PRIVACY POLICY - WIBLO
Last updated: May 19, 2026
Wiblo is committed to protecting your privacy and processing your personal data in a transparent, secure manner that complies with the General Data Protection Regulation (GDPR - EU 2016/679) and applicable laws in France.
This document explains:
- What data we collect
- Why and how we use it
- Who we share it with
- Your rights and how to exercise them
- Our security measures
- Cookie management
Contact: hello.wiblo@gmail.com
1. DATA CONTROLLER
Data Controller: SAS Hapy
Address: 60 Rue François 1er, 75008 Paris, France
Personal data contact: hello.wiblo@gmail.com
Wiblo processes data as:
- Data controller for its own operational needs
- Data processor for certain specific data (e.g., reviews transmitted to Creators)
2. PERSONAL DATA COLLECTED
2.1 - IDENTIFICATION DATA (mandatory)
Collected during registration and account creation:
| Data | Why? | Legal basis |
|---|---|---|
| Phone number | Anti-multi-account verification, contact | Legitimate interest (security), consent |
| Email address | Primary identifier, notifications, account recovery | Necessary for contract |
| First name/Last name or pseudonym | User profile, public display (optional) | Legitimate interest (community functioning) |
| Password | Authentication (hashed, never stored in plain text) | Necessary for contract |
2.2 - USAGE & ACTIVITY DATA
| Data | Why? | Legal basis |
|---|---|---|
| Test history | Points allocation, levels, anti-fraud | Necessary for contract |
| Published reviews | Display to the Project's Creator, quality analysis | Consent, legitimate interest |
| Points/Levels | Gamification, user progression | Necessary for contract |
| Proposed Appreciation Tokens | Display and moderation of proposed Appreciation Tokens | Necessary for contract |
2.3 - TECHNICAL DATA
| Data | Why? | Legal basis |
|---|---|---|
| IP address | Security, anti-fraud geolocation | Legitimate interest (security) |
| Device type/OS | Compatibility, analytics | Legitimate interest |
| Device identifier | User sessions | Legitimate interest |
| Cookies (see section 9) | Website/app functioning | Consent |
2.4 - OPTIONAL DATA
| Data | Why? | Legal basis |
|---|---|---|
| Geolocation (opt-in) | Localized content discovery, anti-fraud | Explicit consent |
| Marketing preferences | Communication personalization | Consent |
NO SENSITIVE DATA: Wiblo does not collect health data, religion, sexual orientation, political opinions, etc.
3. PROCESSING PURPOSES
We process your data ONLY for:
3.1 - PRIMARY PURPOSES (necessary for contract)
1. Wiblo service provision:
- Account creation and management
- Points/Levels allocation based on your actions
- Project publication (Creators)
- Test and Review management (Testers)
2. Appreciation Tokens management:
- Display of the Appreciation Tokens proposed by Creators in the Project description
- Moderation of Appreciation Token proposals to enforce platform policy (no monetary, convertible, or transferable rewards - see Terms of Service section 5.3)
- Notification to the Creator when a Tester has completed a test eligible for an Appreciation Token
Wiblo does not deliver, store, transfer, or guarantee any Appreciation Token. All Appreciation Tokens are delivered directly by Creators to Testers, outside the Wiblo Platform.
3. Security & integrity:
- Fraud detection (multi-accounts, bots)
- Abuse protection (IP monitoring, patterns)
- Critical data backup
3.2 - SECONDARY PURPOSES (legitimate interest)
1. Platform improvement:
- Anonymized trend analysis
- Internal statistics (Tester→Creator conversion rate)
- UX/UI optimization (analytics)
2. Customer support:
- Response to your tickets and claims
- History of your interactions with support
3. Legal compliance:
- Tax obligations (invoices)
- Response to authorities (judicial orders)
3.3 - MARKETING PURPOSES (consent)
1. Marketing communications:
- Newsletter (new Projects, events)
- Special offers and Wiblo product announcements
- MANDATORY OPT-IN: You can unsubscribe at any time
4. LEGAL BASES FOR PROCESSING
| Purpose | GDPR legal basis | Details |
|---|---|---|
| Service provision | Article 6.1.b - Necessary for contract | Without this data, no service possible |
| Security | Article 6.1.f - Legitimate interest | Platform security priority |
| Improvement | Article 6.1.f - Legitimate interest | Anonymized A/B tests, product analytics |
| Marketing | Article 6.1.a - Consent | Explicit opt-in required |
| Compliance | Article 6.1.c - Legal obligation | Invoices, authorities |
| Optional geolocation | Article 6.1.a - Consent | Localized content, anti-fraud |
5. DATA RECIPIENTS
5.1 - INTERNAL RECIPIENTS
- Wiblo team (support, moderation, development)
- Access restricted by role ("need to know" principle)
5.2 - SUB-CONTRACTORS / TECHNICAL PARTNERS
| Partner | Role | Data shared | Contract type |
|---|---|---|---|
| Apple | In-app purchases via App Store | Payment metadata | Standard store agreement |
| Google | In-app purchases via Google Play | Payment metadata | Standard store agreement |
| Supabase | Backend hosting, database, edge functions | Technical data, user data | Signed GDPR DPA |
| Resend | Transactional emails (account verification, deletion confirmation, notifications) | Email address, message content | Signed GDPR DPA |
| PostHog (EU Cloud) | Product analytics & behavioral events | Behavioral events, anonymized user ID, email (support identifier) | Signed GDPR DPA - EU Cloud (eu.i.posthog.com) |
ALL SUB-CONTRACTORS SIGN A GDPR DPA (DATA PROCESSING AGREEMENT).
5.3 - SHARING WITH CREATORS
- Reviews: Your published Reviews are visible exclusively to the Project Creator. Reviews are not displayed publicly to other Testers or to the general community.
- Limited identifiers shared with Creators: When you submit a Review on a Project, the Creator may see your username, avatar, and email address. This sharing is necessary to enable the Creator to contact you directly and deliver any Appreciation Token they have proposed, outside the Wiblo Platform.
- Sensitive data NOT shared: The Creator does not see your IP address, date of birth, or other sensitive personal data.
- Legal basis: Necessary for the performance of the contract (Article 6.1.b GDPR) - the Creator has subscribed to a paid Test Session and must be able to fulfill the Appreciation Token they proposed.
- No Wiblo intermediation: Wiblo only transmits the list of Testers who submitted Reviews to enable direct contact between Testers and Creators. Wiblo does not deliver, store, transfer, or guarantee the delivery of any Appreciation Token (see Terms of Service Section 5.5).
- Aggregated statistics: The Creator sees anonymized stats (e.g., "50 French Testers, average rating 4.2")
5.4 - AUTHORITIES & LEGAL OBLIGATIONS
- Judicial orders, police, tax authorities
- Only upon legally founded request
WIBLO NEVER SELLS YOUR PERSONAL DATA TO THIRD PARTIES.
6. INTERNATIONAL DATA TRANSFERS
6.1 - DATA LOCATION
- Backend hosting & database: Supabase (EU region)
- Product analytics: PostHog EU Cloud (eu.i.posthog.com)
- Transactional emails: Resend (EU region where supported by the provider)
6.2 - TRANSFERS OUTSIDE EU
Wiblo strives to keep all personal data within the European Union. As of the effective date of this Policy, no systematic transfer of personal data outside the EU is performed by Wiblo's primary operations. Should a sub-contractor process personal data from outside the EU in the future, appropriate safeguards (Standard Contractual Clauses, EU adequacy decisions, or equivalent) will be applied, and this Policy will be updated accordingly.
7. DATA RETENTION PERIOD
| Data type | Retention period | Reason |
|---|---|---|
| Active account | Duration of your use + 3 years | Support, legal, reactivation |
| Gamification Points | Until account deletion | Gamification continuity |
| Invoices/Payments | 10 years | French tax obligations (Article L123-22 of the Commercial Code) |
| Security logs (anonymized) | 6 months | GDPR Article 32 - security obligation |
| Reviews submitted by Testers | Until account deletion of the submitting Tester (then deleted in cascade with the Tester account) | Linked to Tester identity, subject to cascade deletion |
| Projects published by Creators | May remain on the Platform after Creator account deletion, with empty creator profile | Preserve feedback integrity and Wiblo catalog |
Account deletion process
When you request the deletion of your Wiblo account, your data is processed in two phases:
1. Grace period (D+0 to D+14): your account is marked for deletion. You can cancel the request by logging back into the Wiblo application. Your data remains in our database but is flagged as inactive.
2. Effective deletion (D+14): an automated edge function purges all your personal data from our active database. Wiblo currently operates on Supabase Free, which does not generate automated backups. As a result, the deletion at D+14 is immediate and complete - no residual data remains on Wiblo servers beyond this point.
Data subject to legal obligations (invoices, anonymized security logs) is retained separately as detailed in the table above. Should Wiblo migrate to a Supabase plan with automated backups in the future, this section will be updated to disclose the corresponding backup rotation period.
8. YOUR GDPR RIGHTS
You have the following rights (Articles 15 to 22 GDPR):
| Right | Description | How to exercise |
|---|---|---|
| ACCESS (Art. 15) | Obtain a copy of your data | Form in app or email hello.wiblo@gmail.com |
| RECTIFICATION (Art. 16) | Correct inaccurate data | Account settings or support |
| OBJECTION (Art. 21) | Refuse marketing/analytical processing | Unsubscribe link or settings |
| ERASURE (Art. 17) | Request deletion of your data | See "Right to erasure (Account Deletion)" below |
| PORTABILITY (Art. 20) | Retrieve your data in a structured format (JSON, CSV) | Request by email |
| RESTRICTION (Art. 18) | Temporarily freeze processing of your data | Request by email |
| COMPLAINT | File a complaint with CNIL if rights not respected | cnil.fr/fr/plaintes |
RESPONSE TIME: Maximum 30 days after receipt of your request.
Right to erasure (Account Deletion)
You can request the deletion of your account via two channels:
- From the Wiblo application: Settings → Account → Delete my account
- From the Wiblo website: through the dedicated Account Deletion page
For web requests, a confirmation by email is required to verify your ownership of the account (link valid for 48 hours). Once confirmed, the 14-day grace period begins as described in Section 7.
9. COOKIES & TRACKING TECHNOLOGIES
9.1 - WHAT IS A COOKIE?
A cookie is a small text file stored on your device when you visit our application or website. It allows us to remember your preferences and improve your experience.
9.2 - COOKIES USED
| Type | Purpose | Duration | Legal basis |
|---|---|---|---|
| ESSENTIAL COOKIES | User session, Login, Security | Session | Necessary for contract |
Wiblo does not use third-party analytics or marketing cookies on its website. Product analytics in the mobile application are handled through a first-party setup (see section 9.5).
9.3 - COOKIE MANAGEMENT
You can refuse non-essential cookies:
- In Wiblo application settings
- Via your browser (if using web app)
- Via your mobile device settings (iOS/Android)
9.4 - SIMILAR TECHNOLOGIES
Wiblo may also use:
- First-party analytics events (via PostHog EU Cloud, see section 9.5)
- Local storage / session storage for session management
Wiblo does not collect mobile advertising identifiers (such as IDFA on iOS or GAID on Android), does not integrate with any third-party advertising network, and does not perform cross-app tracking.
9.5 - PRODUCT ANALYTICS (PostHog)
Wiblo uses PostHog (EU Cloud - eu.i.posthog.com) to collect behavioral analytics in the mobile application. PostHog helps us understand how users interact with the app and improve product quality.
Data collected via PostHog:
- Behavioral events: screen navigation, feature interactions, funnel steps (project creation, test redirect, review submission, vote, XP/badge rewards)
- User identification (support): your email address may be associated with analytics events via PostHog's identify() function, solely to link events to your account for customer support purposes - it is not used for advertising
- Technical context: device type, OS version, app version (automatically collected by PostHog)
- Approximate location: PostHog automatically derives an approximate location (region/city level) from the IP address, used for analytics and user support purposes.
Legal basis: Legitimate interest - Article 6.1.f GDPR (platform improvement, product analytics, post-launch IAP pricing based on real behavior)
Data location: EU Cloud (eu.i.posthog.com) - data stored in Europe, compliant with GDPR
Opt-out: You can request to opt out of PostHog analytics at any time by contacting hello.wiblo@gmail.com with subject [GDPR] Analytics opt-out. Upon request, your PostHog profile will be deleted and future collection disabled for your account.
10. DATA SECURITY
Wiblo implements technical and organizational measures to protect your personal data against unauthorized access, loss, destruction or alteration.
10.1 - TECHNICAL MEASURES
- Communication encryption (HTTPS/TLS)
- Passwords hashed with bcrypt (never stored in plain text)
- Two-factor authentication (2FA) - planned feature
- Sensitive data encryption in database
- Encrypted and regular backups (where applicable to the hosting plan in use)
- DDoS attack protection
10.2 - ORGANIZATIONAL MEASURES
- Restricted data access (limited team, "need to know" principle)
- Mandatory GDPR training for all employees
- Regular security audits (internal and external)
- Continuous anti-fraud monitoring (logs, patterns)
- Security incident response procedures
- DPA contracts with all sub-contractors
10.3 - IN CASE OF DATA BREACH
In case of a data breach affecting your rights and freedoms, Wiblo commits to:
- Notify CNIL within 72 hours (GDPR Article 33)
- Inform you directly by email if high risk (GDPR Article 34)
- Take all necessary corrective measures
- Publish a transparency report
11. MODIFICATIONS TO THIS POLICY
11.1 - CHANGE NOTIFICATIONS
In case of IMPORTANT changes (new data collected, new recipients, purpose change):
- Email notification 7 days before effective date
- In-app notification (pop-up on launch)
- New version published with visible update date
- Acceptance required to continue using Wiblo
11.2 - MINOR CHANGES
For minor modifications (corrections, clarifications):
- Update of "Last updated" date
- Publication without prior notification
11.3 - VERSION HISTORY
Previous versions of this Policy are archived and available upon request by email at hello.wiblo@gmail.com.
12. CONTACT & COMPLAINTS
12.1 - QUESTIONS ABOUT YOUR PERSONAL DATA
- Email: hello.wiblo@gmail.com
- Postal address: SAS Hapy - 60 Rue François 1er, 75008 Paris, France
Email subject: [GDPR] followed by your request (e.g., [GDPR] Access request)
We commit to responding within a maximum of 30 calendar days.
12.2 - COMPLAINT TO CNIL
- Website: cnil.fr/fr/plaintes
- Email: plaintes@cnil.fr
- Postal address: CNIL - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
13. COMPLIANCE
This Privacy Policy complies with:
- General Data Protection Regulation (GDPR - EU 2016/679)
- Data Protection Act (France, amended in 2018)
- Apple App Store Review Guidelines (Section 5.1.1)
- Google Play Store Data Safety Requirements
- ePrivacy Directive (cookies and electronic communications)
Wiblo - Your privacy is our priority.