WhereTheyTalk Privacy Policy

Last Updated: June 21, 2025

Who we are

WhereTheyTalk (the "Service") is a B2B SaaS platform operated by Perjan Professional Product Partners FlexKapG, an Austrian company. We are committed to protecting your privacy and handling your personal data in compliance with the EU General Data Protection Regulation (GDPR). For the purposes of GDPR, Perjan Professional Product Partners FlexKapG (Heiligenstädter Lände 29/2. OG, 1190 Vienna, Austria) is the data controller. If you have any questions or requests regarding your personal data, you can contact us at privacy@wheretheytalk.com.

Personal Data We Collect and Why

We collect various types of personal data when you use WhereTheyTalk. We only collect what is necessary for the purposes described in this Policy. Below is an overview of the data we collect, why we collect it, and the legal basis for processing:

Account Information

When you register, we collect your email address and a password (handled via Supabase Auth) and any other details you provide (such as name or organization). Purpose: To create and manage your user account, authenticate you, and provide our services. Legal Basis: Performance of a contract – we need this data to provide the Service you signed up for (GDPR Art. 6(1)(b)).

Contact and Support Data

If you join a waitlist, subscribe to updates, or contact us for support, we collect your email and any information you choose to provide in your request. Purpose: To communicate with you, send you service-related emails (e.g. confirmations, updates), and respond to inquiries. Legal Basis: Your consent (for waitlist/newsletter sign-ups) or our legitimate interest in providing customer support (GDPR Art. 6(1)(a) or 6(1)(f), as applicable).

Service Usage Data

When you use WhereTheyTalk, we collect data about your interactions with the platform. This includes features you use, search queries or keywords you monitor, and logs of user actions. Purpose: To operate and personalize the Service (e.g. show relevant results), to maintain security, and to improve the platform's features. Legal Basis: Performance of contract (for providing core service features) and legitimate interests (to secure and enhance the Service) – GDPR Art. 6(1)(b) and 6(1)(f).

Analytics Data

We use analytics tools (PostHog) to automatically collect technical information about your device and usage when you interact with our web app. This may include your IP address (which we may anonymize), browser type, pages viewed, and click events. Purpose: To understand user behavior, debug issues, and improve our product's usability. Legal Basis: Your consent, which we obtain via our cookie banner (GDPR Art. 6(1)(a)). We do not run analytics unless you have allowed analytics cookies.

Cookies and Similar Technologies

We use cookies to remember your session and preferences, and to collect analytics (with consent). Purpose: Some cookies are strictly necessary for the Service to function (for example, the authentication cookie that keeps you logged in). Other cookies (like those for analytics) are optional and used only if you consent, in order to help us improve the product. Legal Basis: For necessary cookies, our legitimate interest in providing a functioning service (these do not require consent under ePrivacy laws as they are essential). For analytics cookies, consent (GDPR Art. 6(1)(a)). (See Cookies section below for more detail.)

We do not collect any sensitive personal data such as racial or ethnic origin, political opinions, health information, or similar categories of sensitive data. We also do not intentionally collect any personal data from children – the Service is intended for business use by adults.

Cookies and Tracking Technologies

Cookies: A cookie is a small text file placed on your device. WhereTheyTalk uses two types of cookies: essential cookies and analytics cookies. Essential cookies are necessary for the website and application to operate. For example, when you log in, a secure session cookie is set to keep you authenticated; this cookie is required for you to use the platform (it's considered a "strictly necessary" cookie under GDPR, as it enables core functionality). Because of this, we do not provide an option to reject essential cookies – if you disable them, the Service will not work (you would not be able to log in or use most features).

We also use an analytics cookie (set by PostHog) to gather usage statistics only if you give consent. This cookie helps us track how you navigate the app (pages visited, actions taken) so we can improve user experience. If you decline or ignore the analytics consent, no analytics cookies will be stored, and we will not collect analytical data from your visit.

Cookie Banner & Preferences: When you first visit our site, you will see a cookie consent banner. You can choose to Accept or Decline analytics cookies. You can also customize your preference at any time later. A "Cookie Preferences" link is provided (for example, in the footer of our site or via the banner) to let you adjust your settings at any time. Through this link, you can withdraw consent for analytics cookies or grant it if you previously declined. We do not use cookies for advertising or third-party marketing.

Automatic Cookie Acceptance: Using WhereTheyTalk's core functionality requires both essential and analytics cookies. Therefore, when you create an account (sign up) or log into your existing account, you automatically consent to all cookies, including analytics cookies. This automatic acceptance is necessary because authenticated users need analytics functionality for the service to operate properly (such as tracking your usage patterns to provide personalized features and improve your experience). If you do not wish to accept analytics cookies, you can browse our public website but will not be able to use the full WhereTheyTalk platform.

How We Use Personal Data (Purposes and Legal Bases)

We process personal data strictly for the following purposes, in accordance with GDPR principles:

Providing the Service

We use account and profile data to create your account, authenticate you, and enable you to use WhereTheyTalk's core features. This processing is necessary to perform our contract with you as a user of the Service (Art. 6(1)(b) GDPR). Without this information, we can't provide you with an account or the Service functionality.

Communication

We use your email to send critical notifications (for example, email verification, password reset, essential product updates, or administrative messages). The legal basis is contract necessity (to provide support and inform you of issues with the Service) and/or our legitimate interests in ensuring effective customer service (Art. 6(1)(f) GDPR). If you signed up to our waitlist or newsletter, we send you updates based on your consent (Art. 6(1)(a)); you can unsubscribe any time.

Analytics and Product Improvement

If you consent, we use analytics data (via PostHog) to understand how our users engage with features. This helps us identify trends or problems and improve the platform. The legal basis for analytics is consent (Art. 6(1)(a)), as indicated by your choice on the cookie banner. You can withdraw consent at any time via the cookie settings, and we will stop collecting your analytics data. We ensure that any analytics data we collect is pseudonymized and does not directly identify you (PostHog can be configured to avoid capturing personally identifiable information).

Security and Abuse Prevention

We may process certain data (like IP addresses, log-ins, and user activity logs) to maintain the security of our service, troubleshoot access issues, and prevent misuse of the platform. The legal basis for this is our legitimate interest (Art. 6(1)(f)) in protecting our Service and users, as well as compliance with legal obligations related to security. For example, we might log IP addresses to detect multiple failed login attempts (to guard against fraud or hacking).

Legal Compliance

In rare cases, we may need to process or retain personal data to comply with a legal obligation, such as a law enforcement request or tax/legal record-keeping requirements (Art. 6(1)(c) GDPR). We only do so when required by law and will inform you if permitted.

If we need to process your data for a new purpose that is incompatible with the above, we will seek your consent or provide a relevant legal justification and inform you accordingly.

Third-Party Service Providers

WhereTheyTalk relies on a few trusted third-party services (processors) to operate our platform. We carefully select these providers and ensure they are GDPR-compliant and bound by data protection agreements. We do not sell or trade your personal information to third parties. The third-party services we use, and what they do, are listed below:

Supabase (Supabase Inc.)

We use Supabase as our cloud database and authentication provider. Supabase stores all the data that backs our Service – this includes your account information (email and hashed password), content you generate within the app (like saved searches or settings), and other metadata. Supabase also provides the authentication cookies and session management for logging you in. Our Supabase database is hosted in an EU data center (for example, in eu-west-1) to keep data within Europe. Supabase, as a company, is based in the U.S., but we have signed their Data Processing Addendum (DPA) to ensure GDPR compliance. This means Supabase is contractually bound to protect your data, and if any transfer of data to the U.S. occurs (for maintenance or support), it will be under EU Standard Contractual Clauses or equivalent safeguards.

PostHog (PostHog, Inc.)

We use PostHog for product analytics. PostHog helps us understand how users navigate our application (e.g., which features are most used). We have configured PostHog in a privacy-friendly manner: we do not send it any personal identifiers like your name or email, and we respect the cookie consent (PostHog only runs if you've agreed to analytics). We have opted to use PostHog's EU cloud infrastructure whenever possible, meaning analytics data is stored on servers in Frankfurt, Germany. PostHog is GDPR-compliant and offers features to anonymize data. If PostHog data is ever processed outside the EU, it will be protected via Standard Contractual Clauses. You can opt out of PostHog analytics at any time through the cookie settings, as noted above.

Mailjet (Pathwire/Sinch)

We use Mailjet to send out transactional emails and other communications (for example, verification emails, password reset emails, or any email notifications you opt into). When we send you an email, your email address and the email content go through Mailjet's platform. Mailjet is an email service based in the EU (France) and stores data on servers in the European Union (in Frankfurt, Germany and Saint-Ghislain, Belgium). Mailjet is fully GDPR-compliant and does not access or use your email data except as needed to send messages on our behalf. We have a DPA in place with Mailjet as well. According to Mailjet, your contact lists and personal data remain confidential and are not disclosed to third parties.

We may also use other processors for ancillary services (for example, web hosting or backup services), but those would similarly be subject to GDPR-compliant contracts. We ensure that all third-party processors only process your data for the specific purposes we've defined (e.g. sending emails, providing infrastructure or analytics) and not for their own purposes.

Data Sharing and International Transfers

No selling of data

We do not sell, rent, or exchange your personal data with any third party for marketing or any other purposes. The only instances where we share your data are with the service providers listed above, and each of those is acting on our instructions (as "data processors") to support our Service delivery.

Legal disclosures

We might have to share personal data if required by law or lawful requests by public authorities (e.g., to comply with a court order or regulatory requirement). In such cases, we will only share the minimum data necessary and, if possible, inform you of the request.

Business transfers

If in the future WhereTheyTalk or Perjan Professional Product Partners FlexKapG undergoes a business transaction (such as a merger, acquisition, or asset sale), user data could be transferred to a successor or new owner. If that happens, we will ensure the new owner has to respect the same privacy commitments described in this policy, and we will notify you of any change in data control.

International data transfers

Our primary operations are based in Austria, and we aim to store personal data in the European Union whenever feasible. For instance, as noted, our databases and email servers are EU-hosted. However, some of our service providers are companies located outside the EU (e.g., Supabase and PostHog are headquartered in the United States). This means personal data may be accessed or processed in countries outside the European Economic Area (EEA).

Whenever we transfer or allow access to your personal data outside the EEA, we take appropriate safeguards to ensure it remains protected. These safeguards include: (1) ensuring the recipient is in a country with an EU adequacy decision (if applicable), or more typically, (2) signing the European Commission's Standard Contractual Clauses (SCCs) with the non-EU service provider, which contractually require them to protect your data to EU standards. We also rely on measures like data encryption and pseudonymization where possible when transferring data.

For example, Supabase and PostHog are both subject to SCCs and robust encryption protocols in transit and at rest. PostHog additionally allows EU-only event storage which we utilize. Mailjet's data stays in the EU, so no cross-border transfer is involved in that case.

If you'd like more information about our international data transfer safeguards, feel free to contact us (see the Contact Us section below). We will happily provide you with further details, such as copies of relevant contractual clauses upon request.

Data Retention

We keep your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law. The retention periods can vary depending on the type of data and the purpose of processing:

Account Data

We retain your account information (like your email and profile info) for as long as you maintain an account with us. If you delete your account or request deletion, we will remove or anonymize your personal data within a reasonable timeframe (unless we are required to keep it for legal reasons – see below). Backup copies of data might persist for a short period (due to routine backup and archiving), but will be overwritten or destroyed in the normal course of business.

Waitlist/Newsletter Data

If you provided your email for a waitlist or newsletter and you haven't created a full account yet, we retain that information until we have sent you an invitation or relevant updates. If you choose not to join and ask for deletion, or if our invite email bounces, we may remove your email from our records. You can also unsubscribe from newsletters at any time, and we will stop sending and delete or suppress your contact info accordingly.

Analytics Data

Analytics information collected via PostHog is retained for internal analysis. We typically retain granular analytics data for a limited period (e.g. 12-14 months) and may retain aggregated, non-identifiable data for longer to spot long-term trends. If you withdraw consent for analytics, no new analytics data will be collected, and we will stop processing your previously collected analytics data (we may continue to use aggregate statistics that no longer identify any individual).

Logs and Security Data

Server logs, which may include IP addresses and usage logs for security, are generally retained for a short period (a few weeks up to a few months) unless we need to keep them longer to investigate specific incidents (for example, a security breach). We remove or anonymize logs when they are no longer needed for security or analysis.

Legal Obligations

In some cases, we might need to retain certain data for a longer period if required by law. For example, if you made any purchases or there are financial records, we might keep billing records for accounting and tax purposes for the duration required by Austrian law. Also, if a dispute arises or we receive a legal request, we would preserve relevant data until the issue is resolved.

After the applicable retention period has elapsed, we will either delete your personal data or anonymize it so it can no longer be associated with you. Data deletion is irreversible – when we delete your data from the production database, we also aim to purge it from our backups and archives within a reasonable period.

Your Rights Under GDPR

As an individual in the European Union (or other regions with similar laws), you have certain rights regarding your personal data. WhereTheyTalk is committed to upholding these rights. You have the right to:

Access Your Data

You can request a copy of the personal data we hold about you, and information about how we process it. This is often called a Subject Access Request. We will provide you with a summary of your data, and we typically do so within one month of your request.

Rectification

If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if you change email addresses or notice an error in your profile information, you can update it in your account settings or ask us to update it.

Erasure (Right to be Forgotten)

You may request that we delete your personal data. If you no longer want to use WhereTheyTalk, you can delete your account via the settings (where available) or contact us to request deletion. We will then erase your personal data from our systems, provided we don't have a legitimate reason to keep it (such as a legal obligation or a compelling legitimate interest).

Restriction of Processing

You can ask us to restrict (temporarily halt) the processing of your data in certain circumstances – for instance, if you contest the accuracy of data or have objected to processing and we are evaluating that request. When processing is restricted, we will still store your data but not use it until the issue is resolved.

Data Portability

You have the right to obtain your personal data that you provided to us in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller. In practice, if you request it, we can export data such as your account details and any content you've contributed in a CSV or similar format for you.

Object to Processing

You have the right to object to our processing of your data in certain scenarios. In particular, you can object to processing that we base on legitimate interests (Art. 6(1)(f)), such as any direct marketing or certain analytics. If you lodge an objection, we will evaluate whether our legitimate grounds override your privacy rights. If they do not, we will stop the processing in question. You also have an absolute right to object to any direct marketing use of your data (currently, we do not use your data for third-party marketing, and any product-related emails are sent based on either contract necessity or your opt-in consent).

Withdraw Consent

Where we rely on your consent to process data (e.g., for optional analytics or for sending a newsletter), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the legality of any processing done before the withdrawal, but it means we will stop the specific processing going forward. For example, you can turn off analytics cookies, and we will stop collecting analytics data about you; or you can unsubscribe from our newsletter, and we will stop emailing you.

Not be subject to Automated Decisions

We do not make any legal or similarly significant decisions about you using purely automated processing (like profiling algorithms). If that ever changes, you would have rights related to such automated decision-making (including the right to human intervention).

Lodge a Complaint

If you believe we have infringed your data protection rights, you have the right to file a complaint with a supervisory authority, particularly in the EU country where you live or work, or where the issue occurred. For example, in Austria the supervisory authority is the Österreichische Datenschutzbehörde. We encourage you to contact us first so we can address your concerns directly, but you are free to reach out to the authorities at any time.

These rights are core to GDPR and we respect them fully. To exercise any of your rights, please contact us at privacy@wheretheytalk.com with your request. We may need to verify your identity before fulfilling certain requests (to ensure we don't disclose your data to someone else). Typically, we will respond to requests within one month. There is no fee for making a request, though in rare cases if a request is manifestly unfounded or excessive, GDPR allows us to charge a reasonable fee or refuse the request (we will explain the reasons in such cases).

Data Security

We take security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include technical safeguards and organizational policies:

  • All network communications to and from WhereTheyTalk are encrypted using HTTPS (TLS) to prevent eavesdropping.
  • Personal data (including your passwords) is stored securely in our Supabase database with encryption at rest. (Passwords are salted and hashed; we never store them in plaintext.)
  • Access to personal data is restricted on a need-to-know basis. Our team members and contractors will only access your data to the extent necessary for operating the Service or assisting you, and all are bound by confidentiality obligations.
  • We keep our software and infrastructure up to date with security patches. We also monitor for any suspicious activity or vulnerabilities.
  • Our third-party providers (Supabase, PostHog, Mailjet) are all chosen in part for their strong security practices. For example, Mailjet implements high security standards and redundancy to protect data, and Supabase is built on top of reputable cloud infrastructure. We have reviewed their security documentation to ensure they meet our requirements.

Despite our efforts, no system can be 100% secure. We therefore also have a data breach response plan. In the unlikely event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by law (GDPR Art. 33/34 mandates notification within 72 hours in case of certain breaches).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Service or legal requirements. If we make substantial changes, we will notify users by email or by posting a prominent notice on our site before the change becomes effective. The "Last Updated" date at the top of this Policy indicates when the latest changes were made. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

If we update the Policy, we will not reduce your rights under this Policy without your explicit consent. Any changes will be effective when posted on this page or as communicated otherwise. Your continued use of WhereTheyTalk after an update signifies your acceptance of the revised Policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:

Perjan Professional Product Partners FlexKapG (WhereTheyTalk)

Email: privacy@wheretheytalk.com

Mailing Address: Heiligenstädter Lände 29/2. OG, 1190 Vienna, Austria

We will be happy to assist you with any queries or issues. Your privacy is important to us, and we are committed to resolving any questions to your satisfaction.

By using WhereTheyTalk, you acknowledge that you have read and understood this Privacy Policy.