Legal
Privacy policy.
Last updated · May 16, 2026
Wabiro Inc. (“Wabiro,” “we,” “our”) operates wabiro.com and the audit application available at the same domain. This policy explains what we collect, why we collect it, how long we keep it, and the choices you have. It is written in plain English; the binding legal terms are in the Terms of Service.
1. What we collect
Account data. When you sign up we collect your email address, a password hash, your name, and the organization name you choose. This data is held by our identity provider, Supabase Auth.
Audit data. CSVs that you upload to Wabiro typically include vendor names, license SKUs, license costs, employee email addresses, employee names, login timestamps, and license status. We treat this as customer-controlled data: we process it on your behalf, we do not sell it, and we do not use it to train models.
Billing data. If you subscribe, Stripe collects your payment method, billing address, and any tax identifiers. Wabiro stores the Stripe customer ID, subscription state, and plan tier; we never see your card number.
Operational data. We log API requests, error events, and an audit trail of uploads, analyses, exports, and report views. This is used to operate the service, investigate incidents, and produce the in-app activity log you can see at /settings/organization.
2. How we use it
- To run the deterministic audit rules engine on the data you upload.
- To generate the savings report, findings table, and CSV exports.
- To authenticate you, gate billing-only features, and prevent abuse.
- To send transactional email — sign-up confirmation, password reset, billing receipts, and audit-related notifications. We do not send marketing email unless you explicitly opt in.
- To diagnose errors and improve reliability of the service.
We do not use your data to train machine-learning models. The rules engine is deterministic.
3. Subprocessors
We use the following third-party services to run Wabiro. Each is contractually bound by data-processing terms equivalent to ours.
- Supabase — Postgres database, authentication, and private object storage. Region: US (configurable on request).
- Vercel — application hosting, edge network, and serverless compute.
- Stripe — payment processing, subscriptions, and tax calculation.
- Sentry — server-side error reporting. Only error context (no CSV row contents) is sent.
We notify customers in writing before adding a new subprocessor that handles customer data.
4. Where data is stored
All customer data is stored in US-region infrastructure unless we agree otherwise with you in writing. Database rows are encrypted at rest and tenant-isolated via Postgres Row-Level Security — a query running with one customer’s session cannot read another customer’s rows. Object storage uses per-tenant path prefixes enforced by the same RLS policies.
5. How long we keep it
- Audit data (CSVs, findings, vendors): retained for the life of your account.
- Audit logs: retained for 24 months, then aggregated.
- Billing records: retained for 7 years, as required by US tax regulations.
- Backups: encrypted snapshots are retained for 30 days.
When you delete your workspace (see section 7), all of the above except billing records is purged from production systems within 24 hours and from backups within 30 days.
6. Sharing and disclosure
We do not sell your data. We disclose data only:
- To the subprocessors listed in section 3, to operate the service.
- To you, the customer, via the application and CSV exports.
- When required by valid legal process. If we receive a subpoena or court order covering your data, we will notify you unless legally prohibited from doing so.
- In the event of a corporate transaction (merger, acquisition, asset sale), with continuity of these privacy commitments.
7. Your rights
You can exercise the following rights at any time directly in the product:
- Access — every row of data we hold is visible in the application or available via CSV export from the findings page.
- Correction — re-upload CSVs to update vendor and license data; edit organization details under /settings/organization.
- Deletion (GDPR Art. 17 / CCPA § 1798.105) — go to /settings/organization → Danger zone to permanently delete your workspace, every audit, every file, your account, and cancel any active subscription. This is immediate, irreversible, and free.
- Portability — CSV export of findings is available on every audit; raw vendor and user data is exportable on request to privacy@wabiro.com.
- Objection — if you object to a specific processing activity, contact us at privacy@wabiro.com.
Where Wabiro acts as a data processor (e.g., processing employee records on behalf of your company), we route requests from data subjects to you, the data controller, within 5 business days.
8. Cookies
Wabiro uses strictly-necessary cookies for authentication (Supabase session) and for CSRF protection during checkout. We do not use advertising, analytics, or cross-site tracking cookies. No consent banner is required because no non-essential cookies are set.
9. Children
Wabiro is a B2B product. We do not knowingly collect data from individuals under 16, and the service is not directed to children.
10. Changes to this policy
We will post material changes here at least 30 days before they take effect. If you are a paying customer we will also email the address on file.
11. Contact
Privacy questions, data-subject requests, or security disclosures: privacy@wabiro.com. General support: support@wabiro.com.