Privacy Policy

followtheduck (followtheduck.app) is operated by OKQ (BE0677.687.629), Rue Louise Colen 10, 5004 Bouge, Belgium, Belgium ("we", "us", "our"). For privacy-related questions, contact us at privacy@followtheduck.app.

This Privacy Policy explains how we process personal data when you use followtheduck as a waitlist owner (account holder) or when you join a waitlist as a subscriber. It also describes the tools we provide to waitlist owners to honour data-subject requests.

If you join a waitlist, the waitlist owner is the data controller for your email and related signup data. OKQ acts as a data processor, handling that data on the owner's instructions to provide the waitlist service. If you create a followtheduck account, OKQ is the data controller for your account data.

Waitlist owners: email address, optional full name, account metadata (creation dates, session data), waitlist configuration, and audit logs of privacy-related actions in your account.

Subscribers: email address (normalized to lowercase), signup timestamps, consent version and consent text snapshot, validation status, referral and queue data where enabled, and unsubscribe history.

Technical data: server logs, session identifiers, and security-related metadata necessary to operate and protect the service.

We use personal data to provide and improve followtheduck, authenticate owners via magic links, deliver transactional emails (sign-in links, signup confirmations, unsubscribe links), operate hosted pages and embed widgets, enforce service limits, maintain security, comply with legal obligations, and support waitlist owners in responding to privacy requests.

Account holders: contract performance and legitimate interests in operating a secure SaaS platform.

Subscribers: the waitlist owner's legal basis (typically consent given when submitting the signup form). We process subscriber data on the owner's instructions as processor.

Security and compliance: legitimate interests and, where applicable, legal obligation.

Waitlist owners set a retention period per waitlist (default 24 months from consent). After that period, subscriber records are automatically purged. Owners may delete subscriber data earlier through the Privacy requests workspace or when a subscriber unsubscribes (permanent deletion). Account data is retained while your account is active and for a reasonable period thereafter where required by law or legitimate business needs.

We use trusted providers to run followtheduck, including:

- Supabase — EU-hosted PostgreSQL database (primary data storage) - Resend — transactional email delivery - Railway — application hosting

Where a provider is located outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses and supplementary measures where required.

Primary subscriber and account data is stored in the EU. Some sub-processors may process limited data in the United States or other countries. We assess transfers and apply contractual and technical safeguards consistent with GDPR requirements.

If we are the controller (e.g. for your owner account), you may request access, rectification, erasure, restriction, portability, or object to processing where applicable. Contact privacy@followtheduck.app.

If you joined a waitlist, contact the waitlist owner first — they are your controller. Owners can search, export, and erase subscriber data through the in-app Privacy requests workspace. Subscribers can unsubscribe via the link in their confirmation email.

We implement appropriate technical and organisational measures including encrypted sessions, hashed authentication tokens, access controls, and audit logging for privacy workspace actions. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

We use essential cookies for owner authentication and form security. When analytics is enabled, we use PostHog to measure page visits (data processed in the EU) without advertising profiles or cross-site ad tracking. Before you sign in, visits are anonymous. After you sign in, we link analytics to your account using a numeric account identifier only — we do not send your email address to PostHog for analytics. For details, see our Cookie Policy.

If you are in the EEA or Belgium and believe we have not addressed your concern, you may lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) or your local supervisory authority.

We may update this Privacy Policy from time to time. We will post the revised version on followtheduck.app and update the "Last updated" date. Continued use after changes constitutes acceptance of the updated policy where permitted by law.