Version 1.0 — June 2026 · Wede Technology, Lda · GDPR (EU) 2016/679
Wede Technology, Lda ("Wede", "we") is the controller of personal data collected in connection with the use of the Wede Platform. Contact email: geral@wede.pt Privacy email: privacy@wede.pt Website: wede.pt The formal appointment of a Data Protection Officer (DPO) is in progress. Until that appointment, privacy requests should be directed to privacy@wede.pt.
Account and authentication data: user name and email (provided at registration), role and access level (RBAC), account creation date and time, session history (JWT — expires after 8 hours). Operational data: events created by the Tenant (type, priority, vertical, GPS location, timestamp), team and member data (name, role, availability status, GPS location), missions and their lifecycle (status, delivery channel, timestamps), Tenant configuration (parsers, catalog, zones, thresholds). Device data (offline SDK): device_id — unique permanent identifier generated by the SDK on installation; platform and application version (iOS, Android, web, etc.); offline queue — operations generated without connectivity, with sequence number and generation timestamp; GPS location — collected periodically when tracking is active (intervals configured by the Tenant). Audit and security data: immutable log of all operations (action, entity, user, IP, NTP timestamp), authentication attempts, unauthorised access attempts. What we do not collect: event payload content — payloads are opaque; Wede transports them without reading or storing them in an interpretable form. Biometric data. Health data (unless the Tenant includes health data in the payload — the Tenant's responsibility).
Provision of contracted service (account, operational, device data) — Art. 6(1)(b) GDPR, contract performance. Offline delivery guarantee (device_id, offline queue) — Art. 6(1)(b) GDPR, contract performance. Security and fraud prevention (audit, IPs, sessions) — Art. 6(1)(f) GDPR, legitimate interests. Compliance with legal obligations (audit, billing) — Art. 6(1)(c) GDPR, legal obligation. Service improvement (anonymised usage metrics) — Art. 6(1)(f) GDPR, legitimate interests.
The device_id is a unique identifier generated by the Wede SDK on the first installation on a device. It is permanent — it survives application updates and reinstallations when stored in the operating system keychain/keystore. Purpose: identify the device for offline queue synchronisation; guarantee idempotency — the server never processes the same operation twice; allow the server to monitor the offline state of each device; record in the audit log which operations were generated by which device. The device_id is associated with the Tenant and the User who registered it. Wede does not share the device_id with third parties. Offline queue data is retained locally on the device until server confirmation. After synchronisation, synced entries may be deleted by the SDK on device. On the server, entries are retained for the plan's retention period (minimum 90 days). The offline queue contains only operational data (action type, GPS coordinates, vertical, priority, timestamp). It does not contain event payloads.
GPS location of team members is collected by the SDK when tracking is active. Tracking is activated by the user (team member) themselves or by the Tenant through Platform configuration. Frequency: online — configurable interval by the Tenant (default: 60 seconds). Offline/SMS — configurable interval by the Tenant (default: 300 seconds). GPS location is used exclusively to: calculate team proximity to the event location (scoring engine); display team positions on the Tenant's dashboard map; optimise the communication channel based on location. Only the Tenant and its authorised users have access to location data. Wede does not share location data with third parties.
Account data: duration of contract + 30 days. Audit log: minimum 5 years (legal and regulatory obligations). Device data (device_id): duration of contract. Synced offline queue: minimum 90 days after sync. GPS location: 30 days after collection. Billing data: 10 years (tax obligation).
Wede does not sell personal data. Sub-processors: - Google Cloud Platform — hosting, database, secrets management — EU (europe-west1, Belgium) - Resend — transactional email delivery — EU - Twilio — SMS delivery (fallback channel) — EU/US (transient data) - Stripe — payment processing — EU/US We may be required to share data with competent authorities in compliance with legal obligations or court orders.
Under the GDPR, data subjects have the right to: access — obtain confirmation whether their data is processed and access a copy; rectification — correct inaccurate or incomplete data; erasure — request deletion of data, subject to legal retention obligations; restriction of processing — in certain circumstances; portability — receive their data in a structured, machine-readable format; objection — object to processing based on legitimate interests. Note: the audit log is immutable by construction (enforced by a database trigger). The right to erasure does not apply to the audit log, due to legal and security obligations. To exercise these rights, contact: privacy@wede.pt
Wede implements appropriate technical and organisational measures to protect personal data: TLS 1.2+ on all communications; passwords stored with bcrypt; secrets managed via GCP Secret Manager; 7-level RBAC with no privilege escalation; JWT with 8-hour expiry and immediate revocation; brute force protection and rate limiting; immutable audit log; data in EU (GCP europe-west1).
The Wede dashboard (app.wede.pt) uses: session cookies — required for authentication (JWT stored in HttpOnly cookie); localStorage — to persist interface preferences (verticals, country). We do not use tracking, advertising or third-party analytics cookies.
Data is processed primarily in the EU (GCP europe-west1). For sub-processors with a US presence (Twilio, Stripe), transfers are made on the basis of Standard Contractual Clauses approved by the European Commission.
This Policy may be updated to reflect legislative changes or changes to the service. Significant changes will be communicated by email with 30 days' notice. The current version is always available at wede.pt/privacy.
If you believe the processing of your data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority: CNPD — Comissao Nacional de Protecao de Dados (cnpd.pt) · geral@cnpd.pt
Privacy: privacy@wede.pt · General: geral@wede.pt · Website: wede.pt