Privacy Policy

March 14, 2025

1. Data Controller

The controller of your personal data is:

Wepuca, Lda.
Email: geral@wepuca.com
Portugal

2. Data We Collect

2.1 Registration and Account Data

  • Full name
  • Email address
  • Password (stored as a bcrypt hash)
  • Profile image (when using Google login)
  • Company and phone (optional)
  • Country

2.2 Payment Data

Payment data (credit card, etc.) is processed directly by Stripe. Wepuca does not store card data. We only store the Stripe customer identifier and subscription status for billing management.

2.3 Google Integration Data

When you link your Google account (OAuth 2.0), we collect and store:

  • Access and refresh tokens (to access Google Merchant Center and Google Ads)
  • Product, campaign and metrics data (impressions, clicks, conversions, costs, ROAS) synced from your Google account
  • Merchant Center and Google Ads account identifiers

This data is necessary for the Labelizer, Products AI, Title Optimizer, Price Benchmark and PMax Insights features.

2.4 Usage Data

  • Date and time of last login
  • Number of logins
  • Activity logs (platform actions)
  • Notification preferences
  • Technical data: IP address, user-agent, country (inferred)

2.5 Cookies and Similar Technologies

We use cookies for session, language and country preferences, and cookie consent. See our Cookie Policy for details.

2.6 Newsletter

If you subscribe to the newsletter, we collect your email. Processing may be done jointly with Resend or another email provider.

3. Purposes and Legal Basis (GDPR)

Purpose | Legal Basis
Service provision, account management | Contract performance
Billing and payments | Contract performance
Google integration (Merchant Center, Ads) | Contract performance / Consent
Service communications (transactional emails) | Contract performance
Platform improvement, analytics | Legitimate interest
Marketing, newsletter | Consent
Legal compliance | Legal obligation
Fraud and abuse prevention | Legitimate interest

4. Recipients and International Transfers

Your data may be shared with:

  • Stripe (USA) — payment processing. Adequacy: EU Standard Contractual Clauses
  • Google (USA) — OAuth, Merchant Center, Google Ads. Adequacy: Privacy Shield certification or equivalents
  • Vercel (USA) — application hosting. Adequacy: DPA and standard clauses
  • Supabase/PostgreSQL — database. May be in the EU
  • Resend (if used) — transactional email sending
  • OpenAI (if used for Products AI, Title Optimizer) — prompt processing. Data may be sent to the API

For transfers to countries outside the EEA, we ensure adequate measures (standard contractual clauses, adequacy decisions) in compliance with the GDPR.

5. Data Retention

  • Active account: Data is retained while the account is active.
  • After cancellation: Data is deleted or anonymised within 90 days, except when law requires longer retention (e.g. billing, tax obligations).
  • Logs and backups: May be retained for longer periods for technical and security reasons.
  • Payment data: Billing records are retained as required by law (generally 7-10 years in Portugal).

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access: Obtain confirmation of whether we process your data and a copy of it
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data («right to be forgotten»)
  • Restriction: Request restriction of processing in certain circumstances
  • Portability: Receive your data in a structured, commonly used format
  • Objection: Object to processing for direct marketing or when the basis is legitimate interest
  • Withdraw consent: When processing is based on consent

To exercise these rights, contact: geral@wepuca.com. We will respond within 30 days.

You also have the right to lodge a complaint with your country's supervisory authority (in Portugal: CNPD).

7. Additional Rights (CCPA, LGPD)

California Residents (CCPA/CPRA)

If you reside in California, you have the right to: know what categories of personal data we collect; request deletion; opt out of the sale of your data (Wepuca does not sell personal data); not be discriminated against for exercising your rights.

Brazil Residents (LGPD)

Under the Brazilian General Data Protection Law, you have the right to confirmation, access, correction, anonymisation, portability, deletion and information about sharing of your data. You may revoke consent at any time.

8. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS/HTTPS), secure password storage (bcrypt hash), restricted access control and security monitoring. In case of a data breach that poses a risk to your rights, we will notify the supervisory authority and, where applicable, data subjects, within legal deadlines.

9. Minors

The Service is not intended for minors under 18. We do not intentionally collect data from minors. If you become aware that a minor has provided us with personal data, contact us so we can delete it.

10. Changes

We may update this Privacy Policy. Substantial changes will be communicated by email or through a notice on the Platform. The date of the last update is at the top of the document. Continued use of the Service after changes constitutes acceptance of the new version.

11. Contact

For privacy questions or to exercise your rights: geral@wepuca.com