Privacy Policy
Last updated: 14 June 2026
This policy explains what personal data Refendr collects when you join our waitlist, why we collect it, who we share it with, and the rights you have over it. We are based in the EU and aim to be GDPR-correct from day one: we ask for explicit consent, use double opt-in, keep your data in the EU, and collect as little as possible.
Who we are
Refendr ("we", "us") is the data controller for the personal data described here. You can reach us about anything in this policy — including to exercise your rights — at hello@refendr.com.
What we collect
When you submit the waitlist form, we collect:
| Data | Why |
|---|---|
| Your email address | To send the confirmation email and, once confirmed, occasional updates and your beta invite. |
| Your consent — the fact you ticked the box, the exact wording shown, and the time | To prove we have a valid basis to email you (a GDPR record-keeping requirement). |
| Attribution — UTM parameters (source, medium, campaign, term, content), the referring page, and the page you signed up from | To understand which channels bring people to Refendr so we can improve. |
| Approximate country, where available | Coarse, optional analytics. Derived from request metadata — we do not store your IP address. |
| Technical timestamps (created/confirmed) | To operate the double opt-in flow. |
We do not collect payment details, and we do not ask for any data beyond the above.
Legal basis
We process your data on the basis of your consent (GDPR Article 6(1)(a)), given when you tick the consent box and submit the form. You can withdraw consent at any time (see Your rights) — it's as easy to opt out as it was to opt in.
Double opt-in
After you submit the form we send a confirmation email. Your address is only added to our mailing audience once you click the link in that email. If you never confirm, we don't email you again, and unconfirmed entries are not used for any broadcast.
Who we share it with
We don't sell your data or share it for advertising. We use a small number of processors to run the service:
| Processor | Purpose | Location |
|---|---|---|
| Resend | Sending email + storing the confirmed contact list | United States (under appropriate data-transfer safeguards / a data processing agreement) |
| Google Cloud (Cloud Run, Cloud SQL) | Hosting the service and storing the waitlist database | European Union (europe-west1) |
Where your data lives
Our database and application run in the EU (Google Cloud europe-west1). Email delivery is handled by Resend in the US; only your email address and confirmation status are processed there, under appropriate safeguards.
Cookies
If you arrive via a campaign link, we set one first-party cookie (refendr_attr, ~90 days) to remember which campaign brought you, so a signup is attributed correctly. It contains only the attribution fields above — no advertising or cross-site tracking. You can clear it any time in your browser.
How long we keep it
We keep your waitlist entry until you unsubscribe or ask us to delete it, or until we no longer operate the waitlist — whichever comes first. When you unsubscribe, we remove you from the mailing audience and delete or anonymise your record.
Your rights
Under the GDPR you can:
- Access the data we hold about you, and get a copy
- Correct it if it's wrong, or ask us to delete it ("right to be forgotten")
- Restrict or object to our processing, and ask for portability
- Withdraw consent at any time — every email has a one-click unsubscribe, or email us
- Complain to your local data protection authority if you think we've got it wrong
To exercise any of these, email hello@refendr.com and we'll respond within the timeframe the law requires.
Changes to this policy
If we change how we handle your data, we'll update this page and adjust the "last updated" date above. Material changes affecting how we email you will be communicated directly.