GDPR
Effective: April 27, 2026
Who’s who
WerOrg powers branded buyback websites for independent resellers. That creates two distinct GDPR roles:
- The Operator (the reseller running the storefront) is the controller of Seller data submitted through their storefront. They decide what to collect, why, and for how long.
- WerOrg is the processor — we host the platform, store the data on the Operator’s behalf, and act only on their documented instructions. Our processor commitments live in the DPA.
For our own marketing site (wer.org), our Operator dashboard, and our billing relationship with Operators, WerOrg is the controller. That’s covered by our Privacy Policy.
Lawful basis
- Contract performance — processing a Seller’s buyback quote, generating a shipping label, paying them out.
- Legal obligation — tax records, anti-fraud requirements (e.g. stolen-IMEI checks where mandated).
- Legitimate interest — preventing fraud, debugging, securing the platform. We balance this against Seller rights and never use it for marketing or profiling.
Your rights
If you submitted data to a buyback site powered by WerOrg, you have the right to:
- Access — request a copy of the data held about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — subject to retention requirements for completed buybacks.
- Restrict processing — pause processing while a dispute is resolved.
- Portability — receive your data in a structured machine-readable format.
- Object to legitimate-interest processing.
- Lodge a complaint with your local supervisory authority.
How to exercise them
Email the Operator first — they’re the controller and can resolve most requests directly. The URL of the storefront you submitted on identifies them. If you can’t reach them or need WerOrg’s help, email [email protected] from the address you used to submit. We respond within 30 days, free of charge for reasonable requests.
Data residency & transfers
Operator and Seller data is stored in the United States (Supabase Postgres, US region; DigitalOcean App Platform). For EU/UK Sellers this constitutes an international transfer; we rely on the EU Standard Contractual Clauses (SCCs) and the UK addendum, executed with our sub-processors. Encryption at rest, row-level security (RLS), and our 12-month IMEI auto-purge serve as supplementary measures.
Sub-processors
Current sub-processors and what they do:
- Supabase (Postgres + Auth + Storage) — primary database
- DigitalOcean App Platform — application hosting
- Cloudflare — edge proxy
- Approximated — custom-domain SSL termination
- Stripe — subscription billing for Operators
- Resend — transactional email delivery
- EasyPost — carrier shipping label generation
- CheckMEND — stolen-IMEI lookup (US/UK)
- Upstash — precomputed-quote cache
We’ll email Operators 30 days before adding a new sub-processor.
Breach notification
If we confirm a security incident affecting your data, we notify affected Operators within 72 hours of confirmation, with the scope, impact, and remediation. Operators are then responsible for notifying their Sellers per Article 34.
Data Protection contact
We don’t currently have a designated DPO (we’re below the threshold). GDPR enquiries go to [email protected].
