
Privacy Policy

Last updated: April 7, 2026 · Effective: April 7, 2026

This Privacy Policy describes how World Corporation ("CWho", "we", "us", or "our") collects, uses, and protects information when you use our website at cwho.com and our web analytics, uptime monitoring, and related SaaS services (collectively, the "Service").

Privacy at a glance

  • CWho's tracking snippet is cookie-free and does not use localStorage for tracking.
  • No IP addresses are stored — they are used only for GeoIP lookup and then discarded.
  • We do not collect, store, or sell any Personally Identifiable Information (PII) about end-users of sites you track.
  • GDPR and CCPA compliant. No consent banner required for your visitors.
  • Data retention is based on your plan. Data is automatically purged after the retention period.

1. Who We Are

CWho is operated by World Corporation, a company registered in the United States.

World Corporation
500 Westover Dr #16900
Sanford, NC 27330 USA
Email: legal@worldcorp.co

For privacy-related inquiries, contact: privacy@cwho.com

2. Two Roles: Platform Users and End-Users

This policy covers two categories of people:

  • Platform Users — people who register for a CWho account and use the dashboard to monitor their websites. When we say "you" in this policy, we typically mean you as a Platform User.
  • End-Users — visitors to websites that have the CWho tracking snippet installed. We collect minimal, anonymised data about End-Users on behalf of Platform Users (our customers). CWho acts as a data processor in this context; the Platform User is the data controller.

3. Information We Collect About Platform Users

When you create a CWho account, we collect:

  • Your email address (used for login, alerts, and service communications)
  • Your name (optional, used for display purposes)
  • Your password (stored as a bcrypt hash — never stored in plain text)
  • Your timezone preference
  • Billing information — processed by Stripe. We store only the Stripe customer ID and subscription metadata. We never see or store your full card number.
  • Your IP address at registration and login, for security and fraud prevention. Not stored long-term.

4. Information Collected by the Tracking Snippet

When a visitor lands on a website using the CWho tracking snippet, the following information is sent to our servers:

What is collected

  • Page URL, path, and title
  • HTTP Referrer (the page the visitor came from)
  • UTM campaign parameters from the URL query string
  • Screen width and height
  • User-Agent string (parsed server-side into device type, browser, and OS)
  • Preferred language (navigator.language)
  • Time on page (sent on page unload via visibilitychange)
  • IP address — used only for country/city GeoIP lookup and daily visitor hashing (see below). Never stored.

What is NOT collected

  • No cookies are set by the tracking snippet
  • No localStorage or sessionStorage is used for tracking
  • No IP addresses are stored in our database
  • No cross-site tracking or device fingerprinting
  • No individual user profiles or persistent identifiers
  • No advertising or marketing profiling

Cookie-less visitor identification

To count unique visitors without cookies, CWho uses a daily-rotating hash:

visitor_hash = SHA256(ip_address + ":" + user_agent + ":" + date)

The hash rotates every day, meaning a visitor on Monday and the same visitor on Tuesday are treated as different visitors. The IP address is never stored — only the hash is persisted, and it cannot be reversed to obtain the original IP. This approach is consistent with GDPR guidance on pseudonymisation.

5. How We Use Information

We use collected information to:

  • Provide and operate the CWho Service
  • Send transactional emails (account verification, password reset, uptime alerts, digest reports)
  • Process payments via Stripe
  • Display analytics dashboards to Platform Users
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations
  • Improve the Service (using aggregated, anonymised usage patterns)

We do not:

  • Sell your data or End-User data to third parties
  • Use End-User data for advertising or marketing purposes
  • Share your data with third parties except as described in Section 6

6. Third-Party Services

CWho uses the following third-party services to operate the platform:

  • Stripe — payment processing. Stripe's Privacy Policy applies to payment data.
  • Resend — transactional email delivery (alerts, password resets, digest emails).
  • Cloudflare — DNS, CDN, and DDoS protection. Cloudflare may process IP addresses in transit.
  • Cloudflare R2 — object storage for session replay recordings and heatmap data.
  • Hetzner — server infrastructure. Your data is hosted on servers located in the EU/US.
  • Sentry — application error tracking. Error logs may contain request metadata (no PII).
  • MaxMind GeoLite2 — IP-to-country/city lookup. Lookups happen server-side; the IP is not sent to MaxMind.

7. Data Retention

Analytics event data is retained based on your plan:

  • Free: 7 days
  • Starter: 90 days
  • Pro: 1 year
  • Agency: 2 years

Data beyond your retention period is automatically purged in scheduled cleanup jobs. Uptime check data and server metric data follow the same retention policy.

Account data (your email, name, subscription status) is retained for the lifetime of your account and for up to 90 days after account deletion for legal and dispute purposes.

8. GDPR Compliance

For Platform Users located in the European Economic Area (EEA) or United Kingdom, the following applies:

  • Legal basis: We process your account data under the contract legal basis (to provide the Service you signed up for). We process payment data under legal obligation (tax, accounting).
  • Your rights: You have the right to access, rectify, erase, restrict, or port your personal data. To exercise these rights, email privacy@cwho.com.
  • Data transfers: Your data may be processed on servers located outside the EEA (e.g., US). We rely on Standard Contractual Clauses (SCCs) where required by GDPR Article 46.
  • Data Protection Officer: We have not appointed a DPO as we do not process data at a scale that requires one. Contact privacy@cwho.com for any data protection queries.

No consent banner required

Because CWho does not use cookies and does not collect PII about End-Users, you are not required to include CWho in a GDPR or ePrivacy consent management flow on your website. You may wish to mention CWho in your own privacy policy as a data processor that collects anonymised analytics.

9. CCPA (California) Compliance

CWho does not sell personal information as defined by the California Consumer Privacy Act. California residents may request access to or deletion of their personal information by emailing privacy@cwho.com.

10. Data Security

We take the following measures to protect your data:

  • All data transmitted to and from CWho is encrypted via TLS (HTTPS).
  • Passwords are hashed using bcrypt with a cost factor of 12.
  • Database access is restricted to internal services only — never publicly exposed.
  • API keys and session tokens are stored hashed or encrypted at rest.
  • Regular automated backups to encrypted Cloudflare R2 storage.
  • Security updates are applied promptly to all system packages.

No method of transmission over the internet is 100% secure. In the event of a data breach that affects your personal data, we will notify you in accordance with applicable law.

11. Cookies and Tracking on CWho.com

CWho.com (this website) uses only strictly necessary cookies for session management (a session cookie to keep you logged in). We do not use advertising cookies or third-party tracking cookies on our own website.

12. Children's Privacy

CWho is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us at privacy@cwho.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered Platform Users of material changes via email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

World Corporation
500 Westover Dr #16900
Sanford, NC 27330 USA
Email: legal@worldcorp.co
Privacy inquiries: privacy@cwho.com
