This Privacy Policy explains how Woolmoot ("we", "us", "our") collects, uses, and protects your personal data when you use our platform. It should be read alongside our Terms of Service.
Our core principle is simple: your data is yours. We collect only what is strictly necessary to provide the Service. We do not sell, rent, trade, or monetise your personal data or content. Ever.
The data controller responsible for your personal data is Woolmoot. For any privacy-related inquiry, contact us at contact@woolmoot.com.
| Category | Data | Purpose |
|---|---|---|
| Account | Name, email, password (hashed), language, currency | Account creation and authentication |
| Profile (optional) | Shop name, contact email, social handles, links | Personalisation of exported PDFs |
| Patterns | Sections, rows, notes, materials, settings, usage rights, translations | Pattern creation, PDF generation, translation |
| Images | Illustrations, in-pattern images, profile picture | PDF rendering, profile display |
| Preferences | Auto-save interval, default pattern language, marketing consent | Service personalisation |
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, fraud prevention, abuse detection | Duration of session |
| User agent (browser/device) | Session management, compatibility | Duration of session |
We do not collect browsing history, location data, keystroke patterns, or any form of behavioural tracking data.
Under GDPR Article 6, we process your data on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Account creation, pattern storage, PDF generation | Performance of contract (Art. 6(1)(b)) |
| Session security (IP, user agent) | Legitimate interest (Art. 6(1)(f)) |
| Pattern translation via third-party text processing | Performance of contract (Art. 6(1)(b)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Billing record retention | Legal obligation (Art. 6(1)(c)) |
| Abuse prevention (post-deletion log retention) | Legitimate interest (Art. 6(1)(f)) |
Your data is used exclusively to:
We do not use your data for profiling, automated decision-making, behavioural advertising, or any purpose not listed above.
| Data | Retained for | Reason |
|---|---|---|
| Account & profile data | Account lifetime + 30 days | Deletion processing window |
| Patterns, images, translations | Account lifetime + 30 days | Deleted with account |
| Session data (IP, user agent) | Session duration | Purged on session expiry |
| Backup copies | 90 days after deletion | Disaster recovery cycle |
| Billing records | 7 years | Tax law requirement |
| Anonymised email in logs | 12 months after deletion | Abuse prevention |
When retention periods expire, data is permanently and irreversibly deleted. We do not archive User Content after account deletion.
We never sell, rent, or trade your personal data. We share data only with the following sub-processors, strictly as needed to deliver the Service:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Neon | Database hosting | All account & pattern data | EU (AWS Frankfurt) |
| Cloudflare R2 | Image storage & CDN | Uploaded images | Global edge network |
| LemonSqueezy | Payment processing | Email, billing info | US |
| Resend | Transactional email | Email address | US |
| OAuth authentication | Name, email, picture | US | |
| Text processing provider | Text translation | Generic text only, sent anonymously | US |
| Vercel | Application hosting & deployment | HTTP requests, server-side rendering | Paris (FR), Frankfurt (DE), Washington DC (US) |
| Plausible Analytics | Privacy-friendly analytics | Aggregated page views (no personal data) | EU |
Each sub-processor is bound by a data processing agreement. We will notify you at least 14 days before adding or changing a sub-processor.
Only generic text (titles, notes, free-form descriptions) is sent anonymously to our text processing provider for translation. Stitch terms and abbreviations are translated locally using our built-in lexicon. No account identifier or sensitive pattern data is transmitted.
We may disclose your data only if required by law, court order, or to:
In such cases, we will notify you unless legally prohibited from doing so.
Your primary data (account, patterns, images) is stored within the EU (Neon on AWS Frankfurt, Cloudflare R2 with European edge nodes). Some sub-processors (LemonSqueezy, Resend, our text processing provider, Vercel) are located in the United States. For these transfers, we rely on:
No pattern content or account data is transferred outside the EU for storage purposes. Payment processing, transactional email, on-request text translation, and application hosting (Vercel) may involve US-based infrastructure. Vercel primarily serves requests from EU regions (Paris, Frankfurt) but may route traffic through US nodes.
We implement the following measures to protect your data:
No system is 100% secure. If we discover a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.
Woolmoot uses only strictly necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Keep you logged in | Until session expiry |
| CSRF token | Prevent cross-site request forgery | Per request |
We use Plausible Analytics for anonymous, aggregated usage statistics. Plausible is cookie-free and does not collect personal data. We do not use advertising cookies, tracking pixels, or any third-party cookies. Since we use only strictly necessary cookies as defined by the ePrivacy Directive, no consent banner is required.
Regardless of where you are located, you have the following rights over your personal data:
To exercise any right, email contact@woolmoot.com. We will respond within 30 days. If we need more time, we will inform you of the extension and the reason within that initial period.
You have all rights under GDPR Articles 15‑22. You may lodge a complaint with your local Data Protection Authority if you believe your rights have been violated.
You benefit from equivalent protections under the UK GDPR and the Data Protection Act 2018. Complaints may be filed with the Information Commissioner's Office (ICO).
Under the CCPA/CPRA, you have the right to:
Woolmoot does not sell or share personal information as defined by the CCPA. There is nothing to opt out of, but you may still submit a request and receive confirmation.
We respect data protection laws worldwide, including the French Loi Informatique et Libertés, German BDSG, Spanish LOPDGDD, Italian Codice della Privacy, Norwegian Personal Data Act, and Russian Federal Law No. 152‑FZ. Where local law provides stronger protections, those protections apply.
Woolmoot is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has created an account, contact us at contact@woolmoot.com and we will delete the account promptly.
Woolmoot does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you. The automated translation feature is a tool you explicitly trigger, and its output is always subject to your review and editing before export.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a prominent notice on the Platform at least 30 days before they take effect. The "Effective date" at the top of this page indicates the latest revision.
For any questions, concerns, or requests related to your privacy, contact us at contact@woolmoot.com.
See also our Terms of Service for the full terms governing your use of Woolmoot.