logo
  • Services
  • Why Waipal
  • Who it's for
  • Pricing
  • Certificates
  • FAQ
  • Contact
Login Join Waiting List
logo
  • Services
  • Why Waipal
  • Who it's for
  • Pricing
  • Certificates
  • FAQ
  • Contact
Login Join Waiting List

Privacy Policy

Waipal · FLEXI CREDIT s.r.o.

Effective from 25 June 2026

This Privacy Policy explains how FLEXI CREDIT, s.r.o. (the Waipal service) collects, uses, stores and protects your personal data when you use our website and services.

1. Who is the data controller?

The controller, i.e. the entity determining the purposes and means of processing, is the operator of the Waipal service:

FLEXI CREDIT, s.r.o.

Company ID (IČO): 27838358
Registered office: Zelená 1387/14, 735 35 Horní Suchá, Czech Republic
E-mail: info@waipal.com
Website: waipal.com

We have not appointed a Data Protection Officer, as we are not required to do so.

2. What personal data do we process?

Depending on how you use Waipal, we process the following categories of personal data:

  • Account and registration data – name, surname, company name and Company ID (for entrepreneurs), e-mail address, and password (stored only in encrypted, hashed form).
  • Billing and payment data – billing details and information about ordered services, prices and payments. Card details are entered directly with the payment gateway provider; we have no access to the full card number.
  • Content you upload – files uploaded for encrypted storage or to create a Certificate, the name/description of the file, and its digital fingerprint (hash).
  • Certificate data – date and time of the record, the file hash, the blockchain record identifier (TX hash), the file name/description, and the owner's identifier (usually e-mail).
  • Communication data – messages, e-mails and queries.
  • Technical data – IP address, device and browser type, log records of sign-in and account activity, and cookie data.
  • Marketing data – e-mail address and data on segmentation and interaction with our e-mails (whether an e-mail was opened, which links were clicked) – see Article 4.

Uploaded files may themselves contain personal data, including special categories of data (e.g. health data). You are responsible for the content you upload and for the lawfulness of its processing. In relation to such data we generally act as a processor acting on your instructions; see also the Terms and Conditions.

3. Purposes and legal basis of processing

Each processing has a specific purpose and a legal basis under Article 6 GDPR:

PurposeDataLegal basis
Account, providing the service (storing files, issuing and verifying Certificates)account data, uploaded content, certificate dataperformance of contract – Art. 6(1)(b)
Payments, issuing and archiving tax documentsbilling and payment datacontract and legal obligation – Art. 6(1)(b),(c)
Security, fraud prevention, defence of legal claimstechnical and account datalegitimate interest – Art. 6(1)(f)
Commercial communications to existing customerse-mail addresslegitimate interest – Art. 6(1)(f) + § 7(3) Act 480/2004
Newsletter to non-customerse-mail, segmentation dataconsent – Art. 6(1)(a)
Necessary and optional cookiescookie datalegitimate interest / consent – Art. 6(1)(f),(a)

4. Newsletter and Mailchimp

To send e-mail commercial communications and our newsletter and to manage and segment contacts, we use Mailchimp, operated by The Rocket Science Group LLC (part of Intuit Inc.), based in the United States.

Within this tool, e-mail contacts are grouped and segmented and interaction with our e-mails is evaluated (whether an e-mail was delivered, opened and which links were clicked). This helps us tailor the content and relevance of our messages.

  • Legal basis: consent for non-customers (given when subscribing); legitimate interest for existing customers under § 7(3) of Act No. 480/2004 Coll.
  • Unsubscribe: you can unsubscribe at any time free of charge via the link in the footer of every e-mail or by writing to info@waipal.com. Unsubscribing does not affect provision of the Waipal service.
  • Transfer to the USA: using Mailchimp involves a transfer of e-mail data to a third country (USA); see Article 7.

5. Who has access to personal data?

We do not share your data with anyone who would process it for their own purposes. To operate the service we use vetted processors acting under contract and our instructions:

RecipientPurposeLocation
Microsoft Azurewebsite / application hostingEurope
Microsoft Azurestorage of encrypted filesEurope
Stripepayment processingUSA
The Rocket Science Group LLC (Mailchimp)e-mail sending and segmentationUSA
Google (Analytics)website analyticsUSA / EU
Meta Platforms (Facebook)marketingUSA / EU
XRP Ledger (XRPL)writing the digital fingerprint of the filepublic network
Accounting, tax and legal advisorsaccounting and legal mattersCZ / EU

We have a data processing agreement with each processor. We may disclose data to public authorities where required by law.

6. Blockchain and encrypted files

What is written to the blockchain

Only the digital fingerprint (hash) of the file is written to the public blockchain, together with a timestamp – never the content of the file or your personal data. The hash is the result of a one-way cryptographic function from which the file content cannot be reconstructed.

Important – permanence of the record. A blockchain record is permanent and cannot be altered or deleted. By creating a Certificate you acknowledge that the relevant hash will remain in the network even after your account or the service ends – this permanence is the basis of the Certificate's verifiability. The right to erasure therefore cannot apply to a record already written to the blockchain, as it cannot technically be removed and erasure would defeat the purpose of the processing.

Encrypted files

Files uploaded for encrypted storage are stored in encrypted form. Only you, and persons you grant access to, can access their content. You control the encryption key; without it, not even we can access the content of your files.

7. International transfers

Some providers (in particular Mailchimp, Google and Meta) process data in the United States. Any such transfer is safeguarded under Chapter V GDPR, in particular:

  • an adequacy decision of the European Commission (the EU–U.S. Data Privacy Framework), where the recipient is certified, and/or
  • the European Commission's Standard Contractual Clauses, supplemented by appropriate additional measures.

8. How long do we keep the data?

CategoryRetention
Account data and uploaded contentfor the duration of the account; after cancellation no longer than 5 years, then deleted
Certificate dataas long as needed for verifiability; the hash on the blockchain permanently (see Art. 6)
Billing and tax documents10 years (VAT and Accounting Acts)

9. What rights do you have?

Under the GDPR you have the rights of: access; rectification; erasure ("right to be forgotten", subject to the exceptions in Art. 6 and statutory retention); restriction of processing; data portability; objection to processing based on legitimate interest, including direct marketing; withdrawal of consent; and to lodge a complaint with the supervisory authority.

To exercise your rights, contact info@waipal.com. We will respond without undue delay, no later than within one month.

The supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz.

10. Cookies

We use necessary cookies and, with your consent, optional analytical (e.g. Google Analytics) and marketing cookies. You give and manage consent via the cookie banner and can change it at any time. See our cookie policy.

11. Security

All communication runs securely over HTTPS. Sensitive files are stored in encrypted form and access to data is controlled through a verified account. We take reasonable technical and organisational measures to protect data against unauthorised access, loss, misuse or damage.

12. Changes to the Policy

We may update this policy from time to time. The current version is always available on this page. This version is effective from 25 June 2026.

Waipal

Secure protection and certification of documents using blockchain technology.

FLEXI CREDIT s.r.o. · Zelená 1387/14, 735 35 Horní Suchá

Services

  • Intellectual property protection
  • Document encryption
  • Verify certificate

Company

  • FAQ
  • Contact
  • info@waipal.com

Legal

  • Privacy Policy
  • Terms and conditions

© 2026 Waipal · FLEXI CREDIT s.r.o.

We use cookies

To give you the best user experience, we use cookies on our WAIPAL website. Some are essential for the proper functioning of the site, others help us to improve our services or display relevant content.

Types of cookies we use:

Technical (necessary): They ensure the proper functioning of the website. Without them, the site would not function properly.
Marketing: Used to personalise advertising and track your preferences across sites.
Analytical: They help us understand how users use our website (e.g. using Google Analytics).

By clicking on "Accept All" you agree to the use of all types of cookies. By clicking on "Settings" you can choose which cookies you allow us to use. You can change your consent at any time in your browser settings or in the footer of the website.

Settings