Privacy Notice
Version 1.0 | Effective 12 June 2026 | WeProof B.V., Voshage 21, 5258 XN Berlicum, the Netherlands | KvK 42031773
Important note. This Privacy Notice is intended to explain how WeProof handles personal data in connection with its website and review platform. It is designed to work alongside the WeProof Terms and Conditions and the WeProof Data Processing Agreement. Where the customer acts as controller for project and review data, WeProof generally acts as a processor on that customer's behalf.
1. Who this Privacy Notice covers
This Privacy Notice applies to the following categories of individuals:
- visitors to weproof.studio and related product pages;
- individuals who create or use a WeProof account as part of an organisation;
- external reviewers who access assets through personal invitation links;
- representatives of prospective or existing business customers who communicate with WeProof.
2. Who we are
Controller for website and account-level data. For personal data processed for WeProof's own business purposes, such as account administration, support, billing preparation, service security, and legal compliance, the controller is WeProof B.V., a private limited liability company incorporated under the laws of the Netherlands, with its registered office at Voshage 21, 5258 XN Berlicum, the Netherlands, registered with the Dutch Chamber of Commerce (KvK) under number 42031773. Privacy contact details are set out in section 14 of this Privacy Notice.
Processor for customer content. When business customers use WeProof to upload assets, invite reviewers, collect comments, and manage approvals, the customer is generally the controller of the project-related personal data and WeProof acts as processor under the applicable Data Processing Agreement.
3. What personal data we collect
Depending on how you interact with WeProof, we may process the following categories of personal data.
| Category | Examples | Typical source |
|---|---|---|
| Account data | Full name, work email address, hashed password, organisation role, login verification details | Provided by the user or organisation admin |
| Reviewer data | Name, email address, invitation status, review decisions, comment authorship | Provided by the inviting customer and the reviewer |
| Organisation data | Organisation name, organisation logo, subscription status, trial end date, internal admin notes | Provided by the customer or generated within the service |
| Project and file data | Uploaded files, filenames, file type, size, timestamps, version numbers, thumbnails, stream status for video | Uploaded by the customer or its users |
| Feedback and collaboration data | Comments, threaded replies, visual annotations, timestamps, approvals, request-changes decisions | Created by users and reviewers |
| Usage and log data | Review page visits, user activity summaries, project status changes, technical request metadata that may include IP address or device information | Generated automatically when the service is used |
| Payment and subscription data | Plan type, billing status, future Stripe customer ID, invoice history and payment status | Generated by WeProof and payment providers |
4. Why we process personal data
We process personal data only where we have a valid legal basis under applicable data protection law. The main purposes and legal bases are set out below.
| Purpose | Examples of processing | Legal basis typically relied upon |
|---|---|---|
| Providing and securing the service | Account creation, authentication, permission management, review workflows, comments, invitations, file handling, anti-abuse and service integrity controls | Performance of a contract; legitimate interests in maintaining a secure business service |
| Customer support and account management | Responding to support requests, diagnosing incidents, handling admin requests, maintaining customer records | Performance of a contract; legitimate interests in operating and improving the service |
| Reviewer communications | Sending invitation emails, notifying reviewers of new versions, notifying owners of review decisions | Performance of a contract; legitimate interests in enabling the review workflow requested by the customer |
| Service analytics and improvement | Internal reporting on project progress, member activity, feature usage, bug fixing, service planning | Legitimate interests in improving and managing the platform |
| Billing and financial administration | Managing plans, trials, subscription status, invoices, VAT handling, payment reconciliation | Performance of a contract; legal obligations; legitimate interests in business administration |
| Legal compliance and dispute handling | Complying with legal requests, enforcing contracts, keeping records needed for legal or tax purposes | Legal obligation; legitimate interests in defending legal claims |
No sale of personal data. WeProof does not sell personal data and does not use project or reviewer data for advertising purposes.
5. Special note for invited reviewers
Reviewers are often invited by a WeProof customer without creating a full account. In that context:
- the customer determines who is invited and for which project or file;
- WeProof processes reviewer identity and review activity primarily to provide the review workflow requested by the customer;
- review decisions, comments, and annotations are visible to the customer users who manage the relevant review process;
- the customer remains responsible for its own legal basis for inviting reviewers and for any customer-side notices that may apply.
6. How we share personal data
We may share personal data with service providers that support the operation of WeProof. These providers act as processors or subprocessors under contractual safeguards, as applicable. These currently include:
- Vercel for hosting and deployment (compute pinned to the EU, Frankfurt region);
- Supabase for database infrastructure;
- Cloudflare R2 for file storage (EU jurisdiction);
- Cloudflare Stream for video transcoding and playback;
- Resend for transactional emails;
- GitHub for source code hosting and collaboration;
- Stripe, once billing goes live, for payment processing, customer billing data, invoicing, and tax support.
We may also disclose personal data where required by law, necessary to protect rights or security, or in connection with a corporate transaction such as a merger, financing, or asset sale, subject to appropriate confidentiality measures.
7. International transfers
Some of the providers used in connection with WeProof may process personal data outside the European Economic Area, including in the United States, or may operate global infrastructure. Where personal data is transferred internationally, WeProof will rely on an approved transfer mechanism where required, such as the European Commission's Standard Contractual Clauses, adequacy decisions, or another lawful transfer basis.
EU regional measures. WeProof has implemented EU regional controls for its core infrastructure: application compute is pinned to an EU region (Frankfurt), the primary database is hosted in the EU (Ireland), and file storage uses Cloudflare R2 with EU jurisdiction. Certain providers, such as Cloudflare Stream for video transcoding and Resend for transactional email, may involve processing outside the EEA, in which case the transfer mechanisms described above apply.
8. How long we keep personal data
We keep personal data only for as long as necessary for the purposes described in this Privacy Notice, taking into account contractual needs, support needs, legal obligations, dispute risk, and security requirements. Retention periods may differ depending on the data type and the customer plan.
- account and organisation records are generally retained while the customer relationship remains active and for a limited period afterwards where needed for support, billing, legal, or security reasons;
- project files, reviewer comments, annotations, and approval records are retained in line with the customer's service use and any deletion settings or contractual retention windows;
- where a customer account is cancelled, WeProof may apply a short post-termination retention window before deletion in order to allow recovery requests, export, or operational processing; the exact production retention settings remain to be finalised;
- backup data may persist for a limited additional period until overwritten in the ordinary backup cycle;
- where law requires longer retention, for example for tax or accounting purposes, relevant records may be retained for that period.
9. Security
WeProof uses technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, or disclosure. Measures currently in place include encrypted transport over HTTPS, encryption at rest provided by relevant infrastructure providers, hashed passwords (bcrypt), role-based access controls with centralised server-side permission checks, database row-level security, session invalidation on password reset and account suspension, personal reviewer invitation links with server-side reviewer authorisation, and strict separation between internal feedback and client-facing review views.
WeProof continues to mature its security controls as the platform develops. Planned enhancements include multi-factor authentication for privileged users, more formal monitoring and incident handling procedures, security header hardening, and rate limiting.
10. Your privacy rights
Depending on your location and the circumstances of the processing, you may have rights to request access to your personal data, rectification, erasure, restriction, objection, portability, or to withdraw consent where consent is the legal basis. You may also have the right to lodge a complaint with a supervisory authority.
Where WeProof acts as a processor for a customer, requests relating to project or reviewer data may need to be directed to the relevant customer first. WeProof may assist the customer as required under the applicable Data Processing Agreement.
11. Cookies and similar technologies
WeProof uses technically necessary cookies or similar technologies to keep users signed in, maintain session security, remember essential preferences, and support basic service functionality. WeProof does not use advertising or marketing cookies. If non-essential analytics or marketing cookies are introduced in the future, this Privacy Notice and any required cookie disclosures or consent mechanisms will be updated before those technologies go live.
12. Children
WeProof is a business service and is not directed to children. We do not knowingly seek to collect personal data directly from children through the service.
13. Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in the service, legal requirements, or operational practices. The latest version should be published at a fixed URL, such as weproof.studio/privacy, together with its effective date. Where legally required, material changes will be communicated through an appropriate channel.
14. Contact details
For privacy questions, requests, or complaints, please contact:
| Company | WeProof B.V. |
| Registered office | Voshage 21, 5258 XN Berlicum, the Netherlands |
| Business address | Voshage 21, 5258 XN Berlicum, the Netherlands (KvK 42031773) |
| Email | privacy@weproof.studio |
| Supervisory authority | Dutch Data Protection Authority (Autoriteit Persoonsgegevens), autoriteitpersoonsgegevens.nl |