Privacy Policy
Effective date: April 2026
Last updated: April 2026
Data controller: Wollow Inc., a Delaware corporation
1. Introduction
Wollow Inc. ("Wollow," "we," "us," or "our") operates the Wollow platform, a software-as-a-service product that allows customers to deploy and operate autonomous AI agents on dedicated infrastructure. This Privacy Policy describes how we collect, use, disclose, retain, and protect Personal Data, and the rights and choices available to individuals whose data we process.
We have prepared this Privacy Policy to comply with applicable data protection laws including the European Union General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA), the Google API Services User Data Policy, and the Meta Platform Terms and Developer Policies, in each case where applicable to the integrations you choose to enable.
By creating an account, accessing the Wollow platform, or using any of its features, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of it, you must discontinue use of the Service immediately.
2. Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
- Personal Data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on Personal Data, whether automated or manual, including collection, recording, organization, storage, use, disclosure, and erasure.
- Controller means the entity that determines the purposes and means of the Processing of Personal Data.
- Processor means an entity that Processes Personal Data on behalf of a Controller.
- Service means the Wollow platform, including the websites at wollow.ai, app.wollow.ai, api.wollow.ai, and any per-customer subdomains operated under usewollow.com.
- Customer means an individual or organization that has registered for an account with the Service.
- End User means an individual who interacts with an AI agent operated by a Customer through the Service.
- Connected Account means a third-party account (for example, a Google Ads account, a Meta Business account, or a messaging channel) that a Customer has explicitly authorized Wollow to access on their behalf.
3. Scope
This Privacy Policy applies to Personal Data Wollow collects from Customers in the course of providing the Service. It does not apply to:
- Information that Customers themselves collect, store, or process on their own dedicated infrastructure using AI agents they configure (for which Customers act as independent Controllers);
- Information processed by third-party platforms after a Customer authorizes Wollow to interact with them (such platforms remain governed by their own privacy notices);
- Information collected by websites, applications, or services that are not operated by Wollow but may be linked from our properties.
Where Wollow acts as a Processor on behalf of a Customer-Controller, the terms of any applicable Data Processing Addendum take precedence over conflicting terms in this Privacy Policy.
4. Information We Collect
4.1 Information You Provide Directly
When you register for an account or interact with the Service, you provide us with the following categories of Personal Data:
- Identification data: full name, email address, organization name where applicable;
- Authentication credentials: a password that we store only as a salted bcrypt hash, never in plain text;
- Billing data: billing address and tax identifiers required for invoicing. Payment card details are never received or stored by Wollow and are processed exclusively by our PCI-DSS-compliant payment processor;
- Customer support content: messages, attachments, and metadata you send to our support channels;
- Configuration data: non-sensitive choices you set in the Wollow dashboard, such as plan, region, and agent name.
4.2 Information Collected Automatically
When you access the Service, we automatically collect a limited set of technical information necessary to operate, secure, and improve it:
- Device and connection data: IP address, browser type, operating system, language preference, and device identifiers used for session continuity;
- Usage data: timestamps of requests, endpoints accessed, request and response sizes, error codes, and aggregate counters of agent invocations and tool calls. We do not log the content of agent conversations as part of our centralized logging;
- Infrastructure metadata: the IP address, region, and provisioning status of any dedicated server allocated to your account;
- Security telemetry: authentication attempts, suspicious access patterns, and other signals used to detect and prevent fraud or abuse.
4.3 Information from Connected Accounts
When you choose to authorize Wollow to access a Connected Account (for example, by completing an OAuth 2.0 authorization flow with Google, Meta, or another platform), we receive only the minimum data necessary to perform the actions you have requested. The specific categories of data we may receive are determined by the scopes of authorization you grant. We do not request, and we will never use, scopes broader than those required to deliver the features you have explicitly enabled.
A current enumeration of the scopes requested by each integration, together with the specific operations they enable, is maintained by Wollow and is available upon request to privacy@wollow.ai.
5. Information We Do Not Collect
Wollow is architected on a principle of data minimization. The following categories of data are processed exclusively on the Customer's dedicated infrastructure and are never transmitted to, replicated to, or accessible by Wollow's centralized systems:
- The content of conversations between End Users and AI agents you operate;
- Files, documents, and media that AI agents read, write, or otherwise process;
- Agent configuration files that you author, including profile, mission, and routine documents;
- API keys and credentials you provide for use by your agents, which are stored in encrypted form on your dedicated infrastructure only;
- Knowledge bases, vector stores, and any other Customer-supplied content used by your agents.
6. Purposes of Processing and Legal Bases
We Process Personal Data only for the purposes set out below, and only on the legal bases identified for each. Where multiple legal bases apply to the same Processing activity, we rely on the most specific.
| Purpose | Legal basis (GDPR / LGPD) |
|---|---|
| Providing the Service in accordance with our Terms of Service | Performance of a contract |
| Provisioning, monitoring, and maintaining dedicated infrastructure | Performance of a contract |
| Processing payments and issuing invoices | Performance of a contract; legal obligation |
| Sending service notices, security alerts, and policy updates | Legitimate interest; legal obligation |
| Detecting, preventing, and responding to security incidents, fraud, and abuse | Legitimate interest; legal obligation |
| Complying with applicable laws, court orders, and binding requests from public authorities | Legal obligation |
| Enforcing our Terms of Service and protecting our legal rights | Legitimate interest |
| Sending marketing communications about Wollow products and features | Consent (which you may withdraw at any time) |
We do not sell Personal Data. We do not use Personal Data for behavioral advertising. We do not use Personal Data to train machine-learning models intended for general resale.
7. Disclosure of Personal Data
We disclose Personal Data only to the categories of recipients listed below, and only to the extent strictly necessary for the stated purpose. We do not sell, rent, or trade Personal Data to any party for any purpose.
7.1 Service Providers and Sub-Processors
We engage a limited number of vetted vendors to perform functions essential to operating the Service. These vendors act as Processors under our written instructions and are bound by data protection agreements that impose confidentiality, security, and use-limitation obligations. The categories of vendors we engage include:
- Cloud infrastructure providers that host our centralized systems and provision dedicated servers on our Customers' behalf;
- Database, storage, and backup providers that hold account metadata and operational records;
- Payment processors that handle billing, taxation, and financial reconciliation;
- Transactional email and notification providers that deliver service messages;
- Logging, observability, and incident-response providers that help us detect outages and security events;
- Customer support tooling providers.
The current Sub-Processors we engage are listed below and are also published on the canonical Sub-Processors page. We will provide reasonable advance notice by email to Customer administrators of any material change to this list, and Customers may object to a new Sub-Processor for a legitimate data protection reason by contacting privacy@wollow.ai.
| Sub-Processor | Function | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure hosting the dedicated per-Customer servers and centralized control plane. | Germany / Finland (European Union). |
| Hostinger International Ltd. | Secondary cloud infrastructure used for regional deployments, the marketing website (wollow.ai), and the dashboard application (app.wollow.ai). | Lithuania (European Union) / United States / other regions. |
| Supabase, Inc. | Account metadata database (Postgres), authentication, and per-Customer isolated project databases. | United States / European Union (region selected per project). |
| Stripe Payments Europe, Ltd. | Subscription billing, payment processing, tax calculation, and invoicing. | Ireland / United States. |
| Resend, Inc. | Transactional email delivery (account, billing, and security notifications). | United States. |
| Cloudflare, Inc. | DNS, edge TLS termination, DDoS protection, and web application firewall for public-facing endpoints. | Global edge network. |
AI model providers that Customers connect under the BYOK model (including Anthropic PBC, OpenAI OpCo LLC, Google LLC, fal.ai, and Replicate, Inc.) are independent Controllers or Processors engaged directly by the Customer; they are not Wollow Sub-Processors. Their processing is governed by the agreement between the Customer and that provider.
7.2 Connected Third-Party Platforms
When you authorize Wollow to interact with a Connected Account, we transmit data to and receive data from the corresponding platform strictly to perform the actions you have requested. The following two integration families are subject to specific developer policies that govern how we may access and use the data they expose.
Google integrations. When you connect a Google service to Wollow (including Google Ads, Gmail, Google Drive, Google Calendar, or Google Analytics), we access your data exclusively through OAuth 2.0 authorization. We request only the minimum scopes necessary to perform the actions you have explicitly enabled. Wollow's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not sell Google user data, we do not use Google user data to serve advertisements, we do not use Google user data to develop, improve, or train generalized AI or machine-learning models, and we do not allow human beings to read Google user data except (i) with your affirmative consent for specific messages, (ii) when necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) for internal operations where the data has been aggregated and anonymized in accordance with applicable privacy obligations. You may revoke Wollow's access to your Google account at any time by visiting myaccount.google.com/permissions.
Meta integrations. When you connect a Facebook, Instagram, WhatsApp Business, or Meta Ads account to Wollow, we access your data exclusively through Meta's official OAuth flow and Marketing API. We request only the minimum permissions (such as ads_management, ads_read, business_management, or pages_show_list) required to operate the features you have enabled. We comply with the Meta Platform Terms and Developer Policies, do not transfer Meta data to data brokers or to any third party for advertising purposes, and do not retain Meta data longer than necessary to perform the requested operation. You may revoke Wollow's access to your Meta accounts at any time by visiting your Facebook Settings > Apps and Websites.
7.3 Legal Disclosures
We may disclose Personal Data when we believe in good faith that disclosure is necessary to (i) comply with applicable law, regulation, or valid legal process; (ii) respond to lawful requests from public authorities, including to meet national security or law enforcement requirements; (iii) protect the safety, rights, or property of Wollow, our Customers, or the public; or (iv) detect, prevent, or otherwise address fraud, security, or technical issues. Where legally permissible, we will notify the affected Customer of any compelled disclosure.
7.4 Business Transfers
If Wollow is involved in a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or other business transaction, Personal Data may be transferred as part of that transaction. We will require any successor entity to honor the commitments made in this Privacy Policy and we will notify affected Customers in advance where reasonably feasible.
8. International Data Transfers
Wollow is headquartered in the United States, and Personal Data we Process may be transferred to and stored in the United States or in other jurisdictions where we or our Sub-Processors operate. These jurisdictions may have data protection laws that differ from those of your country of residence.
When we transfer Personal Data of individuals located in the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized by the European Commission as providing an adequate level of data protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and supplementary measures where required. A copy of the safeguards we apply is available upon request to privacy@wollow.ai.
9. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. The specific retention periods we apply are summarized below.
| Category of data | Retention period |
|---|---|
| Account identification and credentials | For the lifetime of the account, plus 30 days after closure |
| Billing and tax records | As required by applicable tax and accounting law (typically 7 years) |
| Operational and security logs | 12 months, except where a longer period is necessary to investigate an incident |
| Infrastructure metadata for terminated accounts | 7 days after account termination, then permanently deleted |
| Tokens and credentials issued by Connected Accounts | Until the integration is disconnected or the token expires; revoked within 24 hours of disconnection |
| Support tickets and correspondence | 3 years from the date of last contact |
Upon expiry of the applicable retention period, Personal Data is irreversibly deleted or anonymized so that it can no longer be associated with an identifiable individual. Backup copies are purged on the next scheduled rotation.
10. Information Security
Wollow implements technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include, at minimum:
- Encryption of Personal Data in transit using TLS 1.2 or higher;
- Encryption at rest of sensitive credentials, OAuth tokens, and API keys using authenticated encryption with industry-standard ciphers;
- Per-Customer isolation of dedicated infrastructure, with separate process boundaries, sandboxed execution environments, and isolated browser profiles;
- Role-based access controls, least-privilege principles, and mandatory multi-factor authentication for all personnel with access to production systems;
- Comprehensive audit logging of administrative actions, with logs retained for forensic analysis;
- Regular security reviews, dependency scanning, and prompt remediation of identified vulnerabilities;
- An incident response plan that includes notification of affected Customers and applicable regulators within the timeframes required by law.
No method of transmission over the internet or method of electronic storage is one hundred percent secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee absolute security. You are responsible for safeguarding the credentials used to access your Wollow account.
11. Your Rights
Subject to applicable law and to verification of your identity, you may exercise the following rights with respect to your Personal Data:
- Right of access — request confirmation of whether we Process your Personal Data and obtain a copy of it;
- Right to rectification — request correction of inaccurate or incomplete Personal Data;
- Right to erasure — request deletion of your Personal Data, subject to lawful exceptions;
- Right to restriction of Processing — request that we limit the use of your Personal Data in defined circumstances;
- Right to data portability — receive your Personal Data in a structured, commonly used, machine-readable format;
- Right to object — object to Processing based on legitimate interest, including profiling;
- Right to withdraw consent — where Processing is based on consent, withdraw it at any time without affecting the lawfulness of Processing carried out before withdrawal;
- Right to lodge a complaint — file a complaint with your local data protection supervisory authority.
To exercise any of these rights, contact us at privacy@wollow.ai. We will respond within the timeframe required by applicable law (typically 30 days). We may request additional information necessary to verify your identity before fulfilling your request.
12. Revoking Third-Party Access
You may revoke Wollow's access to any Connected Account at any time. Revoking access does not delete your Wollow account or any data we hold about you under this Policy. For full data deletion instructions, see our Data Deletion page.
- From within Wollow: open the relevant integration page in the Wollow dashboard and select "Disconnect". Wollow will revoke its tokens and stop accessing the Connected Account within 24 hours.
- For Google integrations: visit myaccount.google.com/permissions, locate Wollow, and select "Remove Access".
- For Meta integrations: visit Facebook Settings > Apps and Websites, locate Wollow, and remove the integration.
- For other connected services: follow the revocation procedure published by the respective platform.
13. Cookies and Similar Technologies
Wollow uses only cookies and similar technologies that are strictly necessary to operate the Service. Strictly necessary cookies are exempt from prior consent requirements under most data protection laws because they are essential to deliver the functionality you have explicitly requested.
The strictly necessary categories we use include:
- Authentication and session management cookies that keep you signed in across pages;
- Cross-site request forgery protection tokens;
- Load balancer affinity cookies that route your requests consistently.
We do not use advertising cookies, tracking pixels, third-party analytics that profile individual visitors, or any technology that builds a behavioral profile of you across sites or applications.
14. Region-Specific Disclosures
14.1 European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, the UK, or Switzerland, the Controller of your Personal Data is Wollow Inc. The legal bases on which we rely are described in Section 6. You have the rights described in Section 11 and may lodge a complaint with the supervisory authority of your country of residence, place of work, or the place of the alleged infringement. You may contact us at privacy@wollow.ai for any data protection inquiry.
14.2 Brazil (LGPD)
If you are located in Brazil, you have the rights granted by the Lei Geral de Proteção de Dados (Federal Law No. 13.709/2018), including the rights of access, correction, anonymization, blocking or deletion, portability, information about sharing, and revocation of consent. To exercise these rights, contact us at privacy@wollow.ai. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).
14.3 California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, grants you the following rights:
- Right to know what categories of Personal Information we collect, the sources of that information, the purposes for collecting it, and the categories of third parties with whom we share it;
- Right to delete Personal Information we have collected from you, subject to statutory exceptions;
- Right to correct inaccurate Personal Information;
- Right to opt out of the sale or sharing of Personal Information for cross-context behavioral advertising;
- Right to limit the use and disclosure of Sensitive Personal Information;
- Right to non-discrimination for exercising your privacy rights.
Wollow does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising. We do not use Sensitive Personal Information for any purpose other than those permitted under California Civil Code section 1798.121(a). To exercise your California privacy rights, contact us at privacy@wollow.ai.
15. Children's Privacy
The Service is not directed to children under the age of sixteen, and we do not knowingly collect Personal Data from children. If we learn that we have collected Personal Data from a child without verified parental consent, we will delete that information promptly. If you believe that a child has provided us with Personal Data, please contact us at privacy@wollow.ai.
16. Automated Decision-Making
Wollow does not make decisions producing legal effects concerning you, or similarly significantly affecting you, that are based solely on automated Processing within the meaning of Article 22 GDPR. Any account-level decisions that materially affect a Customer (such as account suspension for terms violations) are reviewed by qualified personnel before they are applied.
17. Third-Party Links
The Service may contain links to websites, applications, or services that are not operated by Wollow. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party service before providing them with Personal Data.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will provide notice by email or by prominent notice on the Service at least fourteen (14) days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy. The "Last updated" date at the top of this Policy reflects the date of the most recent revision. We maintain prior versions of this Policy and will provide them upon request.
19. How to Contact Us
For any privacy-related question, request, or complaint:
Email: privacy@wollow.ai
Postal address: Wollow Inc., a Delaware corporation. Our registered office address is available on request to privacy@wollow.ai.