Privacy Policy

We collect information in the following categories:

Information you provide directly

• Identifiers — name, email address, phone number, business name.
• Commercial information — project details, service preferences, and inquiry contents.
• Payment information — billing address and payment method, processed exclusively by Stripe. We never store full card numbers on our servers.
• Communications — emails, messages, and feedback you send us.

Information collected automatically

• Internet / network activity — IP address, browser type and version, operating system, referring URLs, pages visited, time on page, and clickstream data.
• Device information — device identifiers and screen resolution.
• Cookies and similar technologies — see Section 07 for full details.

Information from third parties

• If you contact us via social media or a referral partner, we may receive basic profile information in accordance with that platform's privacy settings.

We do not collect sensitive personal information such as Social Security numbers, driver's license numbers, precise geolocation, racial or ethnic origin, health data, or biometric identifiers.

We use the personal information we collect for the following business and commercial purposes:

• To respond to inquiries and provide quotes or proposals
• To deliver, manage, and improve our web design and development services
• To process payments and send invoices, receipts, and order confirmations
• To communicate about your project — status updates, revision requests, and delivery notifications
• To send service-related administrative notices (we do not send unsolicited marketing emails)
• To analyze website usage and improve site performance and user experience
• To detect, investigate, and prevent fraudulent or unauthorized activity
• To comply with applicable legal obligations and enforce our agreements

We will not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects without your explicit consent.

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases as defined by GDPR Article 6:

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interests at any time — see Section 06.

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

Service providers (processors)

• Stripe — payment processing. Stripe is PCI DSS Level 1 certified. Your card data flows directly to Stripe and never passes through our servers. Stripe Privacy Policy →
• Supabase — secure cloud database for storing project submissions and client records. Data is stored in encrypted form with Row Level Security. Supabase Privacy Policy →
• Google Analytics — anonymous, aggregated website analytics. We have enabled IP anonymization. Google Privacy Policy →
• Email service provider — for transactional emails such as project confirmations and invoices.

Legal requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of others.

Business transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or a prominent notice on our website at least 30 days before such a transfer takes effect.

All third-party service providers are bound by data processing agreements and are contractually prohibited from using your data for any purpose other than providing services to us.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:

Right to Know (Access)

You have the right to request that we disclose: (1) the categories of personal information we have collected about you; (2) the categories of sources; (3) the business or commercial purpose for collecting it; (4) the categories of third parties with whom we share it; and (5) the specific pieces of personal information we have collected about you.

Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal obligations, or security purposes).

Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing

We do not sell personal information, nor do we share it for cross-context behavioral advertising. You therefore do not need to opt out. If this practice changes, we will update this policy and provide a “Do Not Sell or Share My Personal Information” link on our homepage.

Right to Limit Use of Sensitive Personal Information

We do not collect or process sensitive personal information as defined by the CPRA beyond what is strictly necessary to provide the services you have requested.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny services, charge different prices, or provide a different quality of service based on your exercise of these rights.

How to Submit a Request

To submit a verifiable consumer request, contact us at support@wevyst.com with the subject line “California Privacy Request.” We will respond within 45 days. If we need more time, we will inform you of the reason and extension (up to 90 days total). You may designate an authorized agent to make a request on your behalf; we will require written proof of authorization.

Shine the Light (California Civil Code § 1798.83)

California customers may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures. To make a request under this law, email us at support@wevyst.com.

Categories collected in the past 12 months

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR (and UK GDPR respectively):

• Right of access (Art. 15) — obtain a copy of your personal data and information about how it is processed.
• Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
• Right to erasure / “right to be forgotten” (Art. 17) — request deletion of your data where there is no compelling reason for continued processing.
• Right to restriction of processing (Art. 18) — request that we limit processing in certain circumstances.
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transmit it to another controller.
• Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing at any time.
• Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
• Rights related to automated decision-making (Art. 22) — not be subject to solely automated decisions that significantly affect you.

International data transfers

Our primary service providers (Stripe, Supabase) may process data in the United States. Where we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place — including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions where applicable.

How to exercise your rights

Submit requests to support@wevyst.com with the subject line “GDPR Data Request.” We will respond within 30 days (extendable by two further months for complex requests). We may need to verify your identity before fulfilling your request.

Right to lodge a complaint

You have the right to lodge a complaint with your local supervisory authority. In the EU, you can find your authority at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).

We use cookies and similar technologies (web beacons, pixels) on our website. A cookie is a small text file placed on your device.

You can control cookies through your browser settings. To opt out of Google Analytics specifically, use the Google Analytics Opt-out Browser Add-on. Note that disabling certain cookies may impact site functionality.

For EEA/UK visitors, we will request your consent before placing non-essential cookies.

We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required by law.

You may request earlier deletion at any time (subject to legal retention requirements) by contacting support@wevyst.com.

We implement appropriate technical and organisational measures to protect your personal information against accidental loss, unauthorised access, alteration, disclosure, or destruction. These include:

• TLS/HTTPS encryption for all data in transit
• Encryption at rest for database records via Supabase
• Row Level Security (RLS) policies restricting database access
• PCI DSS-compliant payment processing via Stripe
• Access controls and staff confidentiality obligations

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Article 33–34.

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Our services are not directed to individuals under the age of 16 (or under 18 in jurisdictions that require a higher age for consent). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@wevyst.com and we will delete it promptly.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Notify active clients by email at least 14 days before changes take effect
• Where required by law, obtain your consent before the new policy applies to you

We encourage you to review this policy periodically. Your continued use of our services after changes become effective constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For GDPR-related matters, you may also contact us as the data controller. If you are unsatisfied with our response, you have the right to contact your local data protection authority.