Privacy policy

1. Identity of the data controller

The controller of your personal data is:

2. Data collected

We collect the following data depending on your use:

a) Browsing data

• IP address (anonymized after 30 days)
• Browser type and operating system
• Pages visited and session duration
• Connection country (detected via HTTP header, not stored by name)

b) Account data (partners only)

• First name, last name, professional email address
• Company name, country, phone number
• Connection data (timestamp, last activity)

c) Payment data (end users)

Payments are processed by certified third-party providers (Stripe for the diaspora, Wave / Orange Money for Africa). We do not store your banking details.

d) Cookies and local storage

• wawaw_geo_region, detected region (Africa / Diaspora / Other), 30 days
• wawaw_lang, preferred language, 30 days
• wawaw_admin_session, administrator session (httpOnly, 7 days)
• wawaw_partner_session, partner session (httpOnly, 7 days)

We do not use advertising cookies or cross-site tracking.

3. Legal bases for processing (GDPR art. 6)

4. Retention period

• Browsing data: 30 days (IP anonymized thereafter)
• Partner account data: contract duration + 5 years (legal obligations)
• Transaction data: 10 years (Senegalese accounting obligations)
• Partner audit trail (partner_view_audit): 7 years (contractual limitation period)
• Product telemetry (analytics_events): 12 months aggregated, then deleted
• Technical logs: 90 days
• Session cookies: 7 days maximum
• Preference cookies (language, region, admin theme): 30 days to 1 year

5. Subprocessors and transfers outside the EU

6. Your rights

In accordance with the GDPR (if you are in Europe) and the Senegalese personal data protection law (Law No. 2008-12), you have the following rights:

• Access, obtain a copy of your data
• Rectification, correct inaccurate data
• Erasure, request the deletion of your data
• Portability, receive your data in a structured format
• Objection, object to processing based on legitimate interest
• Restriction, request the suspension of processing

To exercise your rights, contact us at wawawsenegal@gmail.com with the subject "GDPR rights request". We will reply within 30 days.

You also have the right to refer the matter to the Senegalese Personal Data Protection Commission (CDP) or the data protection authority of your country of residence.

7. Security

We implement appropriate technical and organizational measures: TLS 1.3 encryption in transit, httpOnly session cookies, a strict CSP policy, multi-factor authentication (TOTP) for administrator and partner access.

Partner banking details are encrypted at rest via pgp_sym_encrypt (RFC 4880 OpenPGP CFB) with a server key never stored in the code, accessible only by Wawaw operations at the moment of issuing a payment.

8. Traceability on the partner portal

If you are a rights holder using partners.onwawaw.com, each view of a revenue or KPI page writes a row in the partner_view_audit table with a SHA-256 hash of the displayed value. Retention: 7 years (Senegal + EU contractual limitation period). This traceability protects the partner in case of a dispute: we can reproduce at any time what they saw.

Viewing statistics shared with rights holders are systematically anonymized: viewer reference = the last 8 hexadecimal characters of a random identifier (e.g. user_a4f2bc12), irreversible, never linked to a name, email or phone number.

9. Changes

This policy may be updated. In case of a substantial change, we will inform you by email (partners) or via a notification on the site. The last-updated date is shown at the top of this document.