Privacy & Data Requirements

How Whatalo handles developer data and what developers must do to protect merchant and end-user data.

Effective Date: April 1, 2026 | Last Updated: April 1, 2026

This document has two sections. Section A describes how Whatalo collects and processes Developer data. Section B defines the data protection obligations every Developer must follow when handling Store Owner and End User data through the Whatalo Platform.

These requirements are grounded in Dominican Republic Law 172-13 on the Protection of Personal Data, GDPR principles for Developers serving European users, and industry-standard data protection practices.

Section A — How Whatalo Handles Developer Data

A.1 Data We Collect

When you register for the Whatalo Developer Program, we collect and process the following data:

Data Category	Examples	Purpose
Account Information	Full name, email address, company name, country	Account management, communication, identity verification
Plugin Metadata	Plugin name, description, version history, manifest data, icon, screenshots	Marketplace listing, review process, distribution
Usage Statistics	API call volume, error rates, Plugin installation/uninstallation events	Platform stability monitoring, rate limit enforcement, analytics
Payment Information	Bank account details, tax identification numbers	Revenue share payouts, tax compliance
Support Communications	Messages, tickets, and correspondence with Whatalo	Issue resolution, service improvement
Technical Logs	IP addresses, API request logs, authentication events	Security monitoring, debugging, abuse prevention

A.2 How We Use Developer Data

We use your data exclusively for:

Service Delivery — Operating the Developer Program, processing submissions, and facilitating Marketplace distribution.
Communication — Sending review decisions, policy updates, security alerts, and platform announcements.
Payments — Processing revenue share payouts and generating tax documentation.
Security — Detecting and preventing abuse, fraud, and unauthorized access.
Platform Improvement — Aggregated and anonymized usage data to improve API performance, documentation, and developer tools.

We do not sell Developer personal data to third parties.

We share Developer data only in these circumstances:

Recipient	Data Shared	Purpose
Payment Processors	Bank details, tax IDs, payout amounts	Processing revenue share payments
Store Owners	Developer name, company, support URL	Transparency for Plugin users
Legal Authorities	As required by law	Compliance with legal obligations
Service Providers	Operational data (encrypted)	Infrastructure, hosting, email delivery

A.4 Data Retention

Data Type	Retention Period
Account information	Duration of active account + 2 years after closure
Plugin metadata	Duration of listing + 1 year after removal
API and access logs	90 days (rolling)
Payment records	7 years (legal/tax compliance)
Support communications	3 years

A.5 Developer Rights

Under Dominican Republic Law 172-13 and applicable data protection laws, you have the right to:

Access — Request a copy of all personal data Whatalo holds about you.
Correction — Request correction of inaccurate or incomplete personal data.
Deletion — Request deletion of your personal data, subject to legal retention obligations.
Portability — Receive your data in a structured, machine-readable format.
Objection — Object to processing of your data for specific purposes.

To exercise these rights, submit a request through the Developer Portal. We will respond within thirty (30) calendar days.

A.6 Data Security

Whatalo implements the following measures to protect Developer data:

Encryption in transit (TLS 1.3) and at rest (AES-256).
Role-based access controls with principle of least privilege.
Regular security audits and penetration testing.
Incident response procedures with defined notification timelines.
Infrastructure hosted in SOC 2-compliant data centers.

Section B — Developer Data Protection Obligations

Non-compliance with these data protection obligations may result in immediate Plugin suspension, developer account termination, and potential legal liability.

B.1 Data Minimization

Only collect and process data that is strictly necessary for your Plugin's stated functionality.
Do not request OAuth scopes beyond what your Plugin actively uses.
Do not collect data "for future use" or speculative purposes.
Regularly audit your data collection practices and remove any unnecessary data.

Clearly inform Store Owners and End Users about what data you collect, why you collect it, and how you use it.
Obtain explicit consent before collecting any data not inherently required for the Plugin's core functionality.
Provide a clear, accessible privacy policy that covers all data collection and processing activities.
If your Plugin collects data from End Users (store customers), ensure the Store Owner has appropriate notices in place.

B.3 Data Security Requirements

Requirement	Standard
Encryption in Transit	TLS 1.2 or higher for all data transmission
Encryption at Rest	Encrypt all stored personal data using industry-standard algorithms (AES-256 or equivalent)
Access Controls	Implement role-based access controls; limit data access to personnel who need it
Authentication	Enforce strong authentication for all systems that process Platform data
Logging	Maintain audit logs of data access for a minimum of 90 days
Vulnerability Management	Regularly update dependencies and patch known vulnerabilities

B.4 Data Deletion on Uninstall

When a Store Owner uninstalls your Plugin:

You will receive an uninstall webhook notification.
Within thirty (30) calendar days of receiving the uninstall notification, you must delete all data associated with that store.
Exceptions: You may retain data required by law (e.g., tax records, transaction logs) for the legally mandated period, but must delete all other data.
You must be able to demonstrate compliance with deletion requirements upon request.

B.5 Prohibition on Data Sales

You must NEVER sell, rent, lease, or otherwise commercially transfer Store Owner or End User data to any third party. This prohibition survives termination of your developer account.

This includes:

Selling anonymized or aggregated data derived from Platform data.
Sharing data with advertising networks or data brokers.
Using Platform data to build or enrich profiles for sale.
Providing data to third parties for marketing purposes without explicit Store Owner consent.

B.6 Data Breach Notification

In the event of a data breach affecting data obtained through the Whatalo Platform:

Action	Timeline
Notify Whatalo	Within 48 hours of discovering the breach
Contain the breach	Immediately upon discovery
Notify affected Store Owners	Within 72 hours, in coordination with Whatalo
Provide incident report	Within 14 calendar days

Your breach notification to Whatalo must include:

Nature and scope of the breach (what data, how many records).
Date and time of discovery.
Containment measures taken.
Planned remediation steps.
Contact person for ongoing communication.

B.7 Privacy Policy Requirements

Your Plugin's privacy policy must, at minimum, include:

Identity — Your company name, contact information, and data protection officer (if applicable).
Data Collected — Specific categories of data your Plugin collects.
Purpose — Clear explanation of why each data category is collected.
Legal Basis — The lawful basis for processing (consent, legitimate interest, contractual necessity).
Third Parties — Any third parties with whom data is shared, and why.
Retention — How long data is retained and criteria for determining retention periods.
User Rights — How Store Owners and End Users can exercise their data rights.
Security — Overview of security measures protecting the data.
Updates — How changes to the privacy policy are communicated.

B.8 Legal Compliance

You must comply with all applicable data protection laws in the jurisdictions where your Plugin operates:

Jurisdiction	Applicable Law
Dominican Republic	Law 172-13 (Protection of Personal Data)
European Union	General Data Protection Regulation (GDPR)
United States	Applicable state laws (CCPA/CPRA for California, etc.)
Colombia	Law 1581 of 2012 (Habeas Data)
Mexico	Federal Law on Protection of Personal Data (LFPDPPP)
Other	Applicable local data protection laws in your markets

B.9 Data Subject Rights

You must provide mechanisms for Store Owners and End Users to exercise their data rights:

Right of Access — Provide copies of personal data upon request within 30 days.
Right of Correction — Correct inaccurate data upon request within 15 days.
Right of Deletion — Delete personal data upon request within 30 days (subject to legal retention).
Right of Portability — Provide data in a structured, machine-readable format upon request.
Right to Object — Allow individuals to object to specific processing activities.

B.10 Sub-Processors

If you use third-party services (sub-processors) to process data obtained through the Platform:

Maintain a list of sub-processors and make it available upon request.
Ensure sub-processors provide at least the same level of data protection as required by this policy.
Execute data processing agreements with all sub-processors.
You remain fully liable for the acts and omissions of your sub-processors.

Compliance Audits

Whatalo reserves the right to audit Developer compliance with these data protection requirements. Audits may be conducted:

As part of the Plugin review process (initial and updates).
In response to a data breach or security incident.
On a periodic basis (with reasonable notice).
In response to Store Owner complaints.

You agree to cooperate with audits and provide reasonable access to documentation, systems, and personnel as necessary.

For data protection inquiries, contact the Whatalo Developer Relations team through the Developer Portal.

On this page