Privacy Policy

TheWiFy ("we", "us", "our") provides a cloud-managed guest Wi-Fi platform optimised for MikroTik routers. This Privacy Policy explains how we collect, use, store, and share personal data when you visit our website, use our services, or interact with captive portals powered by TheWiFy. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and applicable data protection laws.

1. Data controller

The data controller for personal data collected through this website and TheWiFy platform is:

Where TheWiFy processes guest WiFi data on behalf of a venue owner or MSP, the venue owner/MSP is the data controller and TheWiFy acts as a data processor under Article 28 GDPR.

2. Information we collect

Website visitors

• Business contact details: name, email, phone number, company name, and number of locations (via contact and demo request forms)
• Email address (via newsletter subscription)
• Technical data: IP address, browser type, device information, pages visited
• Cookie data (see our Cookie Policy)

WiFi guests (processed on behalf of venue owners)

• Authentication data: name, email, phone number (depending on login method chosen)
• Social profile data: information shared via Facebook, Google, or Instagram OAuth (with explicit consent)
• Session data: device MAC address, IP address, connection timestamps, session duration, data usage
• Portal interactions: login method selected, consent choices, marketing opt-in status
• Voucher/payment data: purchase records processed via Stripe (we do not store card details)

3. Lawful basis for processing

We process personal data under the following lawful bases (Article 6 GDPR):

• Consent (Art. 6(1)(a)): Marketing communications, analytics cookies, social login data capture. You can withdraw consent at any time.
• Contract performance (Art. 6(1)(b)): Processing necessary to provide our WiFi management services, process demo requests, and manage your account.
• Legitimate interests (Art. 6(1)(f)): Website security, fraud prevention, service improvement, and aggregated analytics. We balance our interests against your rights and freedoms.
• Legal obligation (Art. 6(1)(c)): Compliance with applicable laws, regulations, and lawful requests from authorities.

4. How we use information

• Provide, secure, and improve the TheWiFy platform and services
• Authenticate guest WiFi access and enforce network policies via FreeRADIUS
• Generate analytics and insights for venue owners and MSPs
• Process demo requests and respond to enquiries
• Send service updates and, where consented, marketing communications
• Process payments for WiFi vouchers via Stripe
• Detect and prevent fraud, abuse, and security threats

5. How we share information

• Venue owners and MSPs: Guest WiFi data is shared with the venue owner or MSP who manages the network (as they are the data controller for their guests).
• Sub-processors: A full list, with purpose, data categories, and processing location for each vendor, is published at /privacy/sub-processors. All sub-processors are bound by data processing agreements.
• Legal authorities: When required by law, court order, or to protect our rights and safety.

We do not sell personal data to third parties.

6. International data transfers

Our primary infrastructure is hosted on Google Cloud Platform. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data processing agreements with all sub-processors

7. Data retention

• Contact form submissions: Retained for up to 24 months from last interaction, then deleted or anonymised.
• Newsletter subscriptions: Retained until you unsubscribe.
• Guest WiFi session data: Retained for up to 12 months as configured by the venue owner, then automatically purged.
• Authentication logs: Retained for up to 12 months for security and compliance audit trails.
• Payment records: Retained as required by applicable tax and accounting laws (typically 7 years).

You can request earlier deletion subject to legal and contractual obligations.

8. Data security

We implement appropriate technical and organisational measures to protect personal data, including:

• AES-256-GCM encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Row-level tenant isolation in our multi-tenant database
• Role-based access control (RBAC) for platform administrators
• Regular security audits and vulnerability assessments
• Automated health monitoring and incident response procedures

9. Your rights under GDPR

If you are in the EEA or UK, you have the following rights under Articles 15–22 of the GDPR:

• Right of access (Art. 15): Request a copy of your personal data.
• Right to rectification (Art. 16): Correct inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten").
• Right to restriction (Art. 18): Restrict processing of your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests or direct marketing.
• Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: File a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at privacy@thewify.com. We will respond within 30 days.

WiFi guests: If you connected to a WiFi network powered by TheWiFy, please contact the venue or business that operates the network first, as they are the data controller for your session data. They can direct requests to us as their data processor.

10. Cookies

We use cookies and similar technologies on our website. For full details on the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

11. Children's privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via our website or email. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact & Data Protection Officer

For privacy-related enquiries or to exercise your data subject rights: