Privacy Policy & GDPR Compliance Statement

Last updated: December 2025

StudioStacks B.V. (“Company”, “we”, “our”, “us”), trading as NowButtons, Call Now Button, and NowChats, is committed to protecting your privacy and ensuring transparent, GDPR-compliant handling of personal data.

This single document replaces and merges our previous Privacy Policy and GDPR Compliance Statement into one comprehensive, internationally compliant policy.

Our services include:

  • NowButtons floating action buttons
  • WhatsApp widget
  • Live Chat (NowButtons Chat)
  • Meeting Scheduler (Google Calendar integration)
  • WordPress plugin
  • Analytics, performance monitoring, and customer dashboard

1. Who We Are

StudioStacks B.V. Dr. Huber Noodtstraat 84 E 7001 DZ Doetinchem The Netherlands

Data Protection Contact: [email protected]

We operate globally and comply with the EU General Data Protection Regulation (GDPR).

Note to Users (Controllers): Our Data Processing Agreement (DPA) forms an integral part of our Terms of Service. By creating an account and using our services, you automatically accept this DPA, ensuring your use of NowButtons is compliant with Article 28 of the GDPR.

2. Key Definitions

  • “User” = website owners using our services
  • “Visitor” = visitors on websites where our scripts/widgets run
  • “Controller” = determines purposes of data processing
  • “Processor” = processes data on behalf of a controller

When we are the Controller

For data you provide directly to us when creating or managing your NowButtons account.

When we are the Processor

For data collected from visitors via your website using:

  • Live Chat
  • WhatsApp widget interactions
  • Buttons with contact actions
  • Meeting Scheduler
    We process this data strictly under your instructions.

3. What Data We Collect

We collect data from Users (account owners) and Visitors (on your sites).

3.1 Data We Collect From Users (Account Owners)

When creating an account (Free or Pro):

  • Email address
  • Domain name(s)

For paid plans:

  • Name
  • Billing address
  • Country
  • Company name (optional)
  • VAT number (if applicable)

Optional:

  • Support requests
  • Feedback forms
  • Newsletter subscriptions

We do NOT:

  • Track account-owner logins
  • Store IP logs for account-owner actions
  • Maintain behavioral or usage logs beyond essential error reporting

3.2 Data Collected From Visitors

A) Before interacting with any widget

We do not collect or store:

  • IP address
  • Personal data
  • Cookies
  • Session IDs
  • Metrics or analytics of any kind

B) When a visitor starts a Live Chat

We collect:

  • Name
  • Email
  • Chat message
  • Consent checkbox (boolean)
  • IP address (once, at chat start)
  • Start page URL
  • Activity timestamps (for chat threading)

We do not collect:

  • Phone number (unless added in the future)
  • Custom fields (except the Meeting Scheduler, which stores nothing)
  • Sensitive data (unless voluntarily provided)

C) LocalStorage data (stored on visitor’s device)

When a chat begins, the widget stores locally (not on our servers):

  • ably-transport-preference
  • cnb.channel-id
  • cnb.chat-client-persona-id
  • cnb.chat.client-persona containing:
    • visitor name
    • visitor email
    • visitor IP
    • start page URL
    • terms accepted boolean

This data remains on the visitor’s device and allows:

  • Returning to the active chat
  • “Resume chat” links (which only link back to the chat's start page)

D) Meeting Scheduler (Google Calendar)

To enable scheduling functionality, we connect to your calendar provider via OAuth.

We store:

  • Authentication Tokens: Strictly to maintain the connection with your calendar provider (stored securely in the User database).

We do not store or log meeting content on our servers:

  • No meeting details (title, description, location)
  • No attendee PII (names, emails) in our database
  • No event history logs

All booking information flows directly into the Google Calendar of the User.

E) No Button-Click Tracking

We do not log:

  • Phone button clicks
  • WhatsApp or Messenger or Telegram or Signal or Zalo or Viber or Line or Skype or WeChat button clicks
  • SMS or email button clicks
  • Link or anchor clicks
  • Map/location click-throughs

F) WhatsApp Widget Input

If a visitor types a message within our WhatsApp widget, this text is used solely to generate the wa.me link on the visitor's device. This input data is transient (client-side) and is not sent to, processed by, or stored on our servers.

G) Google Analytics (GA4)

Visitors may be tracked via the User’s own Google Analytics configuration.

If you use our hosted tools, we use Google Analytics with:

  • IP discarded for EU traffic
  • Event retention: 2 months
  • User data retention: 14 months
  • Advertising features: disabled

4. How Data Is Used

4.1 For Users

  • Providing and managing your NowButtons account
  • Delivering subscription services
  • Sending information about your account (renewals, updates)
  • Billing and invoicing

4.2 For Visitors

We process visitor data strictly to:

  • Deliver chat functionality
  • Route messages between visitor ↔ user
  • Display visitor’s approximate location (based on one-time IP lookup)
  • Resume conversations
  • Deliver missed messages to User via Brevo
  • Support Google Calendar event creation (no storage on our side)

We do not:

  • Profile visitors
  • Use visitor data for marketing
  • Sell or share visitor data

5. How Data Is Stored

5.1 Chat Data

Chat messages, visitor name/email, and metadata are stored on our servers for:

Retention: 12 months (default), adjustable by plan in the future.

5.2 LocalStorage

Chat state and identifiers remain in the visitor’s browser only.

5.3 Meeting Scheduler Data

We only retain the necessary OAuth tokens to keep the integration active. All actual meeting data (events, attendees) is ephemeral to our system and resides solely in your Google Calendar environment.

5.4 Security and Data Protection

We utilize technical and organizational security measures to protect your information, specifically regarding data accessed via Google APIs.

  • Encryption: All data in transit is encrypted via SSL/TLS (HTTPS). Sensitive data at rest, including authentication tokens, is stored in encrypted databases.
  • Network Security: We utilize Cloudflare CDN for secure traffic routing and protection against distributed denial-of-service (DDoS) attacks.
  • Access Controls: Access to production databases and sensitive user data is restricted to authorized personnel via secure authentication.

Google API Services User Data Policy

NowButtons' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. How Data Is Shared

We share only what is necessary to deliver our services.

6.1 Third-Party Processors

Brevo (Transactional emails and marketing communications)

Used as our email service provider for all transactional emails and marketing communications. This includes:

  • New account creation and welcome emails
  • Account verification and plugin activation emails
  • Lost password and password reset emails
  • Subscription confirmations, renewals, upgrades, cancellations
  • Billing notifications and payment-related emails
  • Security alerts and important account status messages
  • Missed chat notifications to Users
  • Emails to Visitors that contain a link back to the page where the chat started
  • Newsletters and marketing emails (only if you opted in)

To send these messages, Brevo processes data such as:

  • User name (if provided)
  • User email address
  • Domain name(s) associated with the account
  • Subscription and billing status where relevant
  • For missed chat notifications: Visitor name and the first message of the chat
  • For emails to Visitors: a link back to the page where the chat started (no identifiers are included)

We never include IP addresses in emails.

Return-to-chat emails contain only a link to the webpage, relying on LocalStorage in the visitor’s browser to reopen the active chat.

DigitalOcean

Primary database for:

  • Chat messages
  • Visitor-provided contact details
  • Timestamps
  • IP (once, at chat start)

Sentry

Used for error monitoring. Receives:

  • Visitor IP at chat start
  • URL
  • Device/browser metadata
  • Error context

Never receives:

  • Chat messages
  • Names or emails
  • Form data

Ably

WebSocket provider. Receives:

  • Live chat message transport only
  • No name, email, or stored data
  • Messages persist for max 2 minutes and then are deleted

Cloudflare

Content Delivery Network (CDN). Receives transient data including:

  • Visitor IP
  • Browser request metadata
    We do not access Cloudflare logs.

Google Analytics (GA4)

Receives:

  • Event data
  • Anonymized geo reference
  • No persistent IP
  • No PII

Google Calendar API (Meeting Scheduler)

Receives:

  • Event details directly from visitor form
  • No PII stored on our servers
  • No meeting logs stored

Postmark

Used for DMARC services and transactional emails regarding user signups.

Receives:

  • User email
  • IP address

Grafana Labs

Used for API observability and logging to ensure service stability.

Receives:

  • API logs which may include transient chat metadata and contact details involved in widget actions.

Slack

Used for internal team notifications regarding new account signups.

Receives (user data only, not visitor data):

  • User email
  • Domain name
  • Country

Google Cloud Platform

Used for storage of specific widget action values and supporting infrastructure.

Receives:

  • Action values
  • Widget configurations

Stripe

Handles billing. We do not see or store card data.

Other Providers

  • Tally (optional support forms)
  • e-Boekhouden (accounting)

7. International Data Transfers

Some of our processors may store or process data outside the EU.
When transfers occur, we rely on:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs)
  • GDPR-compliant safeguards

All vendors listed above maintain GDPR-compliant commitments.

8. Cookies & LocalStorage

Cookies Used

  • SESSION: required for account functionality (Users only)

LocalStorage Used (Visitors)

Used exclusively for Live Chat session continuity:

  • Chat persona ID
  • Name, email, IP (locally stored)
  • Terms acceptance
  • Channel identifiers

None of this data is transmitted until the visitor chooses to start a chat.

9. Legal Bases for Processing (GDPR)

We rely on the following:

Consent

  • Visitors submitting name/email in chat
  • Visitors booking meetings
  • Users subscribing to newsletters

Contractual Necessity

  • Delivering NowButtons services
  • Managing subscriptions
  • Processing payments

Legitimate Interests

  • Error logging (Sentry)
  • Security and fraud prevention
  • Service performance and stability
  • Event delivery (chat throughput)

Legal Obligations

  • Accounting (e-Boekhouden)
  • Tax compliance

10. Visitor Rights (GDPR)

Visitors have the right to:

  • Access their data
  • Rectify data
  • Request erasure (“right to be forgotten”)
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent at any time

Users can submit requests via: [email protected]

11. US State Privacy Rights (CCPA/CPRA)

For Users and Visitors located in California and other US states with specific privacy laws:

  • Service Provider Status: We act strictly as a “Service Provider” (and not a “Business” or “Third Party” that sells data) regarding visitor data.
  • No Sale of Data: We do not sell or share personal information as defined by the CCPA/CPRA.
  • Purpose Limitation: We process visitor data solely to fulfill our contractual obligations to the User and to improve the functionality of the service.

12. Data Deletion

Users (Account Owners)

  • Delete data manually in the dashboard
  • Request full account deletion via email
  • We purge all data within 14 business days, barring tax requirements

Visitors (Chat Data)

Users control deletion of their visitors’ chats.
On account deletion, all visitor chat data is deleted.

13. WordPress Plugin

The WordPress plugin transmits:

  • Site URL
  • WP version
  • Plugin version

It does not transmit:

  • Admin emails
  • Visitor data
  • Debug logs
  • PII

It does not proxy website visitor traffic.

14. Children’s Privacy

Our services are not intended for children under 16.
Users may not use our service to collect data from minors without valid legal basis.

15. Changes to This Policy

We may update this policy periodically. The “Last Updated” date at the top will reflect the current version.

Significant changes will be communicated via:

  • Email to account owners
  • Banner notices in the dashboard
  • Updated publication on our website(s)

16. Contact Information

StudioStacks B.V.
Dr. Huber Noodtstraat 84 E
7001 DZ Doetinchem
The Netherlands [email protected]

The only buttons your website needs!

And get ready to triple* your inbound business!
*C. Mansfield from Manco Media (UK) reported his phone calls/messages trippled after installing it.