  • [MISSING_VALUE – additional service providers, advertising partners such as Facebook if Custom Audiences is used, some of which have specific requirements on how to inform website users, etc.].

12. What data do we process on our social network pages?

We may operate pages and other online presences ("fan pages", "channels", "profiles", etc.) on social networks and other platforms operated by third parties and collect the data about you described in Section 3 and below. We receive this data from you and from the platforms when you interact with us through our online presence (for example when you communicate with us, comment on our content or visit our online presence). At the same time, the platforms analyze your use of our online presences and combine this data with other data they have about you (for example about your behavior and preferences). They also process this data for their own purposes, in particular for marketing and market research purposes (for example to personalize advertising) and to manage their platforms (for example what content they show you) and, to that end, they act as separate controllers.

More

We receive data about you when you communicate with us through online presences or view our content on the corresponding platforms, visit our online presences or are active on them (for example publish content, submit comments). These platforms also collect technical data, registration data, communication data, behavioral data and preference data from you or about you, among other things (see Section 3 about these terms). These platforms usually perform statistical analysis of the way you interact with us, how you use our online presences and our content or other parts of the platform (what you view, comment on, "like", forward, etc.) and combine this data with other information about you (for example information about your age and your gender and other demographic information). In that way, they create profiles about you and statistics on the use of our online presences. They use this data and profiles to display to you our or other advertisements and other personalized content on the platform and to manage the behavior of the platform, but also for market and user research and to provide us and other parties with information about you and the use of our online presence. We can control the analysis that these platforms generate regarding the use of our online presence to some extent.

We process this data for the purposes set out in Section 4, in particular for communication, for marketing purposes (including advertising on these platforms, see Section 12) and for market research. You will find information about the applicable legal basis in Section 5. We may disseminate content published by you (for example comments on an announcement), for example as part of our advertising on the platform or elsewhere. We or the operators of the platforms may also delete or restrict content from or about you in accordance with their terms of use (for example inappropriate comments).

For further information on the processing of the platform operators, please refer to the privacy information of the relevant platforms. There you can also find out about the countries where they process your data, your rights of access and erasure of data and other data subjects rights and how you can exercise them or obtain further information. We currently use the following platforms:

  • [MISSING_VALUE – list of social media platforms].

13. Can we update this Privacy Notice ?

This Privacy Notice is not part of a contract with you. We can change this Privacy Notice at any time. The version published on this website is the current version.

Last updated: November 18, 2025

14. Contact Us

If you have questions about this Privacy Policy or our data practices, you can contact us at:

Email (privacy & data protection): privacy@waitlistpilot.com

Email (support & general): support@waitlistpilot.com