Privacy Policy
Last updated: 12 June 2026
Wodoco B.V. ("Wodo", "we", "us") builds project management software. This policy explains how we handle personal data we control directly — about visitors to this site, account holders, billing contacts, and people who contact us. We aim to collect as little as possible and to keep it in the European Union.
For personal data that your organisation puts into Wodo about other people — your colleagues, customers, suppliers, anyone whose data appears inside a workspace — our Data Processing Agreement governs how we handle it on your organisation's behalf. Your organisation is the controller for that data; we are the processor.
What data do we collect?
You are not obliged to provide your personal data. But without certain data — such as your email address and account information — we can't provide Wodo to you. For each kind of data below, we note the legal basis on which we process it.
When you visit this website
This website does not use analytics, tracking pixels, or third-party scripts. We do not fingerprint your browser or track you across sessions.
The server that hosts this website may log your IP address and request metadata (URL, timestamp, user agent). We process these logs on the basis of our legitimate interest (Article 6(1)(f) GDPR) in keeping the site secure and preventing abuse. They are rotated automatically and not shared with third parties.
When you sign up and use Wodo
Account. You sign in via an OAuth provider (Google, Microsoft, or a custom OIDC provider configured by your organisation). We store the provider's stable user identifier, your email address, and your display name. We do not store passwords — authentication is delegated entirely to your identity provider. We process this to create and run your account and to perform our contract with you (Article 6(1)(b) GDPR).
Invited guests who do not have a supported identity provider can register a passkey (WebAuthn / FIDO2) for passwordless access instead. In that case we store the public key credential; the private key never leaves your device.
Billing. If your organisation has a paid plan, we store the contact and invoicing details needed to bill it. We process this to perform our contract with your organisation (Article 6(1)(b) GDPR) and to comply with our statutory accounting and retention obligations (Article 6(1)(c) GDPR). Card and bank details are handled by our payment processor Mollie, an EU-licensed payment institution — we do not see or store full card numbers ourselves.
Cookies. We use HTTP-only, secure cookies for authentication. These are functional cookies required to keep you signed in. We do not use cookies for tracking or advertising.
Telemetry. The Wodo application does not collect telemetry, usage analytics, or behavioural data.
Your workspace content. When you use Wodo as part of an organisation, the items, documents, comments, and attachments inside your workspaces are governed by the Data Processing Agreement between us and your organisation — not by this Privacy Policy. In short: your organisation is the controller, we are the processor, we do not sell or share that data and we do not use it to train models.
When we send you emails
Transactional emails (sign-in links, invitations, notifications) are sent through Lettermint, an EU-based email provider. We send only what is necessary: your email address and the message content. We do not send marketing emails.
When you contact us
Messages you send via email or a contact form are stored in our email system. We handle these on the basis of our legitimate interest (Article 6(1)(f) GDPR) in responding to you — or, where relevant, to take steps at your request before entering into a contract (Article 6(1)(b) GDPR). We retain them for as long as needed to resolve your request (see "How long we keep your data"). You can ask us to delete them at any time.
Where is your data stored?
Your account, billing, and other data we control directly are stored on OVHcloud, a European cloud provider with extensive independent security and compliance certifications. The infrastructure delivering Wodo to your browser also runs on bunny.net, a European content delivery network. bunny.net routes your requests to our servers but does not store the contents of your work — your browser's IP address is visible to bunny.net as part of normal network routing.
Workspace content (items, documents, attachments) is stored in the region your organisation chose for each space — see the Data Processing Agreement for details.
When you sign in with Google, Microsoft, or another identity provider, your browser communicates directly with that provider during the sign-in process. We do not control where those providers process your data.
How long we keep your data
We keep personal data only as long as we need it, then delete or anonymise it.
| Data | Retention |
|---|---|
| Account & profile (name, email, provider identifier, passkeys) | Life of your account + 60 days |
| Sign-in tokens / sessions | Session; maximum 30 days |
| Server & CDN access logs (may include your IP address; our CDN bunny.net blanks the last octet) | Up to 30 days |
| Administrative audit log (your organisation's admin actions and sign-in events) | 12 months |
| Billing & accounting records | 7 years (Dutch tax law, art. 52 AWR) |
| Support & contact correspondence | 2 years after the request is closed |
| Transactional email delivery logs | 90 days |
After the retention period, data is securely deleted or anonymised. We may keep data longer where a law requires it, or place a legal hold during a dispute or investigation — we'll tell you if that affects a request you've made.
Workspace content your organisation puts into Wodo follows the retention rules in the Data Processing Agreement, not this table.
What we do not do
- We do not sell your personal data.
- We do not show advertisements.
- We do not use your data to train machine-learning models.
- We do not share your personal data with third parties, except with the service providers (processors) we use to run Wodo. For the data this policy covers, those are: OVHcloud (hosting), bunny.net (content delivery), Lettermint (transactional email), and Mollie (payments). They act on our instructions and only for the purposes above. (For workspace content, where we are a processor, the sub-processors are listed in the DPA.)
- We do not send marketing emails.
What rights do you have?
Whether or not you live in the EU, we extend the following GDPR rights to all individuals whose personal data we hold:
Access. You can request a copy of the personal data we hold about you.
Rectification. If any of your data is inaccurate, you can ask us to correct it — or update it yourself in your account settings.
Erasure. You can ask us to delete your account and associated personal data. Some data may be retained where we have a legal obligation (for example, invoicing records), but we will tell you if that applies.
Restriction. You can ask us to temporarily stop processing your data while we resolve a dispute or verify its accuracy.
Portability. You can request a copy of your personal data in a structured, machine-readable format.
Objection. You can object to further processing of your personal data at any time.
To exercise any of these rights, email us at privacy@wodo.co. We respond within one month, as the GDPR requires; if a request is complex we may extend that and will tell you.
We do not use your personal data for automated decision-making, including profiling.
If the personal data you are asking about is inside a Wodo workspace controlled by an organisation you belong to, your request will reach that organisation — they are the controller. We will forward it and help with the technical side of responding (export, deletion). See the DPA for the full picture.
If you are in the EU, you also have the right to lodge a complaint with your local data protection authority — for Dutch users, the Autoriteit Persoonsgegevens.
Data controller
Wodoco B.V. is the data controller for the personal data described in this policy:
- Wodoco B.V., Veembroederhof 202, 1019 HC Amsterdam, the Netherlands
- Chamber of Commerce (KvK): 42064928
- privacy@wodo.co
For data we process on behalf of an organisation (the processor role), the controller is the organisation — see the Data Processing Agreement.
Changes to this policy
We may update this policy from time to time. Material changes will be announced in the application and by email to account holders. The "Last updated" date at the top reflects the most recent revision.