Privacy Policy | wakesys

This Privacy Policy explains how wakesys sàrl ("wakesys", "we", "us", or "our") collects, uses, and protects your personal information when you use our booking platform.

Who We Are

wakesys provides booking and management software for activity-based entertainment venues such as aqua parks, trampoline parks, climbing gyms, and similar facilities ("Parks").

Data Controller:

wakesys sàrl
3, montée St. Hubert
8387 Koerich
Luxembourg

Contact: info@wakesys.com

The Multi-Park Account Model

When you create a wakesys account, you create a single account that works across all Parks using our platform worldwide. Here's how it works:

•One account, many Parks: You register once and can book at any wakesys-powered Park without re-registering.
•Parks see your data only after you book: A Park cannot access your profile until you make a booking or register on-site at that Park.
•Each Park is responsible for their customers: When you book at a Park, that Park becomes a data controller for your booking and visit data. wakesys acts as a data processor on their behalf.

What Data We Collect

Information You Provide

Data	Why We Need It
Name	To identify you and personalize your experience
Email address	Account login, booking confirmations, receipts
Phone number	Account recovery, booking confirmations
Date of birth	Age verification for activities, waiver requirements
Gender	Some Parks require this for safety equipment sizing
Address	Required for waivers and some Parks
Emergency contact	Safety requirement for many activities
Photo	Some Parks take your photo on-site to link you to your profile for identification at check-in
Payment information	Processed by our payment providers (Stripe, PayPal, Adyen, Omise); we never see your full card number

Information We Collect Automatically

Data	Purpose
Device and browser information	Security, fraud prevention, improving our service
IP address	Security, approximate location for language/currency
Pages visited and interactions	Understanding how to improve our platform
Session recordings (sampled)	Understanding how users interact with our platform to fix issues and improve usability. Personal information and payment details are automatically masked. Not all sessions are recorded.

Information About Your Visits

When you book at a Park, we collect:

What you booked and when
Check-in times
Signed waivers (including your signature)
Purchase history and receipts

How We Use Your Data

We use your data to:

Provide our service — Process bookings, send confirmations, manage your account
Safety and legal compliance — Manage waivers, verify age requirements, maintain records as required by law
Improve our platform — Analyze usage patterns, fix bugs, develop new features
Communicate with you — Booking confirmations, receipts, account notifications
Measure advertising effectiveness — Understand which ads lead to bookings (see "Advertising Measurement" below)
Marketing — With your consent, send you relevant offers

Legal Basis (GDPR)

Purpose	Legal Basis
Processing bookings	Contract performance
Sending booking confirmations	Contract performance
Waiver management	Legal obligation / Legitimate interest
Fraud prevention	Legitimate interest
Platform analytics and improvement	Legitimate interest
Financial record keeping	Legal obligation
Advertising measurement	Legitimate interest
Marketing emails	Consent

Who We Share Data With

Parks

When you book at a Park, that Park can access:

Your profile information (name, email, phone, date of birth)
Your booking history at their Park
Your waiver status and signed waivers for their Park
Your purchase history at their Park

Parks cannot see your activity at other Parks.

Parks may use your contact information to send you marketing communications. Each Park is responsible for their own marketing practices and compliance. To opt out of a Park's marketing, use the unsubscribe link in their emails or contact the Park directly.

Service Providers

Service	Purpose	Location
Amazon Web Services (AWS)	Database and hosting	Frankfurt, Germany (EU)
Stripe	Payment processing	USA (with EU data processing)
PayPal	Payment processing	Luxembourg (EU) / USA
Adyen	Payment processing	Netherlands (EU)
Omise	Payment processing (Asia-Pacific)	Thailand / Singapore
SendGrid	Email delivery	USA
Omnisend	Email marketing (Park integration)	USA / Lithuania (EU)
Hotjar	Session recordings and heatmaps (sampling only, personal data masked)	Malta (EU)

Advertising Measurement

When you complete a booking, we share data with advertising platforms to measure the effectiveness of our advertising campaigns. This helps us understand which ads lead to bookings so we can improve our marketing. Personal identifiers are hashed (one-way encrypted) before sharing; technical data is shared unhashed.

Partner	Purpose	Data Shared
Meta (Facebook/Instagram)	Conversion measurement	Hashed contact info (email, phone), hashed demographics (name, DOB, gender), hashed location (city, state, zip, country), IP address, browser info, purchase details
Google	Conversion measurement	Hashed contact info (email, phone), IP address, browser info, purchase details
TikTok	Conversion measurement	Hashed contact info (email, phone), IP address, browser info, purchase details

Important:

We only share data when you complete a booking, not when you browse
Personal identifiers (email, phone, name, DOB, gender, address) are hashed (one-way encrypted) before sharing
Technical data (IP address, browser info) and purchase details are shared unhashed
This is based on our legitimate interest in measuring advertising effectiveness
You can opt out (see "Your Rights" below)

Legal Requirements

We may disclose your data if required by law, court order, or to protect our rights, safety, or property.

International Data Transfers

Your data is primarily stored in the European Union (AWS Frankfurt). However, some of our service providers are based in the United States. Where we transfer data outside the EU, we ensure appropriate safeguards are in place, such as:

EU Standard Contractual Clauses
Adequacy decisions by the European Commission
Certification under recognized frameworks

Cookies

We use only essential cookies required for our service to function:

Cookie	Purpose	Duration
Session cookie	Keeps you logged in	Session
Security cookies	Prevents fraud and abuse	Session

We do not use advertising or tracking cookies.

Data Retention

Data Type	Retention Period
Account information	Until you request deletion
Booking history	Until you request deletion
Signed waivers	Retained indefinitely for legal protection
Receipts and invoices	Minimum 10 years (legal requirement)
Acceptance of legal terms	Retained indefinitely for legal protection
Visit records	Retained indefinitely for legal protection
Payment records	Minimum 10 years (legal requirement)

When you request account deletion, we:

Delete your personal profile information (name, email, phone, etc.)
Retain anonymized records of waivers, receipts, and legal acceptances as required by law
Cannot delete data already shared with Parks you've visited

Your Rights

Under GDPR, UK GDPR, and other privacy laws, you have the right to:

Right	What It Means
Access	Request a copy of your personal data
Rectification	Correct inaccurate data
Erasure	Request deletion of your data (subject to legal retention requirements)
Restriction	Limit how we process your data
Portability	Receive your data in a portable format
Objection	Object to processing based on legitimate interest, including advertising measurement
Withdraw consent	Withdraw consent for marketing at any time

How to Exercise Your Rights

To exercise any of these rights, including opting out of advertising measurement, contact us at info@wakesys.com with the subject line "Privacy Request".

Response Time: We will respond to your request within 30 days. If your request is complex or we receive many requests, we may extend this by an additional 60 days, but we will notify you within the first 30 days.

Identity Verification: To protect your privacy, we may ask you to verify your identity before processing your request.

Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing or quality of service for exercising your rights.

Right to Object to Advertising Measurement

You have the right to object to our processing of your data for advertising measurement purposes. If you object, we will stop sending your hashed data to advertising platforms (Meta, Google, TikTok) for conversion tracking.

To opt out, email info@wakesys.com with subject line "Opt Out of Advertising Measurement".

Supervisory Authorities

You have the right to lodge a complaint with a data protection supervisory authority:

Luxembourg: Commission Nationale pour la Protection des Données (CNPD) — cnpd.public.lu
United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
Other EU countries: Your local data protection authority

Marketing

From wakesys

We may send you:

Transactional emails: Booking confirmations, receipts, account notifications, booking reminders (necessary for the service)
Marketing emails: Promotional offers and new features (only with your consent; you can unsubscribe anytime)

Email Tracking

Our emails may contain tracking pixels and links that help us understand whether you opened the email and which links you clicked. This helps us improve our communications and ensure important messages are being received. You can disable image loading in your email client to prevent pixel tracking.

From Parks

When you book at a Park, they may contact you about offers, events, and promotions related to their services. Each Park is the data controller for their customer communications and is responsible for their own marketing compliance. To opt out, use the unsubscribe link in their emails or contact the Park directly.

Parks may use email marketing platforms (such as Omnisend) integrated with wakesys to send you marketing communications. When a Park uses these integrations, your data at that Park (email address, name, booking history at that Park) may be transferred to the email marketing platform on the Park's behalf.

Children's Privacy

Protecting the privacy of children is important to us. You must be at least 18 years old to create a wakesys account.

Children under 18 can be added to a booking by a parent or legal guardian, who provides information on their behalf and accepts responsibility for their data.

We do not knowingly collect personal information from children under 18 without parental involvement. If we learn that personal data has been collected from a person under 18 years of age without parental consent, we will take appropriate steps to delete this information.

If you are a parent or guardian and discover that your child under 18 has created an account without your consent, please contact us at info@wakesys.com and we will delete that child's personal data from our systems.

Security

We protect your data using:

Encryption in transit (HTTPS/TLS)
Encryption at rest for sensitive data
Secure password hashing
Regular security reviews
Access controls limiting who can view your data

However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If you believe your personal data has been compromised, please contact us immediately at info@wakesys.com.

If we become aware of a security breach affecting your personal data, we will inform you and the relevant authorities in accordance with applicable law.

Administrative Access

wakesys team members are authorized to access the administrative sections of the platform when fulfilling customer service requests, providing technical support, and investigating errors or issues. In such cases, they may be able to view:

Your profile information
Your booking history and transaction records
Your waiver and consent records
Park settings and configurations (for Park operators)
Financial and billing information

All wakesys team members are trained in data protection and privacy, and are bound by confidentiality obligations. We only access customer data when necessary to provide support or maintain the service.

We will not disclose any personal data without your consent, unless required by law, necessary to enforce our Terms of Service, or needed to provide services through third-party providers as described in this policy.

Additional Disclosures

For California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Categories of Personal Information Collected:

Identifiers (name, email, phone number, IP address)
Commercial information (booking history, purchases)
Internet activity (pages visited, interactions with our platform)
Geolocation data (approximate location from IP address)

Sharing for Advertising:

We share data with advertising partners (Meta, Google, TikTok) to measure advertising effectiveness. This includes hashed contact and demographic information, as well as unhashed technical data (IP address, browser info) and purchase details. Under CCPA, this may constitute "sharing" of personal information.

Your California Rights:

Right to Know: Request what personal information we've collected, used, and disclosed
Right to Delete: Request deletion of your personal information
Right to Correct: Request correction of inaccurate information
Right to Opt-Out of Sharing: Opt out of sharing for advertising measurement
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To Opt Out of Sharing for Advertising:

Email us at info@wakesys.com with subject line "Do Not Share My Information"

We will respond to your request within 45 days.

For United Kingdom Residents

If you are a UK resident, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to your personal information. Your rights are substantially the same as under EU GDPR.

International Transfers:

Your data may be transferred to countries outside the UK. Where we transfer data internationally, we rely on:

UK adequacy regulations
International Data Transfer Agreement (IDTA) or Addendum to EU SCCs
Other lawful transfer mechanisms

Complaints: You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

For Australian Residents

If you are an Australian resident, the Australian Privacy Principles (APPs) under the Privacy Act 1988 apply to your personal information.

Cross-Border Disclosure:

Your personal information may be disclosed to recipients in countries outside Australia, including:

United States (Stripe, PayPal, SendGrid, Omnisend, Meta, Google, TikTok)
European Union (AWS Frankfurt, Adyen, PayPal, Omnisend)
Asia-Pacific (Omise - Thailand/Singapore)

These overseas recipients may not be subject to the Privacy Act 1988 or the APPs. By using our service, you acknowledge and consent to this disclosure. If an overseas recipient handles your information in breach of the APPs, you may not be able to seek redress under Australian law.

Access and Correction:

You may request access to or correction of your personal information by contacting us at info@wakesys.com. We will respond within 30 days.

Complaints:

If you have a complaint about how we handle your personal information, contact us first at info@wakesys.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

Posting the updated policy on our website
Updating the "Last updated" date
For material changes, emailing you or displaying a notice in the app

Contact Us

If you have questions about this Privacy Policy or your personal data:

Email: info@wakesys.com

Address:
wakesys sàrl
3, montée St. Hubert
8387 Koerich
Luxembourg