Legal

Privacy Policy

Last updated: May 2026

This Privacy Policy explains what personal data Wanddy (operated by Wanbuffer) collects, how it is used, and the choices you have. We designed Wanddy so that the data you bring stays yours — this document tells you how we keep that promise.

1. Data we collect

Account data

When you sign up we store your name, email address, a hashed password, and the timestamps of account events (sign-up, sign-in, password change).

Integration credentials

If you connect third-party services (Shopify, Odoo, Gmail, HubSpot, etc.) we store the access tokens or API keys you provide. Credentials are encrypted at rest. We only use them to execute the requests you or your Buddies initiate.

Conversation content

Messages you send to Wanddy and the Buddies, along with their responses and any files you attach, are stored so you can review your history. You can delete any conversation at any time from the dashboard.

Usage & diagnostics

We record basic telemetry — feature counts, request latencies, error events — so we can improve reliability. This data is associated with your account but is not sold or shared with third parties.

2. How we use your data

  • To provide and operate the Service, including routing requests between Buddies.
  • To authenticate you and secure your account (login sessions, rate limits).
  • To send transactional email (verification, ticket confirmations, demo bookings) via Resend.
  • To answer support requests. Ticket content is accessible to a small support team.
  • To comply with legal obligations (tax records, law-enforcement requests backed by valid process).

3. AI processing

Wanddy uses third-party large-language-model providers to power Buddy responses. The content of your conversations is sent to those providers strictly to generate a response. We select providers that contractually agree not to train their public models on API traffic.

4. Data sharing

We share data only with the processors needed to run Wanddy:

  • Hosting & database — infrastructure providers in the EU/US.
  • LLM providers — for generating AI responses.
  • Email — Resend (resend.com) for transactional messages.
  • Payments — payment processors for subscription billing (if applicable).

We do not sell personal data. Ever.

5. Retention

Account and conversation data are retained while your account is active. On deletion, we remove personal data from production systems within 30 days. Encrypted backups are rotated out within 90 days. We retain invoices for the periods required by applicable tax law.

6. Your rights

Depending on your jurisdiction (EU/UK GDPR, California CCPA, etc.) you can:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export a machine-readable copy of your data.
  • Object to certain processing or withdraw consent for optional features.

To exercise any right, email [email protected] from the address on file. We reply within 30 days.

7. Security

  • TLS in transit, AES-256 encryption at rest for integration credentials.
  • Role-based access control for internal staff; audit logs on privileged actions.
  • Regular dependency updates and security reviews on change.

8. Connected platforms — Meta & Instagram

When you connect Instagram from Dashboard → Connectors → Instagram, Wanddy uses Meta's Instagram Business Login flow to request a narrow set of permissions on your Instagram Business or Creator account. This section describes exactly what we access, how we use it, and how to remove it.

Permissions requested

  • instagram_business_basic — read your Instagram account username, profile, and the list of media you have published, so we can display your account in the dashboard and identify which account you connected.
  • instagram_business_content_publish — publish posts, reels, or stories on your behalf, but only at the moment you (or a Buddy acting on your explicit instruction) click Publish in the Wanddy interface. Wanddy never auto-posts without your direct action.

What we store

We store only your encrypted Instagram access token, the Instagram Business User ID that owns it, and the username for display. We do not mirror or cache your Instagram media, comments, direct messages, or follower data on our servers. Content you draft inside Wanddy is held in your conversation history until you delete it.

What we do not do

  • We do not sell, rent, or trade your Instagram data to any third party.
  • We do not use your Instagram data to train any machine-learning model.
  • We do not access Instagram content beyond what is strictly required to fulfil the action you initiated in Wanddy.
  • We do not share your Instagram data with advertising networks or data brokers.

Disconnect & data deletion

You can disconnect Instagram at any time from Dashboard → Connectors → Instagram → Disconnect. Disconnecting immediately revokes the stored access token and removes it from our database.

If you remove the Wanddy app from your Instagram account settings instead, Meta notifies us via the deauthorize callback at /api/webhooks/instagram/deauthorize and we delete the corresponding tokens.

For a full erasure of all data we hold related to your Instagram account, submit a data-deletion request to /api/webhooks/instagram/data-deletion or email [email protected]. We confirm deletion within 30 days and return a tracking confirmation code.

Platform compliance

Wanddy's use of information received from Meta APIs adheres to the Meta Platform Terms and Meta Developer Policies, including the Limited Use requirements applicable to information obtained via Instagram Login.

9. Children

Wanddy is not directed at children under 16. If you believe a child has provided us personal data, email us and we will delete it.

10. Changes

We'll update this page when our practices change and note the revision date above. Material changes are communicated in-product or by email.

11. Contact

Privacy questions: [email protected].