Last updated: 28 May 2026 · Effective: 28 May 2026
Summary: WaitlessFlow collects only the data necessary to deliver our queue management service. We do not sell your personal data to third parties. Business customers act as Data Controllers; WaitlessFlow acts as a Data Processor on their behalf.
1. Who We Are
WaitlessFlow Inc. (“WaitlessFlow”, “we”, “us”, or “our”) operates the cloud-based virtual queue management platform available at waitlessflow.com and associated subdomains.
Registered address: Shevs Soft Technology, Licensed DET: 1106490, Jebel Ali, Dubai, UAE
General contact: hello@waitlessflow.com
This Privacy Policy explains how we handle personal data when you visit our website, use our platform, or interact with us as a business customer or an end-user (a customer of one of our business clients).
2. Information We Collect
2.1 Account and Business Data
When you register as a business customer we collect:
- Full name, job title, work email address
- Company name, industry, and business address
- Billing information (processed securely via Stripe - we do not store raw card numbers)
- Phone number (optional)
2.2 End-User Queue Data
When a member of the public joins a queue managed by one of our business customers, we collect on that customer’s behalf:
- Mobile phone number (for SMS or WhatsApp notifications)
- First name (optional, provided by the customer)
- Queue position, service type, and estimated wait time
- Timestamp of queue entry and service completion
2.3 Website and Usage Data
We automatically collect certain technical data when you visit our website:
- IP address and approximate location (country/region)
- Browser type, version, and operating system
- Pages visited, time on page, referrer URL
- Device type and screen resolution
- Cookie identifiers (see our Cookie Policy)
2.4 Communications Data
If you contact us via email, live chat, or our contact form, we retain records of that correspondence including your name, email address, and the content of your messages.
3. How We Use Your Information
We use personal data for the following purposes:
- Service delivery: Providing, operating, and improving the WaitlessFlow platform
- Account management: Creating and managing your business account
- Communications: Responding to support requests and sending service-related notifications
- Billing: Processing subscription payments and issuing invoices
- Analytics: Understanding how the platform is used to improve features and performance
- Marketing: Sending promotional emails (only with your consent; you may opt out at any time)
- Legal compliance: Meeting our obligations under applicable law
- Security: Detecting and preventing fraud, abuse, and security incidents
We do not use personal data to make fully automated decisions that produce legal or similarly significant effects without human review.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the services you have subscribed to
- Legitimate interests (Art. 6(1)(f)): Fraud prevention, network security, service improvement, and direct marketing to existing customers
- Legal obligation (Art. 6(1)(c)): Compliance with tax, financial, and regulatory requirements
- Consent (Art. 6(1)(a)): Marketing communications to non-customers and the use of non-essential cookies (consent can be withdrawn at any time)
Controller vs Processor: Where WaitlessFlow processes personal data of your end-users (e.g. queue participants), your business is the Data Controller and WaitlessFlow is the Data Processor. A Data Processing Agreement (DPA) is available upon request and is included in our Enterprise contracts.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data with:
5.1 Service Providers (Sub-processors)
- Stripe Inc. — Payment processing (PCI-DSS Level 1 certified)
- Google LLC — Analytics and workspace tools
All sub-processors are bound by data processing agreements and provide at least equivalent data protection to this policy.
5.2 Legal Requirements
We may disclose personal data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of WaitlessFlow, our customers, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction. We will notify you by email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain personal data only as long as necessary for the purposes set out in this policy:
- Account data: Retained for the duration of your subscription plus 90 days after account closure, then deleted
- End-user queue data: Retained for the period specified in your subscription plan (7 days on Free; up to 2 years on Growth; custom on Enterprise)
- Billing records: Retained for 7 years to comply with tax and accounting regulations
- Support communications: Retained for 3 years from last interaction
- Server logs: Retained for 90 days for security purposes
You may request deletion of your data at any time (see Section 8). Certain data may be retained longer if required by law.
7. International Data Transfers
WaitlessFlow is headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your data may be transferred to and processed in the United States or other countries.
We ensure such transfers comply with applicable data protection laws through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA)
- Data Processing Agreements with all sub-processors
EU customers: We offer EU-hosted data storage (Frankfurt, Germany) on Business, Growth, and Enterprise plans. Contact
dpo@waitlessflow.com to activate EU-only data residency.
8. Your Privacy Rights
8.1 Rights Under GDPR (EEA / UK)
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (“right to be forgotten”)
- Right to restriction: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time
8.2 Rights Under CCPA (California)
California residents have the right to know what personal information we collect, the right to delete it, the right to opt-out of sale (we do not sell personal data), and the right not to be discriminated against for exercising these rights.
8.3 How to Exercise Your Rights
Submit requests to privacy@waitlessflow.com or by post to our registered address. We will respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before processing your request. Requests are free of charge; we may charge a reasonable fee for manifestly unfounded or excessive requests.
If you believe we have not adequately handled your request, you have the right to lodge a complaint with your local data protection authority.
9. Security
We implement industry-standard technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration:
- All data encrypted in transit using TLS 1.3
- All data encrypted at rest using AES-256
- ISO 27001 certified information security management system
- Regular third-party penetration testing
- Multi-region AWS infrastructure with automatic failover
- Role-based access controls and multi-factor authentication (MFA) for all staff
- SOC 2 Type II audit in progress
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Article 33.
10. Children’s Privacy
WaitlessFlow is a business-to-business service and is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@waitlessflow.com and we will promptly delete it.
11. Cookies
We use cookies and similar tracking technologies on our website. For detailed information about the cookies we use, why we use them, and how you can control them, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify registered business customers by email at least 30 days before the change takes effect
- Where required by law, obtain your consent before processing your data in a new way
Your continued use of WaitlessFlow after the effective date constitutes acceptance of the updated policy.