This Privacy Policy explains how Watasu LTD (“Watasu”, “we”, “us”) collects, uses, and protects personal data in connection with the Watasu platform and the website at watasu.io (together, the “Service”).
This policy applies to personal data we process as a controller — meaning data we collect about our customers, prospects, and website visitors. Where you upload, deploy, or otherwise process personal data through the Watasu platform in the course of using the Service, Watasu acts as a processor on your behalf, and that processing is governed by our Data Processing Agreement rather than this Privacy Policy.
This policy is written by reference to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025 (“DUAA”), the Privacy and Electronic Communications Regulations 2003 (“PECR”), and the EU General Data Protection Regulation (Regulation (EU) 2016/679) where applicable.
1. Who we are
Watasu LTD
128 City Road
London EC1V 2NX
United Kingdom
Companies House No: 17185896
ICO Registration No: ZC136051
Privacy contact: privacy@watasu.io
1A. EU representative
For data subjects in the European Economic Area, Watasu has appointed the following representative under Article 27 of the EU GDPR:
Euverify Ltd
Unit 3D, North Point House
North Point Business Park
New Mallow Road
Cork T23 AT2P
Ireland
Email: gdpr@euverify.com
You may contact our EU representative directly with any matters relating to the processing of your personal data. To submit a Data Subject Access Request (DSAR), data deletion request, or any other GDPR-related inquiry, you may also use our representative’s secure portal at:
https://gdpr.euverify.com/verify/479bcb74-1fa4-4742-88fc-ad0e861ecaef
Requests submitted through this portal are logged and tracked to ensure timely response and compliance.
2. Personal data we collect
We collect the following categories of personal data:
Account and identification data. Name, company name, business email address, billing address, country, VAT identification number (for EU/UK B2B customers), and authentication credentials (username, password hash).
Payment data. We do not store full payment card details. Stripe Payments UK Limited (“Stripe”) processes payments on our behalf and provides us with limited metadata: card brand, last four digits, expiry month/year, billing country, and a Stripe customer/payment-method identifier. Stripe is authorised by the UK Financial Conduct Authority as an electronic money institution (FRN 900461).
Service usage data. SSH public keys, API tokens, deployment configuration, project and resource names, audit logs, and metering data describing your consumption of the Service.
Technical data. IP address, user-agent string, session identifiers, timestamps, and request logs collected when you access the Service or our website.
Communications data. Support tickets, email correspondence, and any information you voluntarily provide when contacting us.
Marketing data. If you sign up for product updates, your email address and engagement events (open, click) recorded by our email provider.
We do not knowingly collect special category data (health, biometric, political opinions, etc.) and ask that you do not submit such data through support channels.
3. How we use personal data and our legal bases
| Purpose | Legal basis (UK/EU GDPR Art. 6) |
|---|---|
| Creating and operating your account | Contract |
| Providing, maintaining, and improving the Service | Contract; Legitimate interests |
| Processing payments and issuing invoices | Contract; Legal obligation |
| Sending transactional and service-related notices | Contract |
| Detecting, preventing, and investigating fraud, abuse, and security incidents | Legitimate interests; Legal obligation |
| Complying with tax, accounting, and regulatory obligations | Legal obligation |
| Responding to support requests | Contract; Legitimate interests |
| Sending product updates and marketing (B2B) | Legitimate interests, with opt-out |
| Establishing, exercising, or defending legal claims | Legitimate interests |
Our legitimate interests are: keeping the Service secure, operating a sustainable business, and informing existing and prospective business customers about products relevant to their work. You may object to processing based on legitimate interests at any time (see Section 8).
4. Who we share personal data with
Subprocessors. We engage the third parties listed at watasu.io/subprocessors to provide infrastructure, payment, and email services. Each is bound by a written agreement imposing at least the data protection standards required by UK GDPR.
Professional advisers. Lawyers, auditors, and accountants under duties of confidentiality, where reasonably necessary.
Authorities. Where we are legally compelled by a binding order from a competent UK or EU authority, or where disclosure is necessary to protect our rights, property, or the safety of others.
Successor entities. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continuity of this policy.
We do not sell personal data and do not share personal data with advertising networks.
5. International transfers
Customer data hosted on the Watasu platform is stored exclusively within the European Economic Area (Germany and Finland, via Hetzner Online GmbH). The European Commission has recognised the United Kingdom as providing adequate protection for personal data transferred from the EEA, valid until 27 December 2031, and the UK recognises the EEA as adequate; transfers between Watasu (UK) and Hetzner (EEA) therefore do not require additional safeguards.
Limited operational personal data is transferred outside the EEA/UK to:
- Twilio Inc. (operating SendGrid), United States — transactional email delivery. Transfers rely on Twilio’s certification under the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework as the primary mechanism, with the Standard Contractual Clauses approved by the European Commission together with the UK International Data Transfer Addendum as a backstop. Twilio also maintains Binding Corporate Rules, although those do not extend to SendGrid services.
If you would like a copy of the safeguards in place for any specific transfer, contact privacy@watasu.io.
6. Retention
We retain personal data only for as long as necessary for the purposes set out in this policy. Specific periods:
| Data | Retention |
|---|---|
| Active account data | Duration of the contract + 30 days |
| Billing records, invoices, tax data | 6 years from issuance (UK HMRC) |
| Server, application, and audit logs | 90 days |
| Support tickets and correspondence | 2 years from closure |
| Operational backups containing customer data | 30 days from origin write |
| Marketing list entries | Until unsubscribe or 24 months of inactivity |
Where retention is required by law or to establish, exercise, or defend legal claims, data may be retained longer.
7. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest where applicable, access controls and the principle of least privilege, audit logging, network isolation, vulnerability management, and regular review of subprocessor security posture. A summary of our technical and organisational measures is provided as Annex II to our DPA.
No system is perfectly secure, and we cannot guarantee absolute security. We will notify affected customers of personal data breaches without undue delay and, where required, the ICO within 72 hours.
8. Your rights
Under UK and EU GDPR, you have the right to:
- Access — obtain a copy of personal data we hold about you;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion in certain circumstances;
- Restriction — limit how we process your data;
- Portability — receive certain data in a structured, machine-readable format;
- Object — object to processing based on legitimate interests, including direct marketing;
- Withdraw consent — where processing is based on consent;
- Complain — make a complaint directly to us about how we process your personal data, or to a supervisory authority.
To exercise any of these rights, email privacy@watasu.io. We will respond within one month and may extend by two further months for complex requests, with notice.
9. Complaints
If you are unhappy with how we have handled your personal data, you may complain to us directly using the form at watasu.io/privacy-complaint or by emailing privacy@watasu.io with the subject line “Privacy complaint”. We will:
- Acknowledge your complaint within 30 days of receipt;
- Investigate the matter without undue delay, including by making appropriate enquiries;
- Inform you of the outcome of our investigation and any action taken.
You also have the right to lodge a complaint with a supervisory authority:
- United Kingdom: Information Commissioner’s Office, ico.org.uk (becoming the Information Commission during 2026)
- European Union: the supervisory authority of your member state of residence or work (data subjects in the EEA may also contact our EU representative under Section 1A)
10. Cookies
We do not use website analytics, advertising trackers, or cross-site tracking technologies on watasu.io. We do not set non-essential cookies and no consent banner is required.
Strictly necessary cookies (or equivalent local storage) may be used to maintain your authenticated session in the Watasu console. These are exempt from consent requirements as they are essential for the service you have requested.
11. Children
The Service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
12. Automated decision-making
We do not make decisions producing legal or similarly significant effects on you based solely on automated processing.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to account administrators at least 30 days before they take effect. The “Last updated” date at the top reflects the current version.
14. Contact
Questions about this policy or our processing of personal data: privacy@watasu.io
Postal: Watasu LTD, 128 City Road, London EC1V 2NX, United Kingdom.