Last Updated: January 7, 2026
Compliant with GDPR (EU 2016/679), CCPA, UK GDPR, Australian Privacy Act, Canadian PIPEDA
Whoolt shpk (hereinafter "Whoolt", "we", "our") respects your privacy and is committed to protecting your personal data. This privacy policy describes how we collect, use, share, and protect your information when you use our platform for electric and hybrid vehicle repair assistance, including the WhatsApp Business API (Meta) notification system.
This policy complies with the European Union's General Data Protection Regulation (GDPR) (2016/679), as well as other applicable international data protection regulations.
Whoolt shpk
Address: Tirane Njesia Bashkiake nr.9, Rruga e Barrikadave
Galeria Tirana, zyra nr.49, Tirana 1001, Albania
NUIS: M51827022B
Website: network.whoolt.com
Privacy Email: info@whoolt.com
Legal Representative: Davide Licari
Data Protection Officer (DPO): dpo@whoolt.com
The Data Controller is responsible for determining the purposes and means of processing personal data in accordance with Art. 4(7) of the GDPR.
Whoolt collects the following categories of personal data:
Note: Biometric signature data is processed only with your explicit consent (Art. 9 GDPR) for the legal validity of vehicle acceptance documents.
The processing of your personal data is based on the following legal grounds:
Processing is necessary for the performance of the vehicle repair assistance contract between you and Whoolt, including ticket management, workshop communication, and service provision.
Your explicit consent is requested for:
You can withdraw consent at any time without affecting the lawfulness of prior processing.
Some data must be retained to comply with legal obligations, such as retaining invoices for 10 years under applicable tax regulations.
Our legitimate interest justifies processing for:
Your personal data is used exclusively for the following purposes:
Creating, assigning, tracking, and closing vehicle repair requests
Sending repair status updates (NOT marketing or promotions)
Real-time web chat, document exchange, technical information requests
Processing personalized repair quotes with detailed costs and services
Processing payments via Stripe, issuing invoices, managing transactions
Collecting graphometric signature for legal validity of workshop vehicle acceptance
Platform protection, suspicious activity detection, dispute management
Aggregated (anonymized) statistical analysis to optimize user experience
⚠️ Important
Your data is NEVER used for:
Your personal data may be shared with the following recipients, exclusively for the purposes described:
| Recipient | Purpose | Location |
|---|---|---|
| Whoolt Network Workshops | Repair management, technical communication, quotes | Italy/EU |
| Meta Platforms Ireland Limited | Sending transactional WhatsApp Business API notifications | Ireland (EU) + USA |
| Stripe Payments Europe Ltd | Secure online payment processing | Ireland (EU) |
| Supabase Inc. | Database hosting and user authentication management | EU (Frankfurt servers) |
| Vercel Inc. | Web application hosting and CDN | EU + USA |
| Email SMTP/IMAP Provider | Sending transactional emails (confirmations, quotes, invoices) | Configurable |
🔒 Protection Guarantees
All data recipients are bound by:
Some of our service providers may process your data outside the European Economic Area (EEA). In these cases, we ensure an adequate level of protection through:
Meta and other US providers are certified under the Data Privacy Framework (DPF) approved by the European Commission with Adequacy Decision 2023/1795.
Verify certifications: www.dataprivacyframework.gov
We use Standard Contractual Clauses (SCC) approved by the European Commission (Decision 2021/914) for transfers to countries without an adequacy decision.
Beyond SCCs, we implement supplementary technical measures:
⚠️ Transfers to USA
Some features (WhatsApp Business API, CDN hosting) involve transfers to the United States. These transfers are protected by the safeguards described above. If you wish to exercise your rights regarding these transfers, contact us at info@whoolt.com.
We retain your personal data only as long as necessary for the purposes for which it was collected:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Ticket and Communication Data | 12 months after ticket closure | Contract performance |
| Billing and Payment Data | 10 years | Legal tax obligation |
| WhatsApp Metadata | 30 days | Legitimate interest (troubleshooting) |
| Vehicle Photos and Attachments | 5 years after ticket closure | Contractual rights protection |
| Digital Signature Data | 10 years | Document legal validity |
| Access Logs and IP | 12 months | Information security |
| Marketing Consent (if provided) | Until withdrawal | Explicit consent |
🗑️ Automatic Deletion
At the end of retention periods, your data is automatically and securely deleted from our systems, except for legal obligations requiring longer retention (e.g., tax data).
Under the GDPR, you have the following rights regarding your personal data:
You can request a copy of all personal data we process about you, including information about processing purposes and recipients.
You can request correction of inaccurate data or completion of incomplete data concerning you.
You can request deletion of your personal data ("right to be forgotten"), except for legal retention obligations (e.g., tax data).
You can request restriction of processing of your data in certain circumstances (e.g., disputing data accuracy).
You can receive your data in a structured, machine-readable format (CSV, JSON) and transmit it to another controller.
You can object to processing of your data based on legitimate interest or for direct marketing purposes.
Where processing is based on consent (e.g., WhatsApp notifications), you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
You have the right to lodge a complaint with a supervisory authority if you believe the processing of your data violates the GDPR.
EU Supervisory Authorities: Find your authority
All WhatsApp messages are protected by end-to-end encryption (E2EE). This means only you and the workshop can read the message content. Neither Meta nor Whoolt can access encrypted content.
Even with E2E encryption, Meta collects the following metadata:
Meta processes this metadata for:
Note: Meta does NOT use your WhatsApp Business message content for advertising. See WhatsApp Business Policy.
Whoolt has signed a Data Processing Agreement (DPA) with Meta Platforms Ireland Limited in compliance with Art. 28 GDPR. Meta acts as a data processor for WhatsApp metadata.
Meta Platforms Ireland Limited
4 Grand Canal Square, Grand Canal Harbour
Dublin 2, Ireland
You can disable WhatsApp notifications at any time:
Even after opt-out, you'll continue receiving email notifications for ticket management.
Whoolt WhatsApp Business Number: +39 333 123 4567
This number is used ONLY for transactional notifications (ticket updates). We will never send unsolicited promotional or marketing messages.
In addition to GDPR (EU), we comply with the following international data protection regulations:
For California (USA) residents, we guarantee the following rights under CCPA:
To exercise your CCPA rights, contact us at: info@whoolt.com
For UK residents, we comply with UK GDPR and the Data Protection Act 2018.
For UK complaints: Information Commissioner's Office (ICO)
For Australian residents, we comply with the Australian Privacy Principles (APP).
For Australian complaints: Office of the Australian Information Commissioner (OAIC)
For Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
For Canadian complaints: Office of the Privacy Commissioner of Canada
Whoolt implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
In case of a personal data breach, Whoolt:
Our service providers are certified according to:
To exercise any of your rights under GDPR and international regulations:
Privacy Email:
info@whoolt.comData Protection Officer:
dpo@whoolt.comPostal Address:
Whoolt shpk - Privacy Office
Tirane Njesia Bashkiake nr.9, Rruga e Barrikadave
Galeria Tirana, zyra nr.49, Tirana 1001, Albania
Email info@whoolt.com specifying which right you want to exercise (access, rectification, deletion, etc.) and providing sufficient details to identify yourself.
To protect your data, we may request a copy of valid ID (ID card, passport) to verify your identity.
We will respond within 30 days of receiving the complete request, as required by Art. 12(3) GDPR. In complex cases, we may extend the deadline by an additional 60 days, informing you of the reasons.
Exercising your rights is always free. We may charge a reasonable fee only for manifestly unfounded or excessive requests (Art. 12(5) GDPR).
To facilitate exercising your rights, you can use our standard forms:
Forms will be available soon. In the meantime, you can send a free-form request via email.
If you believe the processing of your personal data violates GDPR or other privacy regulations, you have the right to lodge a complaint with a supervisory authority.
You can contact the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.
Find your EU authority: EDPB Members List
🇮🇹 Italy (Garante Privacy)
www.garanteprivacy.it🇩🇪 Germany (BfDI)
www.bfdi.bund.de🇫🇷 France (CNIL)
www.cnil.fr🇬🇧 United Kingdom (ICO)
www.ico.org.ukNote: We encourage you to contact us before lodging a formal complaint, so we can resolve any issues directly and quickly.
Whoolt reserves the right to modify this privacy policy at any time. Changes will take effect immediately upon posting the updated version on the website.
In case of substantial changes affecting your rights, we will inform you through:
We recommend periodically consulting this page to stay updated on our data protection practices.
Current version: 1.0
Last modified: January 7, 2026
Next scheduled review: July 7, 2026
If you have questions, concerns, or need clarifications about this privacy policy or our data processing practices, please don't hesitate to contact us:
📧 Privacy Email
info@whoolt.com📧 Data Protection Officer
dpo@whoolt.com🌐 Website
network.whoolt.com📍 Address
Tirana 1001, Albania
Our privacy team responds within 48 business hours. For urgent requests, please mark your email as urgent.
© 2026 Whoolt shpk - NUIS M51827022B - All rights reserved
This policy complies with GDPR (EU 2016/679), CCPA, UK GDPR, Australian Privacy Act, Canadian PIPEDA