Data processing

Data processing summary

This page explains WOPA's processor posture for business users. WOPA is operated by WOPA LTD (company number 17242400, 11 Raglan Close, Hounslow, United Kingdom, TW4 5EF). For data-processing questions, contact admin@mywopa.com.

Roles

For invoice and customer data entered by a tradesperson, the tradesperson is generally the controller and WOPA LTD acts as a processor. For WOPA's own waitlist, analytics, security, and account administration, WOPA LTD acts as controller.

Data categories

Seller business details, contact details, and bank payment details.
Customer names, email addresses, job addresses, and invoice details.
Invoice PDFs, payment status, reminder settings, and message metadata.
Support messages and operational logs needed to run the service.

Processing purposes

WOPA processes data to create invoice drafts, generate PDFs, send invoice emails, schedule reminders, maintain customer records, show outstanding invoice summaries, provide support, prevent abuse, and operate the service.

Subprocessors

We use the following subprocessors. Where a subprocessor processes data outside the UK, we rely on UK adequacy decisions or the UK International Data Transfer Addendum / Standard Contractual Clauses as a safeguard.

Cloudflare — site hosting, the WhatsApp webhook gateway, and waitlist storage. EU/global.
Meta Platforms (WhatsApp Business Cloud API) — delivery and receipt of WhatsApp messages. US/global.
OpenRouter and Anthropic — AI processing of message text to interpret instructions and transcribe voice notes. US.
Supabase (PostgreSQL) — the application database storing seller, client, and invoice records. EU region.
Resend — sending invoice and reminder emails to your customers. US/EU.
Stripe — subscription billing and payment processing. US/EU.
Google (Drive) — optional archive of invoice PDFs where a seller enables it. US/global.
PostHog — product and landing-page analytics, where consented. EU region.
Sentry — error monitoring and diagnostics (stack traces and technical context; no user IP addresses or personal data sent). EU region.

We will update this list before adding or changing a subprocessor that handles personal data.

Security measures

Encrypted HTTPS connections for the public site and API.
Access limited to people who need it to operate or support WOPA.
Approval gates before customer-facing invoices and firm reminders are sent.
Operational logs for troubleshooting and abuse prevention where needed.

Personal data breaches

If a personal data breach occurs that affects controller data we process, we will notify the affected controller without undue delay after becoming aware of it, and assist with their obligations to notify the ICO and affected individuals where required.

Retention and deletion

Waitlist records are deleted on request. Product records are retained only as long as needed to provide WOPA or to meet a legal obligation. In particular, invoices and VAT records are kept for the period UK tax law requires (typically up to six years) even after deletion of the rest of an account; outside that, data is deleted on request as described in the privacy notice.