01 Who we are
Wherebly is a small independent publication about local food and neighbourhood places. We're run by a 16-person team out of a shared office in Lisbon, Portugal, with a tiny satellite in Berlin. The company name on our paperwork is Wherebly Lda., registered at Rua do Loreto 15, 1200-241 Lisbon.
When this policy says "we," "us," or "Wherebly," we mean that company. When it says "you," we mean anyone visiting wherebly.com, reading our stories, signing up for an account, or sending us a message.
in plain english We're a small team. There's no parent corporation you've never heard of. No shell company. The person responsible for your data is Pedro, and his email is
privacy@wherebly.com.
02 What we collect
We split everything we hold into two buckets: what we need to run the site and what you choose to give us. Nothing in bucket two is required. Here's the full list.
| Data | Why | Type |
| Email address | To create an account, send the weekly newsletter, and recover your login. | Required |
| Display name | Shown next to any notes or submissions you post (can be a nickname). | Required |
| Password (hashed) | Stored only as a salted argon2id hash. We never see the plaintext. | Required |
| Approximate city | So we can feature places near you on the homepage. | Optional |
| Tasting notes & submissions | The short reviews and place suggestions you choose to publish. | Optional |
| Saved lists | Places you bookmark. Private by default unless you publish a list. | Optional |
| Device & browser | Coarse diagnostics (browser version, screen width) so we can fix bugs. | Required |
| IP address (truncated) | Stored hashed + truncated for 30 days to block abuse & spam waves. | Required |
Things we never collect
- Precise GPS coordinates. Ever. "City" is as granular as it gets, and only if you opt in.
- Your contacts, calendar, camera roll, or mic — none of that is asked for.
- Payment card numbers. Stripe handles those and we only see the last four digits for receipts.
- Behavioural fingerprinting, canvas fingerprinting, audio fingerprinting, or any similar dark pattern.
- Data you sent to us "off the record" (e.g. a private email tip) is never added to a public profile.
03 Why we collect it
Under GDPR terms, each piece of data needs a "lawful basis." Here's ours, in one sentence per purpose, using regular words:
- Contract — to give you the account you asked for (login, saves, newsletter opt-in).
- Legitimate interest — to keep the site working, stop spam, fix bugs, and run aggregate analytics that can't identify you.
- Consent — for anything extra: email marketing beyond the newsletter, location-near-me features, or the two optional cookies (see §05).
- Legal obligation — for things like responding to a valid court order or keeping invoice records for tax purposes.
translation We take your email because we have to (you asked us to send you things). We keep error logs because without them the site breaks. Everything else? We ask first.
04 Who sees your data
We use a short, stable list of service providers — "sub-processors" in legal-ese — who each see only the slice of data they need to do their job. Here's everyone:
| Vendor | Role | Where |
| Fly.io | Runs the web servers & database | Amsterdam, NL |
| Backblaze B2 | Stores your uploaded photos | Amsterdam, NL |
| Postmark | Sends transactional email (login links) | United States |
| Buttondown | Sends the weekly newsletter | United States |
| Stripe | Payment processing (restaurant partners only) | Ireland / US |
| Plausible | Cookie-free page-view analytics | Frankfurt, DE |
| Sentry | Error tracking (IPs truncated before storage) | Frankfurt, DE |
Who we never share with
- Data brokers. Not one. Not ever.
- Ad networks. We don't run ads, display or otherwise.
- Restaurants — your saved lists and notes are yours. Owners see only the public comments you post on their page, same as any reader.
- "Analytics partners" that aggregate across sites to profile users.
05 Cookies & trackers
The site uses exactly three cookies. There's a longer legal habit of putting thirty. We're proud of the short list.
| Name | What it does | Lifespan |
| wb_sess | Keeps you logged in. First-party, httpOnly. | 30 days (sliding) |
| wb_theme | Remembers dark/light mode & font size. | 1 year |
| wb_ref | Attributes first visits (e.g. referred by a newsletter). | 14 days |
That's the full list. We use Plausible for analytics, which is entirely cookie-free and GDPR-exempt — it works by hashing a daily salt, so the same visitor can't be traced from one day to the next.
heads-up No banner. When a site has three first-party cookies and no ad trackers, EU law doesn't require a consent modal. So we skip the popup you hate clicking through.
06 Where we store it
Your account data and uploaded photos live on servers in Amsterdam (EU). Backups are encrypted and held in a second EU data centre in Frankfurt for 30 days.
🇳🇱
Primary — Amsterdam
Live database, user-uploaded photos, sessions.
🇩🇪
Backup — Frankfurt
Encrypted snapshot, 30-day rolling window.
🇺🇸
Transactional email — US
Login links processed by Postmark, retained 7 days.
🇵🇹
Finance — Lisbon
Invoices & tax records, kept 10 years per EU law.
Any time we transfer your data outside the EU (e.g. to Postmark in the US), it happens under the EU Commission's Standard Contractual Clauses, the same agreement the European Data Protection Board approves for such transfers.
07 How long we keep it
- Your account — until you delete it. We don't auto-expire inactive accounts.
- Notes & submissions — as long as the place exists on Wherebly, unless you remove them.
- Login audit log — 90 days, then wiped.
- Error logs (Sentry) — 30 days, with IPs truncated on arrival.
- Newsletter open/click data — 6 months, then deleted.
- Invoices / VAT records — 10 years, because that's what Portuguese tax law requires.
- Deleted accounts — removed from live systems within 48 hours, purged from backups within 30 days.
08 Your rights & controls
No matter where you live, these are available from your account settings page under "Data & privacy" — no email-us-and-wait-forever song and dance.
Correct it
Fix anything inaccurate. Most fields are self-serve, edge cases via email.
Edit profile
Delete your account
One button. Gone in 48h from live systems, 30 days from backups.
Delete account
Pause & restrict
Freeze your account without deleting — useful during a social detox.
Pause account
Object to processing
Opt out of any legitimate-interest processing (e.g. the welcome series).
Preferences
Lodge a complaint
If we don't fix it, Portugal's CNPD is your data protection authority.
cnpd.pt one more thing Californian residents: you have the equivalent of the above under the CCPA — "right to know," "right to delete," "right to opt-out of sale" (we don't sell, so this one is automatic). Same settings page covers it.
09 Kids & teens
Wherebly is not directed at anyone under 16. We don't knowingly collect data from children under 16. If you believe we've accidentally collected data from a child, email privacy@wherebly.com and we'll purge it within 72 hours.
10 Changes to this policy
When we change something meaningful, we'll email every account-holder at least 30 days before it takes effect and post a notice on the homepage. Typo fixes, formatting tweaks, and clarifications don't require an email — they show up in the changelog below.
Changelog
- March 28, 2026 Added Backblaze B2 as photo storage sub-processor; removed Cloudinary. Tightened retention for newsletter click data from 12 → 6 months.
- November 5, 2025 Switched analytics from Fathom to Plausible. Functionally identical (both cookie-free), but Plausible is EU-hosted, which simplifies transfers.
- July 14, 2025 Initial policy published alongside the public launch.
11 Contact the Data Steward
Pedro runs data protection at Wherebly. He's the person who answers when you email, and will usually reply within two working days. No ticket numbers, no chatbots — a real human who has read this policy forty-two times.
privacy@wherebly.com Rua do Loreto 15, 1200-241 Lisbon, Portugal Replies within 2 working days