Back to home
    Legal · GDPR

    Privacy policy.

    Effective date: 28 May 2026

    This Privacy Policy describes how Wenuprocesses personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable national data protection laws.

    1. Data Controller

    The data controller responsible for processing your personal data is:

    Wenu
    Sundevedsgade 1, 3. TV.
    1751 Copenhagen
    Denmark
    Email: [email protected]

    For any questions regarding this Privacy Policy or the processing of your personal data, please contact us at the address above.

    2. Scope of This Policy

    This Privacy Policy applies to personal data that Wenu processes when you visit our website, register for an account, use our NFC tag, QR code, menu, TV display and link-page management services, or otherwise interact with us.

    3. Categories of Personal Data We Process

    We may process the following categories of personal data:

    • Account data: name, email address, organization name, hashed password, role.
    • Authentication data: OAuth provider identifiers (Google, GitHub, Facebook) and basic profile data returned by these providers.
    • Billing data: subscription plan, invoice records, and payment tokens handled by our payment processor (Stripe). We do not store full payment card numbers.
    • Technical data: IP address (truncated/anonymized for analytics), browser type, device type, operating system, session identifiers.
    • Usage and analytics data: NFC tag scans, QR code scans, page views, link clicks, timestamps, approximate geographic location (country / city level), referral source.
    • Content data: menu items, link pages, TV display content, organization settings, branding and media you upload to the platform.
    • Support communications: correspondence, support tickets and related metadata when you contact us.
    • Audit logs: records of administrative actions performed in your organization for security and accountability purposes.

    4. Purposes and Legal Bases of Processing

    We process personal data only where we have a lawful basis under Article 6 GDPR:

    • Performance of a contract (Art. 6(1)(b) GDPR): to create and manage your account, provide the service, process subscriptions, and deliver support.
    • Legitimate interests (Art. 6(1)(f) GDPR): to secure our platform, prevent fraud and abuse, maintain audit logs, produce aggregated analytics, and improve our service. You may object to processing based on legitimate interests at any time.
    • Consent (Art. 6(1)(a) GDPR): for non-essential cookies, direct marketing, and any other processing that requires your explicit consent. You may withdraw consent at any time with effect for the future.
    • Legal obligation (Art. 6(1)(c) GDPR): to comply with tax, accounting, and other statutory obligations.

    5. Where Your Data Is Hosted

    Wenu is a European solution. Our production application and database servers are located in the European Union — specifically in data centers in Germany. Operational data (account data, content data, analytics, audit logs) is stored and processed on infrastructure within the EU/EEA.

    A limited set of sub-processors (for example, payment processing and transactional email) may be located outside the EU/EEA. In those cases we rely on appropriate safeguards as described in Section 8 below.

    6. Recipients and Sub-processors

    We do not sell or rent your personal data. We share personal data only with carefully selected recipients that assist us in providing the service, and only to the extent strictly necessary:

    • Hosting provider (Germany / EU): operates the servers on which Wenu runs.
    • Stripe, Inc.: payment processing for subscriptions.
    • Transactional email provider: delivery of system and account emails.
    • OAuth providers: Google, GitHub and Facebook, when you choose to sign in via these services.
    • Professional advisors and authorities: where legally required or permitted (e.g. court orders, regulatory investigations).

    All sub-processors are bound by a data processing agreement in accordance with Article 28 GDPR and are only permitted to process personal data on our documented instructions.

    7. NFC Scans and Public Page Analytics

    When a guest taps an NFC tag or scans a QR code, Wenu records metadata about the scan (timestamp, device type, approximate location, referral source). IP addresses are anonymized before storage. This data is used to generate aggregated analytics for the organization that owns the tag and to secure the platform against abuse. We do not use this data to build profiles of individual visitors or to engage in cross-site tracking.

    8. International Data Transfers

    Where personal data is transferred to a country outside the EU/EEA (for example, when using Stripe or an OAuth provider), the transfer is protected by one or more of the following safeguards:

    • An adequacy decision of the European Commission pursuant to Article 45 GDPR.
    • Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2) GDPR.
    • Other appropriate safeguards recognized under Chapter V of the GDPR, including supplementary measures where required.

    You may request a copy of the relevant safeguards by contacting [email protected].

    9. Retention Periods

    We retain personal data only for as long as necessary for the purposes for which it was collected:

    • Account data: for the duration of the account and up to 90 days after deletion, unless a longer retention period is required by law.
    • Billing and invoice records: for the statutory retention period required by applicable bookkeeping law (typically 5 years in Denmark).
    • Analytics data: in anonymized/aggregated form, retained for the lifetime of the product.
    • Audit logs: typically 12 months, unless a longer period is required for security or legal reasons.
    • Support communications: up to 24 months after the ticket is closed.

    10. Your Rights Under the GDPR

    As a data subject you have the following rights under Articles 15–22 GDPR:

    • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy.
    • Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
    • Right to erasure (Art. 17): request deletion of your data where one of the grounds in the GDPR applies.
    • Right to restriction of processing (Art. 18): request that processing be limited in certain circumstances.
    • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller.
    • Right to object (Art. 21): object to processing based on legitimate interests, including profiling.
    • Rights related to automated decision-making (Art. 22): we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
    • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time with effect for the future.
    • Right to lodge a complaint: with a supervisory authority — in Denmark, the Danish Data Protection Agency (Datatilsynet, datatilsynet.dk).

    To exercise any of these rights, please contact us at [email protected]. We will respond within one month, as required by Article 12(3) GDPR.

    11. Security Measures

    We implement appropriate technical and organizational measures pursuant to Article 32 GDPR, including:

    • Encryption of data in transit (HTTPS / TLS).
    • Encryption of data at rest on our hosting infrastructure.
    • Strong password hashing (bcrypt).
    • Role-based access control and the principle of least privilege.
    • Anonymization of IP addresses used for analytics.
    • Comprehensive audit logging for administrative actions.
    • Regular security reviews, dependency updates and backups.

    12. Cookies and Similar Technologies

    We use strictly necessary cookies to authenticate your session and secure the platform. Any non-essential cookies — for example, product analytics — are only set with your consent and can be withdrawn at any time. You can also configure your browser to refuse cookies, although parts of the service may not function correctly without essential cookies.

    13. Children's Privacy

    Our services are intended for businesses and their authorized staff. They are not directed at children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

    14. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. The updated version will be posted on this page with a revised effective date. For material changes we will take reasonable steps to notify you directly.

    15. Contact

    If you have questions, concerns, or requests regarding this Privacy Policy or the way we process your personal data, please contact us at:

    Wenu
    Sundevedsgade 1, 3. TV.
    1751 Copenhagen, Denmark
    Email: [email protected]

    Back to homeEuropean solution · Hosted in Germany