Legal
Privacy Policy
This Privacy Policy explains how WBSync handles personal data. It is the public distillation of our internal Record of Processing Activities; if they ever diverge, we will fix the divergence.
1. Who we are
WBSync Ltd ("WBSync", "we", "us") is a private company limited by
shares registered in the Republic of Ireland (CRO no. 817394), registered office
Irishtown, Ardee, Co. Louth, Ireland. We operate the WBSync platform at
app.wb-sync.com for tracking construction labour and productivity.
For questions about this policy or your personal data, contact our privacy contact:
dpo@wb-sync.com (post: WBSync Ltd, Irishtown, Ardee, Co. Louth, Ireland).
We are not required to appoint a statutory Data Protection Officer under Article 37(1) GDPR; Mark Roddy (Founder) is our acting privacy contact.
2. Controller vs processor — which hat we wear
WBSync handles personal data in two distinct roles:
- We are the controller for data about our own business: prospects and marketing-site visitors, the account holders and administrators of our customers, billing data, support interactions, and security/operational telemetry.
- We are a processor for the operational data our customers load into the workspace about their own workforce (labour entries, clock events, site diaries, claims, notes, photos). For that data the customer is the controller and their privacy notice and instructions govern. Our processing on their behalf is set out in our Data Processing Agreement.
This policy describes mainly our controller activities. If you are a worker whose hours appear in WBSync, your employer (our customer) is the controller — contact them about your data; we will support them in responding.
3. What we collect, why, and our lawful basis (controller)
| Data | Examples | Why | Lawful basis (Art. 6) |
|---|---|---|---|
| Account & identity | Name, work email, password hash, company, role | Create and secure your account; operate the contract | Contract (6(1)(b)) |
| Billing | Billing contact, billing address, VAT number, payment-method token, invoice history | Take payment; meet tax/accounting duties | Contract; Legal obligation (6(1)(c)) |
| Usage & device | Log-in events, IP address, pages used, device/browser, audit logs | Security, troubleshooting, service improvement | Legitimate interests (6(1)(f)) |
| Support | Emails, messages, call notes | Provide support | Contract; Legitimate interests |
| Marketing & prospects | Name, work email, company, demo bookings, marketing-site analytics | Sell and market the service to businesses | Consent (6(1)(a)) where required; otherwise Legitimate interests |
We do not sell your personal data, and we do not use Customer Data for advertising or to train AI models.
Special-category data. We do not intend to collect special-category data. Free-text fields in the product (e.g. diary safety observations) could incidentally contain it; our guidance to customers is never to enter health, racial/ethnic, trade-union or other Article 9 data into free-text fields.
4. Cookies and similar technologies
We use only strictly necessary cookies to run the app (your login session and security/anti-forgery tokens) and browser local storage for offline support and your own interface preferences. We do not currently use analytics, advertising, or cross-site tracking cookies, so no cookie-consent banner is shown. See the Cookie Policy for the full list. If we introduce any non-essential cookie in future, we will obtain consent before setting it.
5. Who we share data with (subprocessors and recipients)
We share personal data only with vetted service providers under contract, and with authorities where legally required. Our current subprocessors are published and kept current at our subprocessor page, and include:
- Railway — EU (Frankfurt) cloud hosting, managed database and cache.
- Stripe Payments Europe, Ltd. — subscription billing, payments, VAT, customer portal.
- Resend — transactional email delivery.
We give customers 30 days' notice before adding or materially changing a subprocessor, as described on that page.
6. International transfers
Customer Data is hosted in the EU (Frankfurt). Some controller-level processing (billing, email) may involve transfers to the United States. Where data leaves the EEA, we rely on appropriate safeguards — the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses (2021/914) — as detailed on the subprocessor page. You can ask us for a copy of the relevant safeguards.
7. How long we keep data
We keep personal data only as long as needed for the purpose collected:
- Account data — for the life of the account and a short period after, then deleted or anonymised.
- Account deletion — when you delete your account, we suspend it immediately and hard-anonymise after a 30-day reversible grace period; residual copies expire from encrypted backups within the backup-retention window (currently up to 120 days).
- Billing/tax records — retained as long as required by Irish tax and company law (typically six years).
- Marketing data — until you opt out or after a period of inactivity.
Customer Data retention (processor role) is governed by the customer's instructions and the DPA.
8. Your rights
Subject to GDPR, you have the right to access, rectify, erase, restrict, port, and
object to processing of your personal data, and to withdraw consent at any time
where processing is based on consent. To exercise these rights as a WBSync account
holder, email dpo@wb-sync.com; the Service also provides self-service data
export and account deletion. We respond within one month (extendable by up to two
further months for complex requests, of which we will tell you).
If you are a worker whose data is in a customer's workspace, please contact that customer (the controller); we will assist them.
You also have the right to complain to a supervisory authority. Our lead authority is
the Data Protection Commission (Ireland) — www.dataprotection.ie. You may also
complain to the authority where you live or work (e.g. the UK ICO).
9. Security
We apply technical and organisational measures including: EU data residency, AES-256 encryption at rest and TLS in transit, strict per-tenant data isolation, role-based access control with audit logging, rate limiting and abuse protection, encrypted backups with integrity verification, error monitoring with PII scrubbing, and access limited to the founder(s) on managed infrastructure. We maintain a breach-response runbook and will notify affected parties and the DPC as required by Articles 33–34 GDPR. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Children
The Service is a business tool not directed at children and is not intended for use by anyone under 16. We do not knowingly collect data from children.
11. Changes to this policy
We may update this policy. Material changes will be notified (email to billing contacts and/or in-app notice). The current version, with its effective date, is always on this page.
12. Contact
Privacy contact: dpo@wb-sync.com
WBSync Ltd, Irishtown, Ardee, Co. Louth, Ireland (CRO no. 817394)
Lead supervisory authority: Data Protection Commission, Ireland — info@dataprotection.ie
Privacy Policy · Version 1.0 · Effective 8 June 2026 · WBSync Ltd, Irishtown, Ardee, Co. Louth, Ireland · CRO no. 817394