Privacy Policy

WellDesk — welldesk.ai


1. Who We Are

WellDesk ("we", "us") operates the WellDesk platform at welldesk.ai — an online service that lets customers create an account and book appointments and services with independent businesses ("Shops").

We are established in Spain and operate as a sole trader (autónomo).

Data Controller: WellDesk
Privacy contact: [email protected]

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the WellDesk platform, and what rights you have under the EU General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD).

Please also read our Terms & Conditions, Legal Notice, and Cookie Policy, which together govern your use of the platform.


2. Our Role as Platform Operator vs. Shops

WellDesk is the data controller for your platform account and identity data, and for the operation of the platform itself.

Each Shop you book with is an independent data controller for the personal data it processes in order to fulfil and manage your booking and its own customer relationship with you. When you make a booking, we share the relevant booking details with that Shop so they can provide the service. How the Shop then uses your data is governed by that Shop's own privacy policy — we encourage you to read it.


3. What Personal Data We Collect

3.1 Account and identity data

  • Full name
  • Email address
  • Phone number
  • Password (stored in hashed form — we never store your plain-text password)

3.2 Booking data

  • Services booked, date and time, and which Shop
  • Any optional notes you provide when making a booking

3.3 Payment data

Payments on the platform are processed by Stripe. When you pay, your card details are entered directly with Stripe and are not transmitted to or stored by WellDesk. We retain only payment metadata: amount, currency, payment status, the last four digits of the card used, and Stripe's own transaction identifiers.

3.4 Technical and usage data

  • IP address
  • Device type and browser information
  • Log data (pages visited, timestamps, errors)
  • Cookies and similar technologies (see Section 9 and our Cookie Policy)

3.5 What we do NOT collect

We do not collect or store special-category (sensitive) personal data such as health information, medical notes, or allergies.


4. Why We Process Your Data and on What Legal Basis

Purpose | Legal basis (GDPR Art. 6)
Creating and managing your account | Art. 6(1)(b) — performance of a contract
Processing and managing your bookings | Art. 6(1)(b) — performance of a contract
Sharing booking details with the relevant Shop | Art. 6(1)(b) — performance of a contract
Processing payments via Stripe | Art. 6(1)(b) — performance of a contract
Sending transactional emails (booking confirmations, reminders) | Art. 6(1)(b) — performance of a contract
Maintaining accounting and tax records | Art. 6(1)(c) — legal obligation
Anti-money-laundering compliance | Art. 6(1)(c) — legal obligation
Security, fraud prevention, and abuse detection | Art. 6(1)(f) — legitimate interests
Improving and monitoring platform performance | Art. 6(1)(f) — legitimate interests
Non-essential cookies and analytics | Art. 6(1)(a) — consent
Marketing communications (if opted in) | Art. 6(1)(a) — consent

You may withdraw consent at any time for processing based on consent (Art. 6(1)(a)) by contacting us at [email protected] or using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.


5. Who We Share Your Data With

We do not sell your personal data. We share it only as described in this policy.

Recipient | Role | Purpose
Stripe Payments Europe, Ltd. | Processor | Payment processing via Stripe Connect
Twilio SendGrid | Processor | Transactional email delivery (booking confirmations, etc.)
Cloudflare R2 | Processor | File and object storage, CDN
DigitalOcean | Processor | Application hosting — data hosted in the EU (Amsterdam region)
Google | Processor | Map embeds displayed on Shop and booking pages
Relevant Shop(s) | Independent controller | Fulfilment and management of your booking

We require all processors to process your data only on our instructions and in accordance with applicable data protection law. Each Shop, as an independent controller, is responsible for its own compliance.


6. International Transfers

Some of our service providers — including Stripe, Twilio SendGrid, Cloudflare, and Google — may process personal data outside the European Economic Area (EEA), including in the United States. Where this occurs, we rely on appropriate safeguards, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
  • The EU-US Data Privacy Framework, where the recipient is certified.

Our application infrastructure (DigitalOcean) is hosted within the EU (Amsterdam region, AMS3), so your core account and booking data is stored in the EEA.

You can request further information about the safeguards in place by contacting us at [email protected].


7. How Long We Keep Your Data

Data category | Retention period
Account and booking data | For as long as your account is active
Account and booking data after closure | Deleted or anonymised, unless retention is required by law
Tax and accounting records | Up to 6 years, as required under Spanish commercial and tax law
Payment metadata | As required by applicable financial regulations
Log and technical data | Up to 12 months (rolling)

When retention periods expire, data is securely deleted or irreversibly anonymised.


8. Your Rights

Under GDPR and LOPDGDD you have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations
  • Restriction — ask us to limit processing while a dispute is resolved
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time for consent-based processing, without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.

Right to lodge a complaint: If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish supervisory authority:

Agencia Española de Protección de Datos (AEPD)
www.aepd.es
C/ Jorge Juan, 6, 28001 Madrid, Spain

9. Cookies

We use cookies and similar tracking technologies on the platform. Essential cookies are necessary for the platform to function and are placed without consent. Non-essential cookies (analytics, preferences) are only placed with your prior consent.

For full details of the cookies we use, their purposes, and how to manage your preferences, please read our Cookie Policy.


10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encrypted data transmission (HTTPS/TLS), hashed password storage, access controls, and regular security monitoring.

No method of transmission over the internet is completely secure. If you believe your account has been compromised, please contact us immediately at [email protected].


11. Children

The WellDesk platform is not directed at children under the age of 14. Under LOPDGDD Art. 7, users under 14 may only use the platform with the consent of a parent or person holding parental responsibility. If we become aware that we have collected personal data from a child under 14 without the appropriate consent, we will delete that data promptly. If you believe a child's data has been collected without proper consent, please notify us at [email protected].


12. Automated Decision-Making

We do not carry out any automated decision-making or profiling that produces legal effects or similarly significant effects on you.


13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a prominent notice on the platform, and we will update the "Last updated" date at the top of this document. We encourage you to review this policy periodically.

Continued use of the platform after changes take effect constitutes acceptance of the updated policy, to the extent permitted by applicable law.


14. Contact

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

WellDesk
Email: [email protected]


This Privacy Policy should be read together with the WellDesk Terms & Conditions, Legal Notice, and Cookie Policy.