Wayby Privacy Policy

Last updated: 23.2.2026

This Privacy Policy describes how Digital Labs Oy (“Wayby”, “we”, “us”, or “our”) processes personal data
in connection with the Wayby personalization and A/B testing service.

Wayby is operated by:

Digital Labs Oy
Business ID: 3001169-1
Heikkiläntie 103
42560 Pohjoisjärvi
Finland
Email: support(at)wayby.io

1. Scope of This Policy

This Privacy Policy applies to:

  • Personal data relating to our customers (website operators using Wayby).
  • Personal data processed through the Wayby personalization service on behalf of our customers.

When providing the Wayby service, Digital Labs Oy acts as a data processor on behalf of its customers,
who act as data controllers with respect to visitor data collected on their websites.

2. Categories of Personal Data

2.1 Customer Account Data (Controller Role)

When organizations register for and use Wayby, we process:

  • Company name
  • Contact person name
  • Email address
  • Billing information
  • Website ID
  • Contractual and service usage information
  • Communication records

We act as the data controller for this data.

2.2 Website Visitor Data (Processor Role)

When Wayby is implemented on a customer’s website, we process limited visitor-related data strictly on behalf
of the customer.

This may include:

  • Website ID
  • Page URL
  • Campaign identifier
  • Variant assignment (A/B test group)
  • Interaction events (e.g., impressions, clicks)
  • Truncated IP address (where used for security or approximate geolocation)
  • Browser and device metadata (e.g., user agent)

Wayby:

  • Does not store full IP addresses
  • Does not assign persistent visitor identifiers
  • Does not track users across sessions
  • Does not track users across campaigns
  • Does not link visitor behavior between different websites
  • Does not process special categories of personal data under Article 9 GDPR

All campaign tracking is isolated per campaign and per session.

3. Purpose of Processing

3.1 Customer Account Data

We process customer data to:

  • Provide and maintain the Wayby service
  • Manage customer accounts
  • Provide support
  • Invoice and manage billing
  • Communicate service updates
  • Ensure service security

3.2 Visitor Data (Processed on Behalf of Customers)

We process visitor data solely to:

  • Deliver personalization experiences
  • Conduct A/B testing
  • Measure campaign performance
  • Provide anonymized performance metrics
  • Maintain technical security

We do not use visitor data for advertising networks, cross-site tracking, or resale.

4. Legal Basis for Processing

4.1 Customer Account Data

Processing is based on:

  • Performance of a contract (Article 6(1)(b) GDPR)
  • Legitimate interest (Article 6(1)(f) GDPR), including service improvement and business communication
  • Legal obligations (e.g., accounting requirements)

4.2 Visitor Data

Website operators (our customers) determine the legal basis for processing visitor data on their websites.

Wayby processes visitor data strictly under a data processing agreement with the customer, in accordance with
Article 28 GDPR.

Depending on the customer’s implementation and jurisdiction, the legal basis may include:

  • Legitimate interest
  • Consent

Customers are responsible for ensuring compliance with applicable data protection and ePrivacy laws.

5. Cookies and Tracking Technologies

Wayby:

  • Does not use cookies for personalization
  • Does not assign persistent identifiers
  • Does not perform cross-session tracking
  • Does not perform cross-campaign tracking
  • Does not perform cross-site tracking

Wayby does not store or access information on a visitor’s device for tracking purposes beyond what is
technically necessary to deliver a campaign experience.

Website operators are responsible for determining whether consent mechanisms are required under applicable law.

6. Data Retention

6.1 Customer Account Data

Customer data is retained:

  • For the duration of the customer relationship
  • As required by accounting and legal obligations
  • For a reasonable period after termination for contractual and legal purposes

6.2 Visitor Data

Visitor-level campaign data is retained only for the period necessary to:

  • Measure campaign performance
  • Generate aggregated metrics
  • Maintain service integrity

Aggregated and anonymized statistical data may be retained for longer periods for analytical purposes.

We do not retain persistent visitor profiles.

7. Data Transfers

Wayby is hosted in Finland. Personal data processed by Wayby is stored within the European Union.

We do not transfer personal data outside the EU or EEA unless required by law or necessary for essential
service infrastructure under appropriate safeguards in accordance with GDPR.

8. Subprocessors

Where necessary, we may use carefully selected service providers for:

  • Hosting infrastructure
  • Cloud storage
  • Security monitoring
  • Email delivery
  • Payment processing

All subprocessors are bound by data processing agreements and appropriate confidentiality and security obligations.

An up-to-date list of subprocessors is available upon request.

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS)
  • Access control and authentication mechanisms
  • Role-based access restrictions
  • Secure hosting within the EU
  • Monitoring and logging of system access
  • Data minimization principles

Access to personal data is restricted to personnel whose job duties require it.

10. Data Subject Rights

Under the GDPR, individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure
  • Restrict processing
  • Object to processing
  • Request data portability (where applicable)
  • Lodge a complaint with a supervisory authority

Visitor Data Requests

Because Wayby acts as a data processor for visitor data:

  • Visitors should primarily contact the website operator (data controller).
  • Wayby will assist customers in fulfilling data subject requests where required by law.

Customer Account Data Requests

Requests concerning customer account data may be directed to:

support@wayby.io

We may request identity verification before fulfilling a request.

11. Automated Decision-Making

Wayby provides campaign-based personalization and A/B testing functionality.

Wayby does not perform automated decision-making that produces legal effects or similarly significant effects
within the meaning of Article 22 GDPR.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in legal requirements or service functionality.

The latest version will always be available at:

https://super-site.com/en/privacypolicy/

13. Contact

If you have questions about this Privacy Policy or our data processing practices, please contact:

Digital Labs Oy
Email: support(at)wayby.io