Privacy Policy

What we collect, why we collect it, how we use and share it, how long we keep it, and what rights you have under US and EU privacy law.

Effective: January 23, 2026 · Version 1.0 · Last updated 2026-05-28

1. Introduction

Whitecap Data LLC ("Whitecap Data," "we," "us," or "our") operates the website at whitecapdata.com, the authentication gateway at login.whitecapdata.com, and the tenant analytics dashboard at cana.whitecapdata.com (collectively, the "Services"). This Privacy Policy describes what personal information we collect, why we collect it, how we use and share it, how long we keep it, and what rights you have.

This policy applies to all visitors to whitecapdata.com and all authorized users of the Whitecap Data dashboard.

If you are a California resident, see Section 12 for additional disclosures required under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). If you are an EU, UK, or Swiss resident, see Section 13b for your rights under the GDPR / UK GDPR / Swiss FADP.

This policy does not apply to information we process solely on behalf of our business customers as a data processor. Those arrangements are governed by a separate Data Processing Agreement (DPA) executed with each customer.

Contact for any privacy question: privacy@whitecapdata.com, or write to Whitecap Data LLC, 19 Columbia Street, Geneva, NY 14456.

2. Information We Collect

We collect information in three ways: information you provide to us, information collected automatically, and information received from third parties.

2a. Information You Provide

CategoryExamplesWhen
Contact-form submissionsName, email, business name, message textMarketing-site contact form
Account credentialsEmail address, password (managed by Clerk — we never see or store passwords)Creating an account
Billing informationBusiness name, billing email, payment method (tokenized by Stripe — we never store raw card data)Subscribing
CommunicationsContent of emails or support messagesWhen you contact us
Customer data (B2B)Data your organization authorizes us to access (e.g., Shopify store data via API)Per the customer agreement

2b. Information Collected Automatically

2c. Information from Third Parties

3. How We Use Your Information

PurposeLawful basis (GDPR)
Providing and operating the ServicesContract (Art. 6(1)(b))
Responding to your inquiriesLegitimate interest (Art. 6(1)(f))
Billing and subscription managementContract
Security, fraud prevention, abuse preventionLegitimate interest
Compliance with legal obligationsLegal obligation (Art. 6(1)(c))
Service improvement (aggregated / de-identified)Legitimate interest

We do not use personal information to make automated decisions that produce legal or similarly significant effects. We do not currently send marketing email; if that changes, we will obtain consent first where required and you will be able to unsubscribe from every message.

4. How We Share Your Information

We do not sell or rent personal information to third parties for their own marketing purposes. We share information in these limited circumstances:

We do not share personal information with advertising networks or data brokers. We do not use cross-context behavioral advertising pixels.

5. Customer Data (Whitecap Data as Processor)

When a business customer grants us access to their systems or uploads data to the dashboard, we process that data strictly on the customer's behalf and under their instructions, as a data processor. Our processing of such customer data is governed by our Data Processing Agreement (DPA), not this Privacy Policy. If you are an individual whose data was shared with us by a Whitecap Data customer, please contact that customer directly regarding your rights.

6. Data Retention

CategoryRetention period
Contact-form submissionsEmailed to our team via Resend and mirrored to a private, staff-only internal Discord channel (#sign-up-notifications) for prompt follow-up; retained in our inbox / that channel for as long as reasonably necessary to respond and follow up. Resend itself does not maintain a separate copy beyond 7-day point-in-time backups.
Account dataDuration of account + 90 days after termination
Billing records7 years (IRS record-keeping obligation)
Edge request logs (Cloudflare)400 days (shipped via Cloudflare Logpush to our R2 storage; lifecycle rule retention-400d enforced)
Server access logs (nginx)14 days rolling
Server mail logs (postfix/rsyslog)28 days rolling
Systemd journalBounded by disk; effective 7–30 days
Error events (Sentry)90 days
Support communications3 years from last interaction
Customer data (B2B)Per DPA — returned or deleted within 30 days of contract termination
Security incident records5 years (NY SHIELD documentation)

7. Security

We implement administrative, technical, and physical safeguards appropriate to the size of our business and the sensitivity of the data we hold. These include:

Our full security program is documented in our Written Information Security Program (WISP), which is available to customers under NDA on request.

No method of transmission over the Internet is 100% secure. If you believe your account has been compromised, contact us immediately at security@whitecapdata.com.

8. Cookies and Tracking

The dashboard (cana.whitecapdata.com) and gateway (login.whitecapdata.com) set Clerk-managed session cookies that are strictly necessary for authentication. The marketing site (whitecapdata.com) shows a consent banner on your first visit; non-essential cookies are blocked until you accept, and declining sets nothing beyond the consent-preference cookie itself. The cookies in use:

CookieProviderPurposeRetention
wcd_consentWhitecap Data (first-party)Remembers your Accept/Decline choice (strictly necessary)1 year
_gaGoogle Analytics 4Distinguishes visitors for aggregate site-usage statistics (only after consent)Up to 13 months
_ga_*Google Analytics 4Maintains session state for analytics (only after consent)Up to 13 months
__session, __client*ClerkAuthentication session on the dashboard/gateway subdomains (strictly necessary)Session / 7 days

You can change your choice at any time: open cookie preferences. Google's use of analytics data is described in its privacy policy.

Global Privacy Control (GPC): If your browser transmits a GPC signal, we honor it as a valid opt-out for California residents under CCPA §1798.135(b)(1) — analytics stays off and the consent banner is not shown unless you explicitly opt in.

9. Children's Privacy

The Services are intended for use by businesses and professionals. We do not knowingly collect personal information from children under 13, and the Services are not directed to children under 13. If you believe a child has provided us with personal information, contact us at privacy@whitecapdata.com and we will promptly delete it.

10. International Transfers

Whitecap Data operates from the United States and our sub-processors are listed at whitecapdata.com/trust/sub-processors. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your country.

For European Economic Area (EEA), United Kingdom, and Swiss data subjects: transfers of your personal data from the EEA, UK, or Switzerland to the United States rely on either (a) the EU–US Data Privacy Framework (and its UK Extension and Swiss–US Data Privacy Framework) where the receiving sub-processor is certified under those frameworks (Cloudflare, Stripe, GitHub, Sentry, and others on our sub-processor page are DPF-certified), or (b) the European Commission's Standard Contractual Clauses (SCCs) where DPF certification is unavailable, supplemented by additional technical and contractual safeguards. A copy of the executed SCCs for any specific data flow is available on request to privacy@whitecapdata.com.

We do not currently appoint an EU representative under Article 27 GDPR because our processing of EEA-resident data is occasional, does not include large-scale processing of special-category data, and is unlikely to result in a risk to the rights and freedoms of data subjects. This determination will be revisited if our EEA-facing activities expand.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy at this URL with an updated effective date. For material changes, we will provide at least 30 days' advance notice by email to account holders before the change takes effect. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised policy. Prior versions are archived in our public Git history.

12. California-Specific Rights (CCPA / CPRA)

This section supplements the disclosures above for California residents.

12a. Categories of Personal Information Collected

CCPA CategoryExamplesSourceBusiness Purpose
IdentifiersName, email, IP address, user IDDirectly from you; automaticallyAccount management, security
Commercial informationSubscription tier, billing emailStripe webhookBilling, account management
Internet / network activityPages visited, feature usage, error logsAutomaticallySecurity, service improvement
Professional / employment informationBusiness name (if provided)Directly from youAccount management
Inferences drawn from aboveUsage patterns for service improvementDerivedService improvement

We do not collect: biometric data, geolocation data, audio/visual data, government-issued identifiers, mental-health data, or sensitive personal information beyond the account credentials we manage through Clerk.

12b. Sub-processors

The current sub-processor list is at whitecapdata.com/trust/sub-processors. As of 2026-05-28 it includes Cloudflare, DigitalOcean, Clerk, Stripe, Resend, GitHub, Sentry, and Shopify (B2B data source — customer's account, used under customer authorization only). The deployed Whitecap Data products do not call third-party AI APIs at runtime.

12c. California Consumer Rights

California residents have the right to:

To exercise any of these rights, submit a request to privacy@whitecapdata.com with the subject "California Privacy Rights Request." We will respond within 45 days (extendable to 90 days with notice). We may verify your identity before processing the request. Authorized agents may submit requests on your behalf with your written authorization.

13. Your Rights (General)

Regardless of your location, you may contact us at privacy@whitecapdata.com to:

13b. EU / UK / Swiss Resident Rights (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the EU General Data Protection Regulation, the UK GDPR, or the Swiss Federal Data Protection Act, as applicable:

To exercise any of these rights, email privacy@whitecapdata.com with the subject "EU / UK Privacy Rights Request." We will respond within one month per Art. 12(3), extendable by two additional months for complex requests with notice. We may verify your identity before processing the request.

Data Protection Officer: we are not required to appoint a DPO under Art. 37 GDPR (our processing does not meet the thresholds for mandatory appointment). For data-protection matters, contact privacy@whitecapdata.com directly.

Supervisory authority for EU residents in the absence of an appointed lead supervisory authority: your local national Data Protection Authority. For UK residents: the Information Commissioner's Office (ICO).

14. Contact Us

Whitecap Data LLC
19 Columbia Street
Geneva, NY 14456
Email: privacy@whitecapdata.com
For security disclosures: security@whitecapdata.com