
Contents

1. Who we are
2. Data we collect
3. Legal basis
4. How we use your data
5. Third parties
6. International transfers
7. Retention
8. Cookies
9. Your rights
10. Children
11. Changes
12. Contact
Privacy Policy

Last updated: 26 May 2026 — Governed by Estonian law & the GDPR

WaitlistGrow is committed to protecting your personal data. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR, Regulation EU 2016/679) and Estonian law. Please read it carefully before using the platform.

1. Who we are

WaitlistGrow (“we”, “us”, or “our”) is the controller of personal data collected directly through this website and platform. Our registered place of business is in Estonia, and we process personal data in accordance with the GDPR and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus, 2018).

Where you use WaitlistGrow to collect email addresses from your own waitlist subscribers, you become an independent data controller for that subscriber data. WaitlistGrow acts solely as a data processor on your behalf for those records. See the Data Processing Agreement section of our Terms of Service for details.

Data Protection contact:
You can reach us through the feedback form or by emailing privacy@waitlistgrow.com — please replace this with your real contact address before going live.

2. Data we collect

2.1 Account holders (makers and founders)

When you create a WaitlistGrow account we collect:

  • Email address — used to identify your account and send service notifications.
  • Password — stored as a one-way cryptographic hash (bcrypt). We never store or transmit your plain-text password.
  • Waitlist content — the names, taglines, descriptions, feature lists, and settings you create inside the platform.

2.2 Waitlist subscribers (end users)

When someone signs up for a waitlist created by one of our users, we collect on that user’s behalf:

  • Email address — required to join the waitlist.
  • Feature votes — which features the subscriber selected, if any.
  • Sign-up timestamp — when the subscription was recorded.
  • UTM parameters — source, medium, and campaign values from the URL (e.g. utm_source=twitter), used to attribute traffic channels. No personal profiles are built from these.

2.3 Technical and usage data

  • IP address — collected transiently on each request solely for rate-limiting and abuse prevention. It is processed in memory and is not written to the database or retained after the request cycle.
  • Page view analytics — we use Vercel Analytics, a cookieless, privacy-preserving analytics service. It records aggregate page views and referrers; it does not track individuals across sessions and does not set cookies.

3. Legal basis for processing (GDPR Art. 6)

Processing activity | Legal basis
Creating and managing your account | Art. 6(1)(b) — performance of a contract
Sending transactional emails (password reset) | Art. 6(1)(b) — performance of a contract
Rate limiting and security | Art. 6(1)(f) — legitimate interests (protecting service integrity)
Aggregate page-view analytics (Vercel) | Art. 6(1)(f) — legitimate interests (service improvement)
Processing subscriber emails on behalf of waitlist owners | Art. 6(1)(b) — performance of a contract (between us and the waitlist owner)

4. How we use your data

We use the data described above only for the following purposes:

  • Providing, operating, and maintaining the WaitlistGrow platform.
  • Authenticating your account and keeping it secure.
  • Sending password-reset emails and essential service notices.
  • Displaying waitlist analytics (signups, feature votes, traffic sources) to the waitlist owner.
  • Preventing abuse and enforcing our rate limits.
  • Understanding aggregate usage patterns to improve the product.

We do not sell your personal data. We do not use your data for advertising, behavioural tracking, or profiling.

5. Third-party processors

We share data only with the following sub-processors, under written data processing agreements, and only to the extent necessary to operate the service:

Processor | Purpose | Location
Vercel Inc. | Hosting and deployment infrastructure; cookieless page-view analytics | United States (EU region available)
Resend | Transactional email delivery (password reset) | United States

We do not share personal data with any other third party unless required to do so by law or by a binding order from a competent authority.

6. International transfers

Both Vercel and Resend are US-based companies. Where data is transferred outside the European Economic Area (EEA), we rely on the European Commission’s Standard Contractual Clauses (SCCs) and/or adequacy decisions to ensure an equivalent level of protection to that required under the GDPR.

7. Data retention

  • Account data — retained for as long as your account is active. When you delete your account, all associated waitlists and your personal data are permanently deleted within 30 days.
  • Waitlist subscriber data — retained for as long as the waitlist exists in your account. Deleting a waitlist permanently removes all associated subscriber records.
  • IP addresses — not persisted; processed in-memory only and discarded after each request.
  • Aggregate analytics — retained by Vercel per their own retention policy. These records contain no personally identifiable information.

8. Cookies

WaitlistGrow uses a single session cookie (sessionid) to keep you logged in. This cookie is:

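  • Set with the HttpOnly and SameSite=Lax flags: HttpOnly keeps the cookie out of reach of page scripts, which limits session theft through XSS, and SameSite=Lax restricts when the cookie is sent on cross-site requests, which mitigates CSRF.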
  • Deleted when you log out or when your browser session ends.
  • Strictly necessary for the service to function — it does not require separate consent under the ePrivacy Directive.

We do not set advertising, tracking, or analytics cookies. Vercel Analytics operates without cookies and without fingerprinting individual users.

A CSRF protection token (csrftoken) is also set as a security measure on forms. It contains no personal data.

9. Your rights under the GDPR

As a data subject under the GDPR (Arts. 15–22), you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — ask us to delete your data (“right to be forgotten”), subject to our legal obligations.
  • Right to restriction (Art. 18) — ask us to limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right not to be subject to automated decisions (Art. 22) — we do not make automated decisions with legal or significant effects about you.

To exercise any of these rights, contact us via the feedback form. We will respond within 30 days. Where we cannot fulfill a request, we will explain why.

You also have the right to lodge a complaint with the Estonian supervisory authority, the Andmekaitse Inspektsioon (Data Protection Inspectorate): www.aki.ee.

10. Children

WaitlistGrow is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page. For significant changes, we will notify account holders by email. Continued use of the service after the effective date constitutes acceptance of the revised policy.

12. Contact

For any privacy-related questions, requests, or complaints, please contact us via the feedback form. We aim to respond to all requests within 30 calendar days.
