Privacy Policy
Last updated May 2, 2026
This policy explains how Watchpost handles personal data. It is written so a normal person can read it. Where the GDPR uses specific terms, we mention them so you can find the relevant articles if you want to.
1. Who we are
The data controller for the personal data described in this policy is [YOUR_COMPANY_NAME] ([COMPANY_FORM]), registered in [COUNTRY_OF_REGISTRATION] under company number [REGISTRATION_NUMBER]. Our registered address is [REGISTERED_ADDRESS]. VAT identification: [VAT_NUMBER].
For privacy questions, requests under the GDPR, or anything else this policy mentions, write to privacy@watchpost.systems. We are not legally required to appoint a Data Protection Officer; privacy requests are answered by the people running the service.
2. What we collect, and the legal basis for each
2.1 Account data
Your email address, an optional name, and a hashed password if you signed up with one.
Purpose: creating and maintaining your account, signing you in. Legal basis: performance of a contract with you (GDPR Art. 6(1)(b)).
2.2 Verdict data
For every purchase your AI agent submits to us: the merchant domain, product title, amount, currency, the verdict we issued (approve, review, block), the reasoning, and the outcome if your agent reports back.
Purpose: running the verify endpoint, displaying your transaction history, refining the merchant trust score over time. Legal basis: performance of contract.
2.3 Connection tokens
A SHA-256 hash of each agent connection token, plus the first 8 characters in plain text for UI listing. The raw token never sits in our database.
Purpose: authenticating API calls from your agents. Legal basis: performance of contract.
2.4 Subscription data
Stripe customer ID, current plan, subscription status, monthly verdict count, and monthly overage in cents.
Purpose: charging the correct amount for the plan you've chosen, keeping tax records. Legal basis: performance of contract (Art. 6(1)(b)) for billing, and legal obligation (Art. 6(1)(c)) for retaining tax-related records.
2.5 Server logs
Request paths, status codes, IP addresses, user agents, timestamps. Kept for 30 days before automatic deletion.
Purpose: finding bugs, detecting abuse, keeping the service available.
Legal basis: our legitimate interest (Art. 6(1)(f)) in operating a secure and reliable service. We have weighed this interest against your rights and believe it is proportionate; you can object at any time (see Section 7).
2.6 Communications
Magic-link sign-in emails, weekly digest emails (if you've enabled them), and any email you send us.
Purpose: sending you links you've requested, summarizing your weekly activity, replying to support. Legal basis: performance of contract for transactional email; consent (Art. 6(1)(a)) for the weekly digest, which you can switch off in settings.
2.7 What we do not collect
- Card numbers, CVCs, expiries. Stripe handles that. We see a customer ID.
- Device fingerprints, advertising IDs, third-party tracking IDs.
- Analytics or marketing pixels of any kind.
- Special categories of data (health, biometrics, political opinions, etc.).
3. Automated decision-making
Watchpost makes automated decisions on every purchase your agent submits: approve, ask you, or block. The decision combines a merchant trust score, a listing-manipulation scan, and the rules you have configured.
Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. We consider Watchpost's verdicts to fall outside this category: they advise your agent on whether to proceed with a purchase you have configured rules for, and you can override any verdict by adjusting your rules or by tapping Allow or Block on any review notification.
If you disagree with a verdict, you can: change your rules; tap Allow or Block on any outstanding review; or contact us for a manual review by writing to privacy@watchpost.systems.
4. Who else processes your data
We use a small set of service providers ("processors" under GDPR) to run Watchpost. Each is bound by a written data-processing agreement and only sees what they need to do their part.
- Neon — Postgres database hosting. EU region (Frankfurt) for users who sign up from the EU. Data processed: everything we store about your account.
- Railway — API hosting. EU region for EU users. Data processed: request bodies and logs in transit.
- Vercel — web hosting. Edge nodes near you; control plane in the US. Data processed: session cookies, page requests.
- Stripe Payments Europe — billing. Ireland for EU users. Data processed: email, billing details you provide directly to Stripe, subscription state.
- Resend — transactional email (magic links, digests). United States, under Standard Contractual Clauses. Data processed: your email address and the message body.
- Anthropic — the model that scans listings for manipulation. United States, under Standard Contractual Clauses. Data processed: the listing text your agent submits. Anthropic does not retain or train on API content under their default API terms.
We do not sell, rent, or trade your data. The only time it leaves the providers above is if a court order or other legally binding request compels us; we will tell you about it unless the law prevents us.
5. International transfers
For providers outside the European Economic Area (Resend, Anthropic, Vercel control plane, Stripe non-EU operations), we rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and supplementary measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), and minimal data sharing. If you would like a copy of the SCCs we use with a particular provider, write to privacy@watchpost.systems and we will send them.
6. How long we keep things
- Account data — for as long as you have an account.
- Verdict and transaction data — Free tier: 90 days. Watchful and Family: 12 months. Removed entirely on account deletion.
- Server logs — 30 days, then automatically deleted.
- Backups — 30 days; data deleted from production is overwritten in backups within 60 days.
- Billing records — 7 years, to satisfy tax-law retention requirements. Personal data is minimized after the active relationship ends.
- Support correspondence — 24 months from the last reply.
7. Your rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15). Email us and we will send a JSON export within 30 days.
- Rectify data that is wrong or incomplete (Art. 16). Most fields are editable from your settings; for anything else, email us.
- Erase your data (Art. 17). Delete your account from settings, or email us. Removed within 30 days, except where we must keep something for a legal obligation (for example billing records).
- Restrict processing (Art. 18) while a dispute is being resolved.
- Object (Art. 21) to processing based on legitimate interest. We will stop unless we can show a compelling reason that overrides your interest.
- Data portability (Art. 20). We will send you your data in a machine-readable JSON file.
- Withdraw consent (Art. 7(3)) where processing is based on consent. In practice this affects the weekly digest opt-in; switching it off in settings counts as withdrawal.
- Lodge a complaint with your national supervisory authority. The list is at edpb.europa.eu/about-edpb/board/members. We would prefer you reach us first so we can fix things, but the right exists whether you do or not.
8. Security
The full picture lives on our security page. Briefly: TLS in transit, AES-256 at rest, bcrypt-hashed passwords, SHA-256-hashed connection tokens, scoped production access, audited operator logins.
If we ever experience a personal-data breach with risk to your rights, we will notify the relevant supervisory authority within 72 hours under Art. 33, and notify you without undue delay under Art. 34. Reach security@watchpost.systems if you suspect a security issue.
9. Cookies
We use one strictly necessary cookie. The full list and rationale are on the cookie policy.
10. Children
Watchpost is not intended for anyone under 16. We do not knowingly process the personal data of children. If you believe a child has created an account, email us and we will delete it.
11. Changes to this policy
If we change this policy in a way that materially affects you, we will email you and post a banner on the site at least 14 days before the change takes effect. Less material changes (typos, clarifications) are reflected by bumping the "Last updated" date at the top.
12. Contact
Privacy: privacy@watchpost.systems
Security: security@watchpost.systems
General: hello@watchpost.systems
Postal: [YOUR_COMPANY_NAME], [REGISTERED_ADDRESS]