Privacy Policy
Waipal · FLEXI CREDIT s.r.o.
This Privacy Policy explains how FLEXI CREDIT, s.r.o. (the Waipal service) collects, uses, stores and protects your personal data when you use our website and services.
1. Who is the data controller?
The controller, i.e. the entity determining the purposes and means of processing, is the operator of the Waipal service:
FLEXI CREDIT, s.r.o.
Company ID (IČO): 27838358
Registered office: Zelená 1387/14, 735 35 Horní Suchá, Czech Republic
E-mail: info@waipal.com
Website: waipal.com
We have not appointed a Data Protection Officer, as we are not required to do so.
2. What personal data do we process?
Depending on how you use Waipal, we process the following categories of personal data:
- Account and registration data – name, surname, company name and Company ID (for entrepreneurs), e-mail address, and password (stored only in encrypted, hashed form).
- Billing and payment data – billing details and information about ordered services, prices and payments. Card details are entered directly with the payment gateway provider; we have no access to the full card number.
- Content you upload – files uploaded for encrypted storage or to create a Certificate, the name/description of the file, and its digital fingerprint (hash).
- Certificate data – date and time of the record, the file hash, the blockchain record identifier (TX hash), the file name/description, and the owner's identifier (usually e-mail).
- Communication data – messages, e-mails and queries.
- Technical data – IP address, device and browser type, log records of sign-in and account activity, and cookie data.
- Marketing data – e-mail address and data on segmentation and interaction with our e-mails (whether an e-mail was opened, which links were clicked) – see Article 4.
Uploaded files may themselves contain personal data, including special categories of data (e.g. health data). You are responsible for the content you upload and for the lawfulness of its processing. In relation to such data we generally act as a processor acting on your instructions; see also the Terms and Conditions.
3. Purposes and legal basis of processing
Each processing has a specific purpose and a legal basis under Article 6 GDPR:
| Purpose | Data | Legal basis |
|---|---|---|
| Account, providing the service (storing files, issuing and verifying Certificates) | account data, uploaded content, certificate data | performance of contract – Art. 6(1)(b) |
| Payments, issuing and archiving tax documents | billing and payment data | contract and legal obligation – Art. 6(1)(b),(c) |
| Security, fraud prevention, defence of legal claims | technical and account data | legitimate interest – Art. 6(1)(f) |
| Commercial communications to existing customers | e-mail address | legitimate interest – Art. 6(1)(f) + § 7(3) Act 480/2004 |
| Newsletter to non-customers | e-mail, segmentation data | consent – Art. 6(1)(a) |
| Necessary and optional cookies | cookie data | legitimate interest / consent – Art. 6(1)(f),(a) |
4. Newsletter and Mailchimp
To send e-mail commercial communications and our newsletter and to manage and segment contacts, we use Mailchimp, operated by The Rocket Science Group LLC (part of Intuit Inc.), based in the United States.
Within this tool, e-mail contacts are grouped and segmented and interaction with our e-mails is evaluated (whether an e-mail was delivered, opened and which links were clicked). This helps us tailor the content and relevance of our messages.
- Legal basis: consent for non-customers (given when subscribing); legitimate interest for existing customers under § 7(3) of Act No. 480/2004 Coll.
- Unsubscribe: you can unsubscribe at any time free of charge via the link in the footer of every e-mail or by writing to info@waipal.com. Unsubscribing does not affect provision of the Waipal service.
- Transfer to the USA: using Mailchimp involves a transfer of e-mail data to a third country (USA); see Article 7.
5. Who has access to personal data?
We do not share your data with anyone who would process it for their own purposes. To operate the service we use vetted processors acting under contract and our instructions:
| Recipient | Purpose | Location |
|---|---|---|
| Microsoft Azure | website / application hosting | Europe |
| Microsoft Azure | storage of encrypted files | Europe |
| Stripe | payment processing | USA |
| The Rocket Science Group LLC (Mailchimp) | e-mail sending and segmentation | USA |
| Google (Analytics) | website analytics | USA / EU |
| Meta Platforms (Facebook) | marketing | USA / EU |
| XRP Ledger (XRPL) | writing the digital fingerprint of the file | public network |
| Accounting, tax and legal advisors | accounting and legal matters | CZ / EU |
We have a data processing agreement with each processor. We may disclose data to public authorities where required by law.
6. Blockchain and encrypted files
What is written to the blockchain
Only the digital fingerprint (hash) of the file is written to the public blockchain, together with a timestamp – never the content of the file or your personal data. The hash is the result of a one-way cryptographic function from which the file content cannot be reconstructed.
Important – permanence of the record. A blockchain record is permanent and cannot be altered or deleted. By creating a Certificate you acknowledge that the relevant hash will remain in the network even after your account or the service ends – this permanence is the basis of the Certificate's verifiability. The right to erasure therefore cannot apply to a record already written to the blockchain, as it cannot technically be removed and erasure would defeat the purpose of the processing.
Encrypted files
Files uploaded for encrypted storage are stored in encrypted form. Only you, and persons you grant access to, can access their content. You control the encryption key; without it, not even we can access the content of your files.
7. International transfers
Some providers (in particular Mailchimp, Google and Meta) process data in the United States. Any such transfer is safeguarded under Chapter V GDPR, in particular:
- an adequacy decision of the European Commission (the EU–U.S. Data Privacy Framework), where the recipient is certified, and/or
- the European Commission's Standard Contractual Clauses, supplemented by appropriate additional measures.
8. How long do we keep the data?
| Category | Retention |
|---|---|
| Account data and uploaded content | for the duration of the account; after cancellation no longer than 5 years, then deleted |
| Certificate data | as long as needed for verifiability; the hash on the blockchain permanently (see Art. 6) |
| Billing and tax documents | 10 years (VAT and Accounting Acts) |
9. What rights do you have?
Under the GDPR you have the rights of: access; rectification; erasure ("right to be forgotten", subject to the exceptions in Art. 6 and statutory retention); restriction of processing; data portability; objection to processing based on legitimate interest, including direct marketing; withdrawal of consent; and to lodge a complaint with the supervisory authority.
To exercise your rights, contact info@waipal.com. We will respond without undue delay, no later than within one month.
The supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz.
10. Cookies
We use necessary cookies and, with your consent, optional analytical (e.g. Google Analytics) and marketing cookies. You give and manage consent via the cookie banner and can change it at any time. See our cookie policy.
11. Security
All communication runs securely over HTTPS. Sensitive files are stored in encrypted form and access to data is controlled through a verified account. We take reasonable technical and organisational measures to protect data against unauthorised access, loss, misuse or damage.
12. Changes to the Policy
We may update this policy from time to time. The current version is always available on this page. This version is effective from 25 June 2026.