Privacy Policy

Last updated: June 21, 2026

This Privacy Policy explains how We4Max ("We4Max", "we", "us") collects, uses, and protects your personal data when you use we4max.com and related services (the "Service"). We4Max is currently operated by We4Max, acting as the data controller. If you have any questions, contact us at privacy@we4max.com.

1. Scope

This policy applies to all users of the Service. By using the Service, you acknowledge the practices described here.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: your email address; and, if you sign in with Google, the name and profile picture Google provides. Passwords (for email sign-up) are stored only as secure cryptographic hashes — we never see or store your plaintext password.
  • Profile & profiling data: answers you give to self-improvement questions, your chosen language, and the segments derived from your answers.
  • Tasks & evidence: the tasks assigned to you, your submissions, and any evidence you upload to prove completion (photos, screenshots, links, or short text).
  • Gamification data: experience points, levels, streaks, your wCoin balance and transaction history, and your Impact Circle progress.
  • Referral data: your referral code, who referred you (if anyone), and limited technical details (IP address, browser user-agent) captured at signup to prevent abuse.
  • Device & security data: a device fingerprint computed in your browser from hardware and browser characteristics, plus technical signals (IP address, browser user-agent, event type) recorded for security and fraud prevention.
  • Usage data: the dates on which you are active, used to measure engagement and retention.
  • Communications: feedback, bug reports, and suggestions you submit, including any optional screenshots.

3. How We Collect It

  • Directly from you — when you sign up, answer profiling questions, submit task evidence, or send feedback.
  • Automatically — your device fingerprint, IP address, browser details, and activity dates.
  • From Google — if you choose Google sign-in (your email, name, and profile picture).

4. Why We Use Your Data & Legal Bases

We process your data to create and manage your account; assign and verify tasks; operate the rewards system; personalize tasks to your profile; prevent fraud and abuse; secure the Service; communicate with you; and improve the Service.

We4Max is a global service. We apply the protections of the EU General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK) to all users, wherever you are located, as our baseline standard.

Our legal bases for processing are: performance of our contract with you (providing the Service); our legitimate interests (security, fraud prevention, and service improvement); your consent where specifically requested; and compliance with applicable legal obligations.

5. Automated AI Screening of Evidence

When you submit a photo or screenshot as task evidence — and, for some tasks, short text submissions — it is sent to Anthropic’s Claude API for an automated pre-screening check that helps verify your submission matches the task. This automated check assists human review; it does not, by itself, finally approve or reject your task. Please do not include sensitive personal information in the evidence you upload.

6. Service Providers

We use the following providers to run the Service. Each processes data only as needed to provide its function:

  • Vercel (United States) — application hosting.
  • Hetzner (United States) — server hosting for our database, authentication, and file storage.
  • Cloudflare (United States / global) — DNS, content delivery, bot protection, and encrypted backups.
  • Anthropic (United States) — AI pre-screening of task evidence (see Section 5).
  • Resend (United States) — delivery of transactional emails such as password resets and the weekly digest.
  • Google (United States) — authentication, only if you choose Google sign-in.
  • Sentry (United States) — application error monitoring (diagnostic error reports only; configured to exclude personal data and session recordings).

Your device fingerprint is computed in your own browser using open-source software and stored by us; it is not sold or shared with any fingerprinting vendor.

7. International Data Transfers

Our infrastructure and several providers are located in the United States. If you access the Service from outside the United States, your data is transferred to and stored there. Where required, we rely on appropriate safeguards (such as standard contractual clauses) together with your consent or the necessity of the transfer to perform our contract with you.

8. Cookies and Similar Technologies

We use only essential cookies needed to operate the Service: a session cookie to keep you signed in, a cookie to remember your language preference, and a security cookie used by our bot-protection check. We do not currently use advertising or third-party tracking cookies. If we add any in the future, we will update this policy and request consent where required.

9. Data Retention

We keep your account and related data for as long as your account is active. In-app notifications are automatically deleted after 30 days, and backups are retained for 30 days. Security and fraud-prevention records are kept as long as necessary for those purposes. When you ask us to delete your account, we remove your personal data, except where we must retain limited information to comply with legal obligations or resolve disputes. Account deletion is currently handled on request — see Section 11.

10. Security

We protect your data with encryption in transit (HTTPS/TLS), hashed passwords, database-level access controls, and our fraud-prevention system. No system is perfectly secure, but we take measures reasonable for a service of our size.

11. Your Rights

We extend the following rights to all users, wherever you are located: to access your data, correct it, delete it, restrict or object to its processing, and request a copy in a portable format. These mirror the rights granted under the GDPR and the KVKK (Article 11), including the right to learn whether your data is processed and to request information about it.

To exercise any right — including account deletion or a copy of your data — contact us at privacy@we4max.com. We currently handle these requests manually and will respond within a reasonable time. You also have the right to lodge a complaint with the data protection authority that applies to you.

12. Children

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us their data, contact privacy@we4max.com and we will delete it.

13. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date shown above and, where appropriate, notify you within the app.

14. Contact

For any privacy question or to exercise your rights, email privacy@we4max.com.