Privacy Policy

Last updated: 9 April 2026

This policy explains how Cadu handles personal data. It applies to you, the Cadu customer — the person who signs up to build a website using Cadu.

For information about how Cadu handles personal data submitted to a Customer's website by website visitors, see Section 8 below and the Data Processing Agreement.

1. Who we are

Cadu ("we", "us", "our") is a WhatsApp-based website builder. For the purposes of this policy, Cadu is the data controller of personal data relating to its customers and the operation of cadu.app.

Contact: privacy@cadu.app

2. What data we collect

When you use Cadu as a customer, we collect:

• Your WhatsApp phone number, used to identify your account and deliver responses.
• WhatsApp messages you send to Cadu, including text and media attachments. These are used to understand and carry out your website edits, and form part of your account history.
• Website content you create through Cadu, including HTML, images, and other assets published to your site.
• Account and usage data, including subscription status, message budget, language preferences, and operational logs needed to run the service.
• Payment information if you subscribe or purchase credits. Card details are processed directly by our payment processor (currently Dodo Payments, which is the merchant of record for all Cadu subscriptions); we never receive or store card details. From the payment processor we retain a customer ID, the email address you provided at checkout (so we can match billing support enquiries to your account), subscription status, billing period, and other basic billing metadata.
• Referral data, if you join via a referral link or refer others.

3. Lawful bases for processing

We process your personal data on the following lawful bases under Article 6 of the GDPR:

• Performance of a contract — to provide the Cadu service to you under our Terms of Service.
• Legitimate interests — to operate, secure, debug, and improve the service, to prevent abuse, and to communicate operational updates. Where we rely on legitimate interests, you have the right to object (see Section 6).
• Legal obligation — to comply with applicable law, including tax and accounting requirements for paid plans.
• Consent — where applicable for any non-essential processing that requires it. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. How we use your data

• To build, edit, and host your website as you instruct via WhatsApp.
• To maintain version history so you can undo changes.
• To process payments and manage your subscription.
• To send you operational messages about your account and service.
• To detect and prevent abuse, fraud, and security incidents.
• To improve and debug the Cadu service.

5. Sub-processors and third parties

We use a small number of trusted sub-processors to deliver the service. The current list is published at cadu.app/sub-processors and includes Cloudflare, Anthropic, Dodo Payments, Meta (WhatsApp), and GitHub.

Some of these sub-processors are located outside the European Economic Area and the United Kingdom. Where personal data is transferred to such countries, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum, as the legal mechanism for the transfer.

6. Your rights

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comparable data protection law, you have the following rights with respect to your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data, subject to legal retention obligations.
• Restriction — ask us to restrict processing in certain circumstances.
• Portability — ask us to provide your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdrawal of consent — withdraw any consent you have given.
• Complaint — lodge a complaint with your local data protection supervisory authority. Cadu's lead supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP). You can also complain to the supervisory authority in your country of residence.

To exercise any of these rights, email privacy@cadu.app. We will respond within one month.

7. Data retention

We retain your website content and message history for as long as your account is active. If you cancel your subscription, your site will be taken offline and your data will be retained for 30 days in case you wish to reactivate. After that, it is permanently deleted, except where we are required to retain it by law (for example, billing records for tax purposes).

8. Data on Customer websites

When visitors interact with a website built using Cadu — for example by submitting a contact form — Cadu processes that information on behalf of the Customer. In that role, Cadu acts as a data processor, and the Customer is the data controller.

Cadu's obligations as processor are set out in the Data Processing Agreement, which forms part of every Customer's Terms of Service. If you are a website visitor and have a question about how your data is being handled, you should contact the operator of the website you visited. We will forward any direct requests we receive to the relevant Customer.

9. Security

We implement technical and organisational measures appropriate to the risk, including TLS encryption in transit, per-customer data isolation, restricted administrative access, and logging for incident detection. A summary of our security measures is set out in Annex 1 of the Data Processing Agreement. No system is perfectly secure, but we take reasonable steps to protect personal data.

10. Children

Cadu is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@cadu.app and we will delete it.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. If we make material changes, we will notify you via WhatsApp or email before the changes take effect.

12. Contact

For questions about this policy, to exercise your rights, or to raise a data protection concern, email privacy@cadu.app.