Privacy Policy

Last updated: March 1, 2025

1. Introduction

Webyn SAS ("Webyn", "we", "us", or "our") is a company incorporated under French law, registered in Paris, France. We operate an AI-powered A/B testing and conversion rate optimization platform accessible at webyn.org (the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, use our platform, or interact with us in any way.

We are committed to processing your personal data lawfully, fairly, and transparently, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act (Loi Informatique et Libertés), and other applicable privacy regulations. This policy applies to all visitors to webyn.org, users of the Webyn platform, employees of our customer organizations, and anyone else whose personal data we process.

Please read this policy carefully. If you have questions about anything in this document, you can contact us at the address provided in Section 15 below. Your continued use of our website or Service after the "Last updated" date above constitutes your acknowledgement of the terms described in this policy.

2. Who We Are and Our Role

For visitors to webyn.org and for our own marketing and sales activities, Webyn acts as the data controller — we determine the purposes and means of processing your personal data. Our registered address is in Paris, France. You can reach our data protection contact by email at the address listed in Section 15.

For data processed through the Webyn experimentation platform on behalf of our customers — including visitor behavioral data from our customers' websites — Webyn acts as a data processor. In this capacity, we process personal data strictly on behalf of and under the instructions of our customers, who are the data controllers. Our Data Processing Agreement (DPA), available to all customers, governs this relationship.

The distinction matters: if you are a visitor to a website that uses Webyn's technology (rather than a visitor to webyn.org directly), the privacy notice provided by that website's operator is the primary disclosure for data collected through their use of our platform. This policy covers Webyn's own processing activities as controller.

3. Personal Data We Collect

When you visit webyn.org: We collect data that your browser automatically sends when you visit any website. This includes your IP address (which we truncate to the first three octets for anonymization purposes after processing), browser type and version, operating system, referring URL, pages visited, time spent on pages, and the date and time of your visit. This data is collected automatically through server logs and analytics tools.

When you create an account: We collect your name, email address, company name, job title, and the password you choose (stored as a one-way cryptographic hash). If you register through a single sign-on provider such as Google Workspace, we receive the name and email address associated with that account, subject to your settings with that provider.

When you contact us: When you submit an inquiry through our contact form, request a demo, or email us directly, we collect the information you provide, including your name, email address, phone number (if given), company name, and the content of your message.

When you use the platform: We collect data about how you use the Webyn platform, including experiments you create, configuration settings, user actions within the interface, and support interactions. This data is used to operate the Service and improve it.

Payment data: When you subscribe to a paid plan, payment processing is handled by our third-party payment processor Stripe, which stores and processes your payment card data under its own privacy policy and PCI-DSS compliance program. We receive a payment token and summary information (card type, last four digits, expiry date) but do not store full card numbers on our systems.

Cookies and similar technologies: We use cookies and similar technologies as described in our Cookie Policy, available at webyn.org/legal/cookies.html. This includes essential cookies required for the Service to function, analytics cookies to understand how visitors use our website, and marketing cookies where you have consented to their use.

4. How We Use Your Personal Data

To provide and operate the Service: We use your account information to authenticate you, provide access to the platform features you have subscribed to, and maintain the security of your account. This processing is necessary to perform the contract between you and Webyn (GDPR Article 6(1)(b)).

To process payments: We use billing information to charge you for your subscription, issue invoices, manage payment failures and dunning, and comply with accounting and tax obligations. This processing is necessary for contract performance and for compliance with legal obligations (GDPR Article 6(1)(b) and 6(1)(c)).

To communicate with you: We send you transactional emails related to your account — signup confirmation, password resets, billing notifications, and important product updates. These communications are necessary to perform the contract and are not optional while you maintain an account. We also send product update and marketing communications with your consent, from which you can unsubscribe at any time.

To improve the Service: We analyze aggregated usage data to understand which features are used most, where users encounter problems, and how to prioritize product development. This analysis uses anonymized or pseudonymized data where possible. Where individual-level data is necessary, this processing is based on our legitimate interests in improving our product (GDPR Article 6(1)(f)), subject to your rights to object as described in Section 10.

For security and fraud prevention: We process access logs and behavioral data to detect and prevent unauthorized access, fraud, abuse, and security threats. This processing is based on our legitimate interests in protecting the security and integrity of the Service and the data of all our customers.

To comply with legal obligations: We retain certain data to comply with French and European legal requirements including tax law, accounting regulations, and obligations imposed on service providers by data protection authorities. Retention periods for legally required data are described in Section 7.

For marketing and sales: With your consent, or where we have a legitimate interest that outweighs your privacy interests, we may use your contact information to send you information about Webyn products, industry content, and relevant events. You can withdraw consent or object to this processing at any time using the unsubscribe mechanism in any marketing email or by contacting us directly.

5. Legal Bases for Processing

Under GDPR, we must have a lawful basis for processing personal data. The bases we rely on are as follows:

Contract performance (Article 6(1)(b)): Processing your data to provide the Service you have subscribed to, including account management, platform access, billing, and essential communications.

Legitimate interests (Article 6(1)(f)): Processing for security monitoring, fraud prevention, product improvement, and marketing to existing customers where our interests are proportionate to your privacy interests. We have conducted legitimate interest assessments for these activities and found them appropriate.

Legal obligation (Article 6(1)(c)): Processing required by applicable law, including tax and accounting records retention, and responses to lawful demands from competent authorities.

Consent (Article 6(1)(a)): Processing for non-essential cookies, marketing emails to non-customers, and any other processing where we have explicitly asked for your agreement. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6. How We Share Your Data

We do not sell your personal data to third parties. We do not share your personal data with third parties for their own marketing purposes without your explicit consent. We share data in the following limited circumstances:

Service providers: We engage third-party companies to provide infrastructure, payment processing, customer communication, analytics, and support services on our behalf. These companies are processors under GDPR and are contractually required to process data only on our instructions and to maintain appropriate security measures. Current major categories of sub-processors include cloud infrastructure (hosted in the EU), payment processing, email delivery, and customer support tooling. Our current sub-processor list is available on request.

Professional advisors: We may share data with our lawyers, accountants, and auditors as necessary for them to provide professional services to us, subject to professional confidentiality obligations.

Business transfers: If Webyn is involved in a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

Legal requirements: We may disclose personal data when required to do so by law, court order, or other governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

With your consent: We may share your data with third parties in other ways with your explicit prior consent.

7. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, taking into account legal retention obligations and business necessity. Our retention guidelines are as follows:

Account data: We retain your account data for the duration of your subscription and for a period of three years after account closure, to allow for account reactivation requests, to resolve disputes, and to comply with any outstanding legal obligations. After this period, account data is deleted or anonymized.

Billing records: Invoice and payment records are retained for ten years from the date of the transaction to comply with French accounting and tax law (Article L123-22 of the French Commercial Code).

Experiment and platform data: Data created through use of the Webyn platform — including experiment configurations, variant definitions, and aggregated result statistics — is retained for the duration of your subscription plus 90 days, to allow you to export your data after cancellation. Visitor-level event data from experiments is retained for a maximum of 24 months from collection and then deleted.

Marketing contact data: If you have consented to marketing communications, we retain your contact information for this purpose until you unsubscribe or withdraw consent. We will also periodically review and remove contacts who have not engaged with our communications in 36 months.

Website analytics data: Pseudonymized website visitor data collected through our analytics tools is retained for 26 months from collection, consistent with CNIL guidance on analytics cookie retention.

Security logs: Access and security logs are retained for 12 months for security monitoring purposes and then deleted.

8. Data Transfers Outside the European Economic Area

Webyn processes data primarily in the European Union. Our primary infrastructure is hosted on servers located in France and Germany. Where we use sub-processors that process data outside the EEA — for example, a customer support tool hosted in the United States — we ensure that appropriate safeguards are in place as required by GDPR Chapter V.

These safeguards include: Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR, adequacy decisions where the destination country has been assessed as providing equivalent protection (such as transfers to the UK under the UK GDPR adequacy decision), and supplementary measures where required by the Transfer Impact Assessment applicable to the specific transfer.

If you would like more information about the specific safeguards applicable to your data transfer, or to obtain a copy of the relevant SCCs, please contact us at the address in Section 15.

9. Cookies and Tracking Technologies

We use cookies and similar technologies on webyn.org. Essential cookies are necessary for the website and platform to function and cannot be disabled. Analytics cookies help us understand how visitors use our site. Marketing cookies are used where you have consented to receive targeted communications. Full details of the cookies we use, their purposes, durations, and your options for managing them are set out in our Cookie Policy at webyn.org/legal/cookies.html.

You can update your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of our website. Withdrawing consent for non-essential cookies will not affect the functioning of the core Service for logged-in customers, but may affect the personalization of our marketing website.

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights with respect to your personal data that we process as controller:

Right of access (Article 15): You have the right to obtain confirmation of whether we process personal data about you, and to receive a copy of that data along with information about how it is processed. We will respond to access requests within one month of receipt.

Right to rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed. You can update most of your account information directly through the platform settings. For data you cannot update yourself, contact us at the address in Section 15.

Right to erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you have withdrawn consent and there is no other lawful basis, or where you have objected to processing and there are no overriding legitimate grounds. Note that we may be required to retain some data to comply with legal obligations.

Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data or while an objection to processing is being resolved.

Right to data portability (Article 20): Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to object (Article 21): You have the right to object to processing based on legitimate interests (including profiling) on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where the processing is for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing of your personal data for direct marketing purposes.

Rights related to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects concerning you. Webyn does not make such automated decisions about individuals.

To exercise any of these rights, please contact us at the address in Section 15. We will verify your identity before processing a rights request and will respond within one month. We may extend this period by a further two months where necessary, in which case we will notify you within the first month. We do not charge a fee for the exercise of data subject rights unless requests are manifestly unfounded or excessive.

11. Security

We implement technical and organizational measures appropriate to the risk of processing personal data, in accordance with GDPR Article 32. These measures include: encryption of personal data in transit using TLS 1.2 or higher; encryption of data at rest using AES-256; access controls limiting personal data access to employees with a legitimate need; two-factor authentication requirements for systems holding personal data; regular security assessments and penetration testing; and an information security policy covering all employees.

Our infrastructure is hosted in ISO 27001-certified data centers within the European Union. We conduct regular backups of customer data and test our recovery procedures to ensure business continuity in the event of an incident.

In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will notify the CNIL (Commission Nationale de l'Informatique et des Libertés) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected data subjects directly without undue delay.

If you discover a security vulnerability in our systems, please report it responsibly to our security contact at the address in Section 15. We will investigate all reports and respond within five business days.

12. Children's Privacy

The Webyn Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data. If you believe we have inadvertently collected data from a child, please contact us immediately at the address in Section 15.

13. Third-Party Links

Our website may contain links to third-party websites and services that are not operated by Webyn. When you follow a link to a third-party site, that site's privacy policy governs the collection and use of your personal data, not this policy. We have no control over and accept no responsibility for the privacy practices of third-party sites. We encourage you to review the privacy notice of any third-party site you visit through a link on our website.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this policy and, where we have your contact information, notify you by email. We encourage you to review this policy periodically to stay informed about how we protect your data. Your continued use of the Service after the updated policy is posted constitutes your acceptance of the updated terms.

15. Contact Information and Supervisory Authority

If you have questions about this Privacy Policy, wish to exercise your data subject rights, or want to raise a concern about our data processing practices, please contact us:

Webyn SAS
Data Protection Contact
Paris, France
Email: vincent@webyn.org
General inquiries: contact@webyn.org

If you are located in the European Union and believe that we have not addressed your concerns adequately, you have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés), the French supervisory authority for data protection:

CNIL
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
France
Website: www.cnil.fr

You may also contact the supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.