Loading the page...

Privacy and Security Contact

Wonderchat Security Team

📧 [email protected]

Make a data request

Submit Request  â†’

Data Processing Agreement (DPA)

View DPA  â†’

Compliance Checklist

Lawful Basis and Transparency
Status Task Description
Completed Have a legal justification for your data processing activities.

Processing of data is illegal under the GDPR unless you can justify it according to one of six conditions listed in Article 6. Our legal grounds for justification of our data processing activities can be found in our privacy policy Privacy Policy. Our GDPR page also documents our approach to navigate the GDPR Wonderchat and the GDPR, including giving data subjects the ongoing opportunity to revoke consent.

Completed Provide clear information about your data processing and legal justification in your privacy policy.

Information about how Wonderchat collects your data and why we collect your data can be found here (Wonderchat and the GDPR). You should explain how the data is processed, who has access to it, and how you're keeping it safe. Our legal grounds for justification of our data processing activities can be found in our privacy policy Privacy Policy

Data Security
Status Task Description
Completed Take data protection into account at all times, from the moment you begin developing a product to each time you process data.

We adhere to the principles of "data protection by design and by default," including implementing "appropriate technical and organizational measures" to protect data. The processing of personal data on Wonderchat adheres to the data protection principles outlined in Article 5. We take technical measures including encryption, and organizational measures such as limiting the amount of personal data we collect or deleting data we no longer need to ensure data protection is something we keep in mind.

Completed Have a process in place to notify the authorities and your data subjects in the event of a data breach.

If there's a data breach and personal data is exposed, we have a security protocol in place in accordance to to notify the supervisory authority in your jurisdiction within 72 hours. Our protocol involves notifying the Office of the Data Protection Commissioner in Ireland in the most immediate timeline possible. We will also notify and communicate data breaches to our data subjects unless the breach is unlikely to put them at risk (for instance, if the stolen data is encrypted).

Completed Encrypt, pseudonymize, or anonymize personal data wherever possible.

Our core database and software providers encrypt all information related to personal data. end-to-end encryption. We do not store passwords for our users. The GDPR requires organizations to use encryption or pseudeonymization whenever feasible.

Accountability and Governance
Status Task Description
Completed Designate someone responsible for ensuring GDPR compliance across your organization.

We have a designated individual within the organization repsonsible for GDPR compliance. You may reach out to them at [email protected] for more information.

Completed Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.

We have data processing agreements signed with third party organizations that provide personal data on our behalf. This includes any third-party services that handle the personal data of your data subjects, including analytics software, email services, cloud servers, etc. The vast majority of services have a standard data processing agreement available on their websites for you to review. They spell out the rights and obligations of each party for GDPR compliance.

Privacy Rights
Status Task Description
Completed It's easy for your customers to request and receive all the information you have about them.

All our customers can request for a copy of the information we store about them, with a right to know how long you plan to store their information and the reason for keeping it that length of time. THe first copy of this information will be available for free but subsequent copies will be charged at a fee. Before you request for a copy of your information, kindly ensure that your identity can be verified before we can process your data request. All such requests will be complied to within a month. More information can be found in our page Wonderchat and GDPR and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time. You have to send them the first copy of this information for free but can charge a reasonable fee for subsequent copies. Make sure you can verify the identity of the person requesting the data. You should be able to comply with such requests within a month.

Completed It's easy for our customers to request to have their personal data deleted.

All our customers have the right have their personal data deleted. Kindly contact us if you wish to delete your data and we will proceed to do so within a month as long as you can verify your identity as the true owner of the personal data.

Completed It's easy for your customers to ask you to stop processing their data.

Our data subjects can request to restrict or stop processing of their data if certain grounds apply, mainly if there's some dispute about the lawfulness of the processing or the accuracy of the data. We will honor their request within about a month. While processing is restricted, we will still be allowed to keep storing their data. Our data subjects will be notified before we begin processing their data again.

Completed It's easy for your customers to object to you processing their data.

For the processing their data for the purposes of direct marketing, our customers all have the ability to unsubscribe to our emails.


In order to provide its services, Wonderchat may engage third parties or other members of the Wonderchat corporate group (affiliates) to carry out data-processing activities that involve access to customer data. These organizations, called “subprocessors,” are identified below with their locations and the types of services they provide to Wonderchat.

Name Country Description Type of Service Mandatory
Paddle United States B2B and B2C software companies around the globe use Paddle to offload operational complexities so they can focus on growth. Paddle provides more than just the plumbing for your revenue. As a merchant of record, we take care of fraud, sales tax compliance, billing support and more. Technology Required
Postmark App United States Postmark App is an email service provider. You can read more about its GDPR compliance here. https://postmarkapp.com/eu-privacy Email Provider Required
BentoNow Australia BentoNow is an email service provider. You can read more about its GDPR compliance here https://bentonow.com/legal/privacy Email Provider Required
Render Web Hosting United States Render is a hosting provider with servers located in Frankfurt, Germany. Read more about their GDPR Compliance policy here: https://trust.render.com/ Cloud Hosting Provider Required
Supabase United States Supabase is an open source Firebase alternative database provider. Read more about their GDPR Compliance policy here: https://supabase.com/privacy Cloud Hosting Provider Required
Retool Inc. United States Software Customization and Development. Read more about their privacy policy here: https://docs.retool.com/legal/privacy-policy Technology Required
Open AI LLC. United States Provision of natural language processing and generation services Technology Required
Keywords AI United States Provision of natural language processing and generation services Technology Optional
Anthropic PBC United States Provision of natural language processing and generation services Technology Optional
Cohere Inc Canada Provision of natural language processing and generation services Technology Optional


Please see our frequently asked questions below. Please keep in mind that this is not legal advice and we recommend consulting with your internal compliance team or privacy attorney for guidance on compliance matters. Wonderchat is committed to helping our customers comply with applicable laws, but we cannot guarantee that your use of our products will be fully compliant. As always, we recommend seeking professional legal counsel for any specific questions or concerns.

Should I get consent from a customer to collect their personal data?

While it is always good practice to receive explicit consent from your customer, certain laws and regulations (such as the GDPR) require consent prior to collecting personal data of certain individuals (such as those in the EU).

It is also important to note that under GDPR, consent is one of a number of legitimate interests for processing data. Others include the need to process for the performance of a contract, the need to process in order to comply with a legal obligation, and the need to process in order to protect the vital interests of the data subject or another natural person. Full details can be found in Article 6 of GDPR.

Can I modify a customer’s personal data?

Yes, you can modify all data to correct personal data as required by GDPR when you receive a Subject Access Request, or for other reasons. Simply contact us and we will work with you to make the adjustments.

Can I delete personal data?

Yes, you can delete any data, including data that contains personal data, as required by GDPR. You can also remove all other requested customer data by sending us a data request.

Is personal data permanently deleted when I remove it?

A deleted data or person is initially flagged for deletion, and may be recovered by our team upon request. After 7 days, the deletion becomes permanent and unrecoverable.

How long is personal data retained in Wonderchat if I don’t delete it?

Wonderchat’s philosophy is that customers own and control all the data they collect. Any retention period required by law or your company policy is controlled by you.

You should ensure that all people and personal data are deleted prior to stopping your usage of Wonderchat, especially if required by policy, law, or regulation.

Does my data get included in backups, and if so, for how long?

Yes. Wonderchat backs up all customer data, and retains the backups for 7 days. After 7 days, the backup is deleted.

Can I delete customer’s personal data from Wonderchat backups?

No. The backup dataset contains all customer data, and is used for disaster recovery purposes only. This is required for legal and compliance reasons related to availability obligations. Any personal data in these backups will be permanently deleted after 7 days.

If my data centre is located in the EU, does Wonderchat transfer my personal data outside the EU at any point?

No. We do not transfer personal data outside of the EU as our servers and processors are all based in Germany.

Does Wonderchat ensure that my data is accessed only by employees with reasonable justification for doing so?

As required by GDPR, only qualified Wonderchat employees with a specific need are permitted to access your account. The typical reason for accessing your account would be upon your specific request for support.

Does Wonderchat use sub-processors that process my data?

Wonderchat presently uses sub-processors to provide the service. As required by GDPR, Wonderchat maintains a list of those sub-processors here.

If a data breach occurs with the Wonderchat platform that affects my data, how and when will I be notified?

If a confirmed data breach occurs that is caused by Wonderchat’s actions or inactions, we will, without undue delay, notify the account owner. Information about the breach will be released as it becomes available, as allowed by GDPR. The account owner will be the main point of contact for all notifications, and will be kept aware of the investigation and remediation efforts as they progress.

How can I comply with a Subject Access Request and portability as required by GDPR?

As you know about the data you are collecting, you are responsible for handling any Subject Access Request (SAR). Wonderchat only provides the platform and wouldn’t know the details about your customizations, properties, or your customers.

A SAR means that a customer is asking about information being collected about him or her. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond to a SAR.

Data may be downloaded in industry-standard formats for data portability to comply with GDPR.

If Wonderchat receives a SAR, it will do its best to contact the owner. It may not always be possible to know what who the rightful owner is.

How do I comply with a Subject Access Request to “be forgotten?”

Similar to the above, you know what data you have. If you collected personal data of an EU citizen or a person residing in the EU, you may have a legal obligation to respond and comply with a request to delete all identifiable data.

As previously stated, you have the ability to delete a customer's data.

How does Wonderchat comply with its GDPR obligations to return or destroy all EU personal data?

Wonderchat provide easy ways to download all your data in industry-standard formats. And, as previously described, you may easily delete data, and entire chatbots and chat histories for your customers.

How does Wonderchat comply with its GDPR obligations to encrypt personal data?

All data stored in our primary databases and backups are encrypted using an industry standard strong cipher. All data transmitted to the Wonderchat platform are encrypted using the industry standard TLS protocol.

How can I ensure my customers that Wonderchat security meets applicable law and the GDPR (Article 32)?

Wonderchat is committed to safeguarding your data. We use sophisticated controls during processing to maintain the confidentiality, integrity, availability, and resilience of your data. Our Security page outlines the details of our application security, network security, policies, and more.

As related to Article 28 in the GDPR, Wonderchat will only process personal data according to your instructions. In other words, the commands you use in the product are the “instructions,” and Wonderchat does not use personal data for any other means. In addition, it does not transfer personal data to a third party without your consent.

Wonderchat has developed recovery procedures to minimize downtime related to a disaster, with the ability to restore access to personal data in a timely manner in the event of a physical or technical incident.

We regularly test, assess and evaluate the effectiveness of our technical and organizational measures to ensure the security of the processing.

GDPR compliance powered by ComplyDog