Privacy Policy

Last updated: April 10, 2026

Who we are

WBF Solutions is operated by Outer Trip SRL, a company registered in Bucharest, Romania (Commercial Registry ROONRC.J2007001933403, EU VAT RO54337952).

We develop and operate developer tools, MCP (Model Context Protocol) servers, and software products for infrastructure management, e-commerce, and content management.

This privacy policy covers all websites and services operated under the wbf.solutions, wbf.tools, and wbfdev.ro domains, including the client portal, product landing pages, documentation sites, and hosted API services.

Data controller: Outer Trip SRL, Bucharest, Romania
Contact: [email protected]

Data we collect

Information you provide directly

Name and email address when you create an account, subscribe to notifications, or contact us
Password (stored using one-way cryptographic hashing — we never store passwords in plain text)
Payment and billing details (processed entirely by our payment processor — we do not store credit card numbers on our systems)
Company name and VAT number for invoicing purposes
Messages and files you send via support channels, email, or contact forms

Information collected automatically

IP address (used for security, rate limiting, and abuse prevention)
Browser type, device type, and operating system
Pages visited, referral source, time on site, and interactions with our services
Server access logs (retained for security purposes)

Information from third-party services

We use third-party service providers for payment processing, analytics, security, advertising, and infrastructure. These providers may share limited data with us as part of delivering their services. The specific providers we use are listed in our Sub-Processors section below.

How we use your data

Service delivery: To create and manage your account, provide access to products, process payments, deliver purchased services, and respond to support requests
Communication: To send transactional emails (account verification, password resets, billing receipts, service notifications). To send product announcements and launch notifications if you have opted in — you can unsubscribe at any time
Security: To monitor for unauthorized access, detect abuse, enforce rate limits, verify human visitors via bot protection, and maintain server security logs
Analytics and advertising: To understand how visitors use our websites, measure advertising effectiveness, and improve our services. We may use analytics platforms and advertising pixels — these are activated only with your explicit consent where required by law
Legal compliance: To meet obligations under Romanian and EU law, including tax record retention and responding to lawful requests from authorities

Legal basis (GDPR Article 6)

Purpose	Legal basis
Analytics cookies, advertising pixels, marketing tracking	Consent — Article 6(1)(a)
Marketing emails and launch notifications	Consent — Article 6(1)(a)
Account creation and service delivery	Contract performance — Article 6(1)(b)
Payment processing	Contract performance — Article 6(1)(b)
Server security logs, rate limiting, bot protection	Legitimate interest — Article 6(1)(f)
CDN, DDoS protection, and security services	Legitimate interest — Article 6(1)(f)
Tax records and invoices	Legal obligation — Article 6(1)(c)

Data storage and security

All primary data is stored on servers located within the European Union. We implement industry-standard security measures including encryption in transit (TLS 1.2+), access controls, intrusion detection, firewalls, and regular security monitoring.

Data retention

Data type	Retention period
Server access and security logs	90 days
Email subscriber data	Until unsubscription
Client portal account data	Until account deletion, or 3 years of inactivity
Payment and invoice records	10 years (Romanian fiscal law)
Analytics data	Per provider defaults (typically 14–26 months)
Support correspondence	2 years after resolution

Sub-processors

We share personal data only with third-party service providers necessary to operate our services. Each provider processes data under appropriate agreements (DPA, SCCs where applicable).

We maintain a current list of sub-processors. The categories of sub-processors we use include:

Hosting and infrastructure — EU-based cloud hosting for servers and databases
CDN, DNS, and security — content delivery, DDoS protection, bot verification
Payment processing — subscription billing, invoicing, fraud prevention
Analytics — website usage statistics (consent-based)
Advertising and marketing — conversion tracking, retargeting pixels (consent-based)
Email delivery — transactional and marketing email relay
Social media integrations — embedded widgets, share functionality, login providers (if enabled)

For a detailed and current list of specific providers, contact us at [email protected].

We do not sell, rent, or trade personal data to third parties. Data is shared only with processors who need it to provide their services to us.

Your rights (GDPR)

As a data subject under GDPR, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your data (“right to be forgotten”)
Restriction — limit how we process your data
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — revoke consent for analytics, marketing, or advertising at any time

How to exercise your rights: Email [email protected] with your request. We will verify your identity and respond within 30 days. Client portal users can also manage their data and delete their account from the Profile settings page.

Supervisory authority: If you are unsatisfied with our response, you may file a complaint with ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal), Romania’s data protection authority, or with the supervisory authority in your country of residence within the EU.

International data transfers

Some of our service providers may process data outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs), as required by GDPR Chapter V. We evaluate the data protection practices of all international processors and only engage those who maintain adequate protections.

Open-source software

Our open-source software (such as MCP servers published on GitHub under MIT license) runs entirely on your own infrastructure. It does not transmit any data to WBF Solutions, does not include analytics or tracking, and is not covered by this privacy policy. Open-source software is governed solely by its license terms.

Children

Our services are not directed to individuals under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will delete it promptly.

Changes to this policy

We may update this policy as our services and legal requirements evolve. The “Last updated” date at the top reflects the most recent revision. For material changes, we will notify registered users via email and post a notice on our websites. Continued use of our services after notification constitutes acceptance.