Privacy Policy

w SpA, doing business as wicadu (wicadu, we, our, us), provides a software-as-a-service tool that lets customers to manage their stores online and related services (the Services)

Legal entity: w SpA, a company organized under the laws of Chile. Registered brand: "wicadu" in Chile

Contact: w SpA `77 (dot) 695 (dot) 519 (dash) 7`, Cerro El Plomo 5931 - Office 1213, Región Metropolitana, Chile. Privacy/DPO contact: privacy (at) wicadu (dot) com

This Policy also includes important notices about user-generated content and intellectual property because our service allows users to upload content (for example, item images and product media)

"Personal data" means information that identifies or can reasonably be linked to an individual

"Customer" or "Merchant" is an organization or person who creates a wicadu account to run a store

"End customer" is a person who shops at or interacts with a store operated by a Customer

"Controller": We act as a controller for personal data we collect about prospects, account owners, and website/app users

"Processor/Service Provider": We act as a processor (service provider/contractor) for personal data we process on behalf of Customers about their own End customers in connection with stores built on wicadu. In that case, the Customer is the controller, and we process according to our Data Processing Addendum (DPA) and their documented instructions

Account and profile data: name, business details, email, phone, login identifiers, role/permissions, and communications with us

Billing and payment data: plan details, transaction identifiers, VAT/Tax info, invoice history. Payment instrument details are handled by our payment provider(s) and not stored in full by us

Store and content data: settings, products, themes, templates, media uploads (including images), third-party app connections, and logs

Technical and usage data: device info, IP address, timestamps, pages and features used, diagnostics, crash logs, and security indicators

Cookies and similar technologies: for essential operations, analytics, security, and (where permitted) ads/marketing. See "Cookies and tracking; your choices

Provide and secure the Service: create and maintain accounts; host stores, authenticate users, prevent fraud and abuse; monitor, debug, and improve performance. Legal bases: contract necessity; legitimate interests; compliance

Customer support and communications: respond to inquiries, send service notices, and plan product changes. Legal bases: contract necessity; legitimate interests

Marketing: send newsletters, product updates, and promotions; personalize content and measure performance; show interest-based ads where permitted by law. Legal bases: consent where required; legitimate interests otherwise. You can opt out at any time (see "Your choices")

Compliance and enforcement: meet legal obligations, enforce terms, protect our IP and the rights of others, and address disputes or claims. Legal bases: compliance with law; legitimate interests; establishment/exercise/defense of legal claims

We use: Strictly necessary cookies for security, login, load-balancing, and core features; Analytics cookies to understand usage and improve the Service; and Advertising/marketing technologies to deliver and measure campaigns, where legally permitted

Choices: Cookie banner and settings to manage non-essential cookies; Browser controls to block or delete cookies via your browser; essential features may break if you block essential cookies; and California and certain US state rights: you can opt out of "sale" or "sharing" of personal information used for cross-context behavioral advertising via our "Do Not Sell or Share My Personal Information" link and by enabling Global Privacy Control (GPC), which we honor where required. See "US state disclosures." For definitions and rights under California law, see CA Attorney General and CPPA guidance

Email and in-product messages: We may send you product news and promotions. You can unsubscribe at any time using the link in the message or through account settings. We may still send transactional or service notices

Targeted ads: If we engage in targeted ads, we will provide required disclosures and opt-outs. We do not knowingly serve targeted ads to children

We will not use End customer data we process as a processor for our own independent marketing unless expressly permitted by our Customer in compliance with applicable law

Your responsibility for uploads: You must own or have all rights and licenses necessary to upload any content to wicadu, including images, logos, product photos, videos, text, and data; Do not upload any content that infringes or violates copyrights, trademarks, publicity, privacy, or other rights. You are solely responsible for all content you upload therefore you will bear all consequences, including third-party claims, government investigations, or damages; and We may remove or disable access to any content, suspend or terminate accounts, and report suspected unlawful activity to authorities or rights holders

Takedown process: If you believe content on a wicadu-powered store infringes your rights, contact `copyright (at) wicadu (dot) com` with sufficient detail (URLs, proof of ownership, and your contact info). If you are in the United States, you may send a notice consistent with the DMCA, we will process copyright complaints and, where applicable, notify our Customer and/or remove the content

wicadu software and brand: The wicadu platform, documentation, templates, and all related IP are owned by w SpA or its licensors. We grant Customers a limited, non-exclusive, non-transferable, revocable right to access and use the SaaS while an active plan is in effect. We do not sell our software or any IP. All rights not expressly granted are reserved

Merchant of Record and payments: For some transactions we use Paddle as our Merchant of Record and/or payment provider. Paddle may act as a controller for buyer data it processes to complete purchases and for tax and compliance; Paddle may share necessary buyer data with us to fulfill orders and support. See Paddle's privacy and GDPR materials for details

Identity/authentication and infrastructure: We use reputable vendors as subprocessors, including: Auth0/Okta (identity and authentication), which processes user profile data and maintains a published list of subprocessors; Cloudflare (security, CDN, DDoS mitigation); Amazon Web Services and/or Microsoft Azure (hosting and cloud infrastructure); and OpenAI (AI services)

We will maintain a current list of material subprocessors and notify Customers of material changes as required by our DPA. Customers may object in accordance with the DPA

We are based in Chile and use global service providers. Your data may be transferred to and processed in countries outside your own, including the United States and the European Economic Area

We implement appropriate safeguards for international transfers as required by applicable law (for example, standard contractual clauses where applicable for EU/UK data; contractual and technical measures; and, for Chilean residents, mechanisms recognized under Chile's data protection framework)

Note on Chile: Chile enacted Law 21.719 on the Protection of Personal Data (LPPD), published on December 13, 2024, with full effect after a 24-month vacatio legis (expected December 1, 2026). The LPPD strengthens rights, creates a Data Protection Agency, and regulates cross-border transfers. We will align our practices with the LPPD by its effective date

We share personal data with: Service providers/subprocessors under contract who help us operate, secure, support, and bill for the Service; Payment partners and resellers (e.g., Paddle) to process purchases, handle taxes, prevent fraud, and provide support; Third-party integrations you choose to connect to your store or account; and Professional advisors (lawyers, accountants), authorities, or counterparties when necessary to comply with law, enforce our terms or protect rights, or in connection with corporate transactions (e.g., merger, financing)

We do not sell your personal information for money. Where "sale or "sharing" under US state laws includes certain advertising or analytics disclosures, we provide required opt-outs. See "US state disclosures."

We keep personal data for as long as needed to provide the Service, comply with law (e.g., tax, accounting, fraud prevention), resolve disputes, and enforce agreements. Typical examples: Account data is retained while your account is active and for a reasonable period afterward for recordkeeping and legal compliance; Billing records are retained for up to 7-10 years where required by tax or financial regulations; or Logs and security/diagnostic data are retained for short, necessity-based periods unless needed to investigate issues or fulfill legal obligations

When data is no longer needed, we delete or irreversibly de-identify it, subject to technical constraints and backup retention

We implement appropriate technical and organizational measures, including encryption in transit, access controls, network security, monitoring, vulnerability management, and employee confidentiality obligations. We also leverage infrastructure and security capabilities from providers like Auth0, Cloudflare, AWS, and Azure. No method of transmission or storage is 100% secure, but we strive to protect your data and promptly address incidents in line with legal requirements

Chile: You may have rights of access, rectification, suppression (erasure), opposition, portability, and blocking, among others recognized by Law 21.719 and its regulations. We will honor these rights in accordance with applicable law and timelines. Until the LPPD is fully in force, we will also consider applicable obligations under existing Chilean law

EEA/UK (GDPR): Where GDPR applies, you may have rights of access, rectification, erasure, restriction, portability, and objection; you may withdraw consent where processing is based on consent; and you may lodge a complaint with your supervisory authority. We identify our GDPR legal bases in Section 5

US state disclosures (including California): California consumers have rights under the CCPA as amended by the CPRA, including the rights to know, access, delete, correct, and to opt out of "sale" or "sharing" of personal information and of certain profiling/targeted ads, as applicable. We also honor authorized agents and do not discriminate for exercising rights. We comply with CPRA/CCPA regulations, including recognition of browser-based opt-out signals (GPC) where required. Other US states have enacted privacy laws that provide similar rights; where those laws apply to us, we will facilitate your requests accordingly

Exercising your rights: Use wicadu Help Center or email `privacy (at) wicadu (dot) com`. We will verify your identity (and, where applicable, your authorized agent) before acting on requests

Our Service is not directed to children. In Chile, we do not knowingly allow those under 14 to create accounts without appropriate consent. In the United States, we do not knowingly collect personal information from children under 13. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete such data consistent with applicable law

We process End customer personal data only on documented instructions in our DPA (including to operate, secure, and support the store)

We impose confidentiality and security obligations on our personnel and subprocessors and enter into appropriate contracts with subprocessors (see Section "Our role with payments and providers")

We assist Customers in responding to data subject requests and in meeting obligations for security incidents and impact assessments, where required by law

We will notify Customers of security incidents without undue delay as required by the DPA and applicable law

The Service may link to or integrate with third-party sites and apps. Their privacy practices are governed by their own policies. Please review those policies before enabling integrations or sharing data with them

This Privacy Policy, and any dispute arising from or relating to it or the use of the SaaS, will be governed by and construed in accordance with the laws of Chile, without regard to conflict-of-laws rules. Any claim or proceeding shall be brought exclusively in the courts of Santiago de Chile, and you consent to the jurisdiction and venue of those courts

We may update this Policy from time to time. If we make material changes, we will notify you by posting the revised Policy and updating the "Last updated" date, and, where required, by additional notice or consent

Privacy/Data Protection Officer: `privacy (at) wicadu (dot) com`

Postal: w SpA `77 (dot) 695 (dot) 519 (dash) 7`, Cerro El Plomo 5931 - Office 1213, Región Metropolitana, Chile

For copyright complaints: `copyright (at) wicadu (dot) com`

Effective date: August 21, 2025

Last updated: August 21, 2025