GDPR Compliance

Section 1

Overview

The General Data Protection Regulation (GDPR) is a regulation of the European Union that governs how personal data of individuals in the European Economic Area (EEA) must be collected, processed, and stored. As a company registered and operating in Spain, GDPR compliance is both a legal obligation and a core commitment for WeblyChat.

This page provides a focused summary of our GDPR compliance position. For the full detail of what data we collect, why, and how long we keep it, please refer to our Privacy Policy.

Section 2

Data Controller

Under the GDPR, a "data controller" is the entity that determines the purposes and means of processing personal data. For the WeblyChat service, the data controller is:

• Company: WeblyChat
• Email: hola@weblychat.eu

As data controller we are responsible for ensuring that all personal data processing activities carried out by WeblyChat comply with the GDPR and applicable Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD).

Section 3

Legal Basis for Processing

Every processing activity at WeblyChat has a defined legal basis under Article 6 of the GDPR. We do not process personal data without a valid legal basis.

Performance of a contract — Article 6(1)(b)

The majority of data we process is necessary to provide the WeblyChat service to you. This includes your email address and display name (to create and manage your account), your Telegram user ID and message content (to operate the bot and track change requests), and your session token (to keep you signed in). Without this data we cannot provide the service.

Legitimate interests — Article 6(1)(f)

We retain server logs — including IP addresses and request timestamps — for security monitoring, debugging, and fraud prevention. We have assessed that our legitimate interest in securing the platform outweighs the minimal privacy impact, given that these logs are not used for profiling and are deleted after 30 days. You have the right to object to this processing at any time (see Section 4).

What we do not rely on

We do not rely on consent as a legal basis for processing data that is necessary for the service. We do not use your personal data for advertising or profiling. We do not share your data with third-party advertising networks.

Section 4

Your Rights

If you are located in the European Economic Area, you have the following rights under the GDPR:

Limitation — Telegram messages

When you exercise your right to erasure, we will delete all personal data we hold about you. However, we are unable to delete copies of messages from Telegram's servers. Telegram operates as an independent platform and does not provide us with the technical capability to remove individual messages from their infrastructure. To manage your Telegram message history, please use Telegram's own privacy controls or contact Telegram directly.

Section 5

How to Exercise Your Rights

To exercise any of your GDPR rights, email us at hola@weblychat.eu with a clear description of your request. Please include:

• Your full name and the email address associated with your WeblyChat account
• The specific right you wish to exercise (e.g. "I request a copy of my personal data" or "I request deletion of my account")
• Any additional context that would help us locate your data

We will acknowledge your request within 5 business days and complete it within 30 days as required by Article 12 of the GDPR. In complex cases we may extend this by a further two months, in which case we will notify you of the extension and the reason.

We may need to verify your identity before fulfilling the request. We will not charge a fee for reasonable requests.

Section 6

International Data Transfers

WeblyChat stores and processes personal data on infrastructure located within the European Union. Our primary data store is hosted on EU servers.

Cloudflare

The static websites we build for clients are hosted on Cloudflare Pages, a CDN that routes requests through a global network. Cloudflare, Inc. is a US company that has self-certified under the EU–US Data Privacy Framework, providing an adequate safeguard for transfers of personal data to the United States. Cloudflare acts as a data processor on our behalf under its Data Processing Addendum.

Telegram

Telegram (Telegram FZ-LLC) is incorporated in the United Arab Emirates and routes data through servers that may be located outside the European Economic Area. Using the WeblyChat bot involves transferring your message content and Telegram user ID through Telegram's infrastructure. Telegram does not offer a standard Data Processing Agreement, so it operates as an independent third-party platform under its own terms. This transfer is an inherent part of using Telegram as a communication channel and is necessary to provide the service.

Google OAuth

Authentication is handled via Google OAuth. Google LLC is a US company operating under the EU–US Data Privacy Framework. When you sign in, your name and email address are transmitted to our servers from Google's authorisation service. We do not receive your Google password or other account data.

Section 7

Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Session tokens: Expire automatically after 7 days. Deleted on sign-out.
• Trial account data: Deleted 30 days after trial expiry if no subscription is taken.
• Active subscription data: Retained for the duration of the subscription. Account-level data deleted within 30 days of account closure.
• Change request content: Stored for the duration of the account. Deleted on account deletion or upon a valid erasure request.
• Server logs: Retained for up to 30 days for security and debugging, then deleted automatically.

Where a legal obligation requires us to retain data for a longer period (for example, financial records required under Spanish tax law), we will comply with that obligation and delete the data as soon as the legal retention period expires.

For full details, see the Data Retention section of our Privacy Policy.

Section 8

Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in accordance with Article 32 of the GDPR. Our measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS.
• Access controls: Access to production systems and personal data is restricted to authorised personnel only.
• Self-hosted fonts: Our website uses self-hosted fonts — no external font requests are made to Google Fonts or other third-party CDNs when you visit our site.
• No third-party tracking: We do not embed third-party advertising pixels, analytics scripts, or social media widgets on our marketing website.
• EU infrastructure: Personal data is stored on servers located within the European Union.

If you discover a security vulnerability, please report it to us via our security disclosure page.

Section 9

Supervisory Authority

If you believe we are not handling your personal data in compliance with the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. As a Spanish company, our lead supervisory authority is:

• Agencia Española de Protección de Datos (AEPD)
• Website: www.aepd.es
• Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

If you are resident in another EU member state, you also have the right to contact your national supervisory authority directly.

We would always prefer to resolve any concern you have directly before you escalate to a regulator. Please contact us first at hola@weblychat.eu — we will do our best to resolve it promptly.

Section 10

Contact

For any GDPR-related questions, data subject requests, or concerns, please contact us:

• Email: hola@weblychat.eu
• Company: WeblyChat

We aim to acknowledge all GDPR-related enquiries within 5 business days.

For the complete picture of how we handle your personal data, please read our full Privacy Policy.