Privacy Policy

Last Updated: November 11, 2025

Our Commitment to Privacy: We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you visit our website. We use minimal, privacy-respecting technologies and do not sell or share your data with third parties for marketing purposes.

1. Who We Are

Data Controller:

WildWavyStudio

Address: Sint Maartenslaan 36A, 6221 AZ Maastricht

Email: [email protected]

Chamber of Commerce number (KVK): 91911435

VAT ID: NL004923965B02

For the purposes of the General Data Protection Regulation (GDPR), we are the data controller responsible for your personal data.

The terms "we," "us," and "our" refer to WildWavyStudio. The terms "user," "you," and "your" refer to site visitors, customers, and any other users of the site.

2. What Information We Collect

2.1 Information You Provide to Us

We may collect the following information that you voluntarily provide:

  • Contact Information: If you contact us via email or contact form, we collect your name, email address, and message content
  • Account Information: If our website requires registration, we collect username, email, and password (encrypted)
  • User-Generated Content: Any content, data, or files you create, upload, or store through our services
  • Communication Preferences: Your preferences for receiving communications from us

This information is stored securely using Supabase, our backend service provider, which is detailed in Section 4.

2.2 Information Automatically Collected

When you visit our website, we automatically collect certain technical information:

Data Category | What We Collect | Purpose | Legal Basis
Analytics Data | Page views; referrer sources; browser type & version; device type; operating system; country (from IP address); visit duration | Understand website usage, improve content, and optimize user experience | Legitimate interest or Consent
Technical Data | IP address (processed, not stored); browser fingerprint (hashed); request headers | Security, performance optimization, and abuse prevention | Legitimate interest
Cookie Data | Essential cookies (Cloudflare); session data | Website functionality, security, and protection against malicious traffic | Legitimate interest

2.3 What We Do NOT Collect

Important: We do not collect or store:

  • Personally identifiable information (PII) through analytics
  • Precise geolocation data (only country-level)
  • Cross-site tracking data
  • Social media profiles or identities
  • Financial information (unless you make a purchase)
  • Health information or sensitive personal data

3. How We Use Your Information

We process your personal data for the following purposes:

Purpose | Legal Basis (GDPR Article 6)
Providing and maintaining our website | Legitimate interest (Article 6(1)(f))
Website security and fraud prevention | Legitimate interest (Article 6(1)(f))
Analyzing website usage and improving services | Legitimate interest (Article 6(1)(f)) or Consent (Article 6(1)(a))
Responding to your inquiries and communications | Legitimate interest (Article 6(1)(f)) or Contract (Article 6(1)(b))
Complying with legal obligations | Legal obligation (Article 6(1)(c))
Sending marketing communications (if opted in) | Consent (Article 6(1)(a))

4. Third-Party Services

We use the following third-party services to operate our website:

4.1 Umami Analytics

Purpose: Privacy-focused website analytics

Data Processed: Anonymous usage statistics (page views, referrers, browser type, device type, country)

Data Retention: Aggregated data retained indefinitely; no personal identifiers stored

Privacy Features:

  • No cookies required (cookieless tracking)
  • IP addresses are not stored
  • No cross-site tracking
  • Data is anonymized and aggregated
  • GDPR compliant by design

Data Location: EU (European Union)

More Information: Umami Privacy Policy

4.2 Supabase

Purpose: Backend infrastructure, database, authentication, and storage services

Data Processed:

  • User account information (email, username, encrypted passwords)
  • Authentication tokens and session data
  • Application data stored in the database
  • User-generated content and files (if applicable)
  • IP addresses and request metadata

Data Retention: Data retained according to your application's data lifecycle; deleted upon account deletion or as configured

Security Features:

  • End-to-end encryption for data in transit (SSL/TLS)
  • Encryption at rest for stored data
  • Row Level Security (RLS) policies
  • Regular security audits and updates
  • SOC 2 Type II compliant

Data Location: EU Central 1 (Frankfurt, Germany) - data remains within the European Union

Data Processing Agreement: Supabase acts as a data processor on our behalf and has signed a Data Processing Agreement (DPA) that includes Standard Contractual Clauses

More Information: Supabase Privacy Policy | Security

4.3 Cloudflare

Purpose: Content delivery network (CDN), DDoS protection, and security

Data Processed: IP addresses, system configuration information, HTTP headers, cookies

Data Retention: Log data retained for up to 30 days; cookies as specified in our Cookie Notice

Security Features:

  • DDoS attack mitigation
  • Bot management
  • Web Application Firewall (WAF)
  • SSL/TLS encryption

Data Location: Global network with servers worldwide

More Information: Cloudflare Privacy Policy

5. Legal Basis for Processing

Under GDPR, we must have a legal basis for processing your personal data. We rely on the following:

  • Legitimate Interest (Article 6(1)(f)): We have a legitimate interest in ensuring our website is secure, functional, and optimized for users. This includes using analytics to understand how our website is used and implementing security measures to protect against attacks.
  • Consent (Article 6(1)(a)): Where required, we obtain your explicit consent before processing certain data, such as for non-essential cookies or marketing communications. You can withdraw consent at any time.
  • Contract (Article 6(1)(b)): If you create an account or use our services, processing is necessary to fulfill our contractual obligations.
  • Legal Obligation (Article 6(1)(c)): We may process data to comply with legal requirements, such as tax or accounting obligations.

6. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have the following rights:

Right | Description
Right of Access (Article 15) | You can request confirmation of whether we process your personal data and obtain a copy of that data
Right to Rectification (Article 16) | You can request correction of inaccurate or incomplete personal data
Right to Erasure (Article 17) | You can request deletion of your personal data under certain circumstances ("right to be forgotten")
Right to Restriction (Article 18) | You can request restriction of processing of your personal data under certain circumstances
Right to Data Portability (Article 20) | You can request transfer of your data to another controller in a structured, commonly used format
Right to Object (Article 21) | You can object to processing based on legitimate interests or for direct marketing purposes
Right to Withdraw Consent (Article 7(3)) | You can withdraw consent at any time where processing is based on consent
Right to Lodge a Complaint (Article 77) | You can lodge a complaint with your local data protection authority

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.

Note: Due to the privacy-focused nature of our analytics (Umami), we collect minimal personal data. In most cases, we cannot identify individual users from analytics data, which means certain rights (like access or erasure) may not be applicable to anonymized analytics information.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this privacy policy:

Data Type | Retention Period | Reason
Analytics Data (Umami) | Indefinitely (aggregated and anonymized) | Statistical analysis and website improvement
Server Logs (Cloudflare) | Up to 30 days | Security and troubleshooting
User Account Data (Supabase) | Until account deletion or as configured | Service provision and account management
Application Data (Supabase) | As per your data lifecycle policies | Service functionality and user requirements
Contact Form Submissions | Until purpose fulfilled + 3 years | Communication record and legal compliance
Account Information | Until account deletion + 30 days | Service provision and legal compliance
Cookies | As specified in Cookie Notice | Varies by cookie type and purpose

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including:

  • Supabase: Your data is stored in EU Central 1 (Frankfurt, Germany) and remains within the European Union. As the data stays within the EEA, no international data transfer safeguards are required for Supabase. Supabase is SOC 2 Type II compliant and provides a Data Processing Agreement (DPA)
  • Umami: Your analytics data is hosted within the European Union and remains within the EEA. No international data transfer safeguards are required for Umami
  • Cloudflare: Operates a global network with data centers worldwide. Cloudflare complies with GDPR and has implemented appropriate safeguards including Standard Contractual Clauses (SCCs)

We ensure that all international data transfers are protected by appropriate safeguards as required by GDPR Chapter V, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions for certain countries
  • Additional technical and organizational measures

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted between your browser and our website is encrypted using SSL/TLS
  • Access Controls: Limited access to personal data on a need-to-know basis
  • Security Monitoring: Cloudflare provides DDoS protection and security monitoring
  • Regular Updates: Security patches and updates applied regularly
  • Data Minimization: We collect only the minimum data necessary
  • Anonymization: Analytics data is anonymized and aggregated

Security Notice: While we implement robust security measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but continuously work to protect your data.

10. Children's Privacy

Our website is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us, and we will delete such information.

11. Do Not Track Signals

Our website respects "Do Not Track" (DNT) browser signals. When DNT is enabled:

  • Umami analytics will not track your visit
  • We will not collect analytics data from your session
  • Essential security cookies (Cloudflare) may still be used for website functionality and security

12. Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Data Controller: WildWavyStudio

Address: Sint Maartenslaan 36A, 6221 AZ Maastricht

Email: [email protected]

Chamber of Commerce number (KVK): 91911435

VAT ID: NL004923965B02

13. Supervisory Authority

If you are located in the EEA and have concerns about how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority:

Document Version: 1.0

Effective Date: November 11, 2025

This privacy policy is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.