Privacy Policy

Wesaka is operated by Pila Studio UG (haftungsbeschränkt), a company registered in Germany (“Wesaka”, “we”, “us”). For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller for the personal data described here.

If you have any question about this policy or wish to exercise your rights, contact us at privacy@wesaka.app. Our full registered details (Handelsregister number and registered address) are available on request.

We collect the following categories of personal data:

Account & identity. When you create an account, our authentication provider (Clerk) processes your name, email address, and — if you choose to use them — social sign-in identifiers (Google, Apple) and password credentials. Wesaka never stores your password.

Profile & cultural context. Information you choose to add — heritage background, languages spoken, home country and city, the traditions and regions you are interested in, and your communication preferences.

Participation data. Records of the events you save, the applications you submit (including the answers you write — why an event matters to you, what you bring), the events you attend, the witness journals and reflections you publish, and any media you upload.

Host & guide data. If you register a community, host, or guide, information about you and the community you represent, and — where verification is required — identity-verification status processed through our identity provider.

Payment data. When payments are introduced, transactions are handled by Stripe. Wesaka does not see or store your full card number — Stripe processes payment details directly and returns only a token and the transaction record.

Newsletter. If you subscribe to The Invitation, your email address and consent record are processed by our newsletter provider (Beehiiv). We store only the consent log; the newsletter content lives with the provider.

Usage & device data. Analytics and product-monitoring data — pages visited, approximate location derived from IP, browser and device type, and error diagnostics — collected through Google Analytics and PostHog to understand and improve the platform.

To provide the platform — creating your account, showing you events, processing applications and attendance, and connecting you with communities and guides. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

To communicate with you — transactional emails (application updates, notifications) via Resend, and, only with your consent, the newsletter. Legal basis: contract for transactional messages; consent (Art. 6(1)(a)) for marketing.

To keep the platform safe and improving — fraud prevention, debugging, analytics, and aggregate measurement. Legal basis: legitimate interests (Art. 6(1)(f)), balanced against your rights.

To meet legal obligations — tax, accounting, and responding to lawful requests. Legal basis: legal obligation (Art. 6(1)(c)).

We do not sell your personal data. We share it only with the service providers (“processors”) that operate the platform on our behalf, each bound by a data processing agreement:

Clerk (authentication), Stripe(payments & identity verification), Beehiiv (newsletter), Resend (transactional email), DigitalOcean (hosting & media storage), Vercel (website hosting), and Google Analytics + PostHog(analytics & monitoring).

The communities you engage with. When you apply to or attend an event, the host community and its endorsed guide see the parts of your application and profile needed to host you well. Witness journals and reflections you choose to publish are, by their nature, public cultural records.

We may also disclose data where required by law, or to protect the rights, safety, and property of Wesaka, our communities, and our users.

Some of our providers are based outside the European Economic Area, including in the United States. Where data is transferred abroad, we rely on appropriate safeguards — chiefly the European Commission’s Standard Contractual Clauses — to ensure your data continues to be protected to an equivalent standard.

We use a small number of cookies and similar technologies. Strictly necessary ones keep you signed in and the site functioning. Analytics technologies (Google Analytics, PostHog) help us understand how the platform is used. You can control non-essential cookies through your browser settings, and we honour “Do Not Track” signals where technically feasible.

We keep personal data for as long as your account is active and as long as needed for the purposes above. When you delete content or your account, we apply a soft delete — the record is removed from the live platform and excluded from all normal use — and purge it from backups on our standard retention cycle, except where law requires us to keep certain records (for example, financial records) for a defined period.

Under the GDPR you have the right to:

Access the personal data we hold about you · Rectify inaccurate data · Erase your data (“right to be forgotten”) · Restrict or object to certain processing · Port your data to another service · and Withdraw consent at any time, without affecting processing carried out before withdrawal.

To exercise any of these, email privacy@wesaka.app. You also have the right to lodge a complaint with a supervisory authority — in Germany, the data protection authority of your federal state (Landesdatenschutzbehörde).

Wesaka is not directed at children under 16. We do not knowingly collect data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

We protect your data with encryption in transit, access controls, and reputable infrastructure providers. Media is stored privately and served through signed or access-controlled URLs. No system is perfectly secure, but we work to keep the risk low and to notify you and the authorities promptly in the unlikely event of a breach that affects you.

We may update this policy as the platform evolves. When we make material changes, we will update the date above and, where appropriate, notify you. Continued use of Wesaka after a change means you accept the revised policy.