GDPR COMPLIANCE NOTICE
Last Updated: November 12, 2025
This GDPR Compliance Notice ("Notice") explains how Wordspace.io, LLC ("Wordspace.io," "we," "our," or "us") processes personal data of individuals located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, in accordance with the General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR, and related data-protection laws.
This Notice supplements our Privacy Policy, Cookie Policy, Data Processing Addendum (DPA), and Terms of Service. If you do not agree with this Notice, you should not use our Service.
1. DATA CONTROLLER AND DATA PROCESSOR ROLES
Depending on the activity, Wordspace.io may act as:
1.1 Data Controller
For data we collect directly from you as part of account creation, customer support, marketing communications, and operational analytics.
1.2 Data Processor
For data you submit or generate through the platform (URLs, QR codes, analytics, workspace data, behavioral metrics) on behalf of your organization.
In this capacity, your organization is the Data Controller, and Wordspace.io processes data in accordance with your instructions under our Data Processing Addendum (DPA).
2. INFORMATION WE COLLECT
Categories of data processed under the GDPR include:
2.1 Personal Data You Provide
- Name, email address, workspace name
- Authentication data (including Google SSO identifiers)
- Customer support messages and communication logs
2.2 Service Data (Platform Data)
- Shortened URLs, QR codes, redirects
- Campaign and UTM parameters
- Analytics metrics, such as timestamp, IP address, device type, browser, operating system, and approximate geolocation
- Uploaded brand assets (logos, images)
2.3 Behavioral and Technical Data
Collected automatically through cookies, tracking pixels, and Nest CXM tracking scripts, including:
- Session replay data (rrweb)
- Heatmap interactions
- Clickstream, scroll, and engagement events
- Page load metrics
- Referrer and attribution data
2.4 Pseudonymous Identifiers
- Session IDs
- Visitor hashes
- Cookie IDs
- API tokens and workspace identifiers
We do not store payment card data; all billing is handled by Stripe.
3. LEGAL BASES FOR PROCESSING
Under GDPR Articles 6(1)(a)–6(1)(f), Wordspace.io processes personal data on the following bases:
3.1 Contractual Necessity
To provide and operate the Service, authenticate users, maintain accounts, and fulfill subscription obligations.
3.2 Legitimate Interests
For:
- Platform security
- Fraud prevention
- Analytics and service improvement
- Aggregated statistical measurement
- Behavioral analysis (heatmaps, session events)
We balance these interests with your rights and expectations.
3.3 Consent
For:
- Non-essential cookies
- Certain marketing communications
- Optional behavioral tracking in Nest CXM (where opt-in applies)
3.4 Legal Obligation
To comply with tax, fraud-prevention, regulatory, or law enforcement requirements.
4. HOW WE USE PERSONAL DATA
We process personal data to:
- Deliver the Service and maintain account functionality
- Provide analytics and reporting tools
- Generate session replay and heatmap insights
- Improve performance, reliability, and user experience
- Respond to support requests
- Detect misuse or policy violations
- Develop and test new features (including beta features)
- Comply with legal and regulatory obligations
Aggregated and anonymized data may be retained indefinitely for research and product development.
5. INTERNATIONAL DATA TRANSFERS
Wordspace.io may transfer personal data outside the EEA/UK, including to the United States, where the company is located.
Such transfers occur only with adequate safeguards, including:
- Standard Contractual Clauses (SCCs) (EU Commission Decision 2021/914)
- UK Addendum to the SCCs (ICO-approved)
- Data Processing Addendum with each customer
- Subprocessor agreements with equivalent protections
Subprocessors include:
Cloudflare, Vercel, Supabase, Railway, Google (SSO), Stripe, ESPs, and Nest CXM infrastructure.
6. DATA SUBJECT RIGHTS
Under GDPR, you have the following rights:
6.1 Right to Access
Request a copy of the personal data we hold about you.
6.2 Right to Rectification
Request correction of inaccurate or incomplete data.
6.3 Right to Erasure ("Right to be Forgotten")
Request deletion of personal data, subject to legal retention requirements.
6.4 Right to Restriction of Processing
Request that we limit processing in certain circumstances.
6.5 Right to Data Portability
Receive your personal data in a structured, machine-readable format.
6.6 Right to Object
Object to processing based on legitimate interests, including:
- analytics
- behavioral tracking
- session replay
- heatmapping
6.7 Right to Withdraw Consent
Withdraw cookie or marketing consent at any time.
6.8 Automated Decision-Making
Wordspace.io does not perform automated decision-making that produces legal or similarly significant effects.
To exercise these rights, contact:
We may require identity verification before fulfilling your request.
7. RIGHT TO LODGE A COMPLAINT
If you believe your GDPR rights have been violated, you may lodge a complaint with your local supervisory authority.
For EU residents: a list of supervisory authorities is available at:
https://edpb.europa.eu/about-edpb/board/members_en
For UK residents: contact the Information Commissioner's Office (ICO) at:
8. DATA RETENTION
We retain personal data only as long as necessary to:
- provide the Service
- comply with legal obligations
- enforce our agreements
- resolve disputes
Aggregated or anonymized data may be retained indefinitely.
9. SUBPROCESSORS
Wordspace.io engages subprocessors to assist with hosting, analytics, email delivery, authentication, and infrastructure.
A full list is available in our Privacy Policy.
We require all subprocessors to implement GDPR-compliant safeguards and confidentiality obligations.
10. SECURITY MEASURES
Wordspace.io implements administrative, technical, and physical security safeguards, including:
- TLS encryption
- Firewalling and DDoS protection
- Access control and MFA
- Regular security audits
- Controlled access to infrastructure
- Monitoring for anomalous or malicious behavior
No system is completely secure, but we continually enhance our security posture.
11. NEST CXM AND GDPR
When Nest CXM scripts are embedded on Wordspace.io, the following GDPR considerations apply:
- Session replay data may include behavioral interactions (not keystrokes in password/payment fields).
- For EU/UK users, session-replay cookies may require opt-in consent.
- Nest CXM acts as a Processor under your DPA with Wordspace.io.
- All data collected via Nest CXM falls under this Notice and the main Privacy Policy.
We do not record sensitive categories of data under GDPR Article 9.
12. CHANGES TO THIS NOTICE
We may update this GDPR Notice to reflect changes in law or Service functionality. Material changes will be communicated by reasonable means.
Continued use of the Service constitutes acceptance of the updated Notice.
13. CONTACT INFORMATION
For GDPR inquiries, rights requests, or DPA questions, contact: