Whale Laboratories, Inc. Privacy Notice

This Privacy Notice is designed to help you understand how Whale Laboratories, Inc. ("Whale Laboratories," "we," "us," or "our"), the company behind Goby Wifi and bubble.surf, collects, uses, and shares your personal information, and to help you understand and exercise your privacy rights. This Privacy Notice covers all Whale Laboratories websites and services, including those accessible through gobywifi.com, bubble.surf, guest.surf, and wlab.surf.

Last Updated on June 2, 2026

1. SCOPE AND UPDATES

This Privacy Notice applies to personal information processed by us, including on our websites, platforms, and other online or offline offerings. To make this Privacy Notice easier to read, our websites and other offerings are collectively called the "Services."

The Services are intended for use only in the United States, including by users physically present at participating locations where Goby-powered services are offered.

Our Role as Controller vs. Processor.Where we collect information through our own websites, accounts, billing, support, marketing, security tools, and analytics, we act as a controller (or "business" under California law). Where we process data on behalf of our business customers through our platform products (e.g., guest WiFi session logs, captive portal interactions, and access code usage), we act as a processor (or "service provider" under California law). Our processing of such Customer Data is governed by contracts with our business customers, not this Privacy Notice. Questions about Customer Data should be directed to the business you visited.

Changes to This Privacy Notice. We may revise this Privacy Notice from time to time. If there are material changes, we will notify you as required by applicable law. The updated Privacy Notice applies to information processing that occurs after its effective date.

2. PERSONAL INFORMATION WE COLLECT

The categories of personal information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.

A. Information You Provide to Us Directly

Account Information. When you create an account, we collect your first and last name, position, business email address, and phone number.
Purchases. We collect information associated with your purchases, including billing details. Payments are processed by third-party payment processors; we do not directly collect or store payment card numbers.
Communications. When you contact us for support, request information, or register for our newsletter, we collect your name, business email address, and/or phone number.
Events. We may collect personal information when we attend or host conferences, trade shows, and other events.
Job Applications. If you apply for a job, we may collect your application, CV, cover letter, and related information.

B. Information Collected Automatically

When you use our websites (gobywifi.com, bubble.surf, guest.surf, wlab.surf), we may automatically collect:

IP address, browser type and version, operating system, device type, and Internet service provider.
Cookie identifiers and similar technologies (see below).
Approximate location derived from IP address.
Pages you visit on our websites, referring and exit pages, and timestamps.

C. WiFi and Network Product Data

Our Goby Wifi platform involves hardware and software deployed at our customers' businesses. When end users interact with a Goby-powered captive portal, the following data may be collected on behalf of the business operator (our business customer):

Device identifiers. MAC addresses are collected for network access control purposes. MAC addresses are hashed before storage and are not used for marketing or advertising. They are retained only as long as needed for session management and aggregate analytics.
Session data. Connection timestamps, session duration, and access code usage.
Network metadata. Device type (e.g., laptop, phone) and connection protocol. We do not inspect, log, or store the content of network traffic, browsing history, DNS queries, or search terms of WiFi users.

This data is collected and processed by Whale Laboratories as a processor on behalf of the business operator (the controller). The business operator's own privacy policy governs their use of this data.

D. Cookies and Similar Technologies

We use cookies and similar technologies ("Technologies") on our websites for the following purposes:

Operationally Necessary. Technologies required for website functionality, security, and fraud prevention.
Performance and Analytics. Technologies that help us understand how visitors use our websites and improve our Services.
Functionality. Technologies that enable enhanced features when accessing our websites.

We do not use advertising or targeting cookies on our websites. We do not serve third-party ads on our Services.

E. Information from Other Sources

We may obtain personal information about you from other sources, including through third-party services and organizations. For example, if you access our Services through a third-party application, we may collect personal information that you have made available via your privacy settings.

F. Receipt Verification Images

Some locations offer WiFi access in exchange for proof of a qualifying purchase. If you use this feature, you upload a photo of your receipt through a Goby-powered scanner. Unlike the network and session data described in Section 2.C—which we process as a processor on behalf of the business operator—we act as a controller (or "business" under California law) for receipt images and process them for our own purposes, as described in Section 3.

A receipt image may contain the merchant name, the items purchased, the date and time of the transaction, the transaction total, and, in some cases, the last four digits of a payment card or a loyalty or membership identifier. We do not need, request, or use full payment card numbers, and we ask that you obscure any full card number before uploading. We use receipt images to (i) verify your purchase and issue a WiFi access code; (ii) detect, investigate, and prevent fraudulent or abusive submissions; and (iii) develop, train, test, and improve our machine-learning models and the related features, accuracy, and security of our Services. We retain receipt images as described in Section 7.

G. bubble.surf Content and Social Features

If you use bubble.surf, we may collect information associated with the social features you use, including User Content you post, such as text and images if image posting is enabled; account or profile identifiers; the participating location where the interaction occurs; visibility and interaction information; and moderation records, reports, or enforcement actions related to User Content. User Content may be visible to other users and, where applicable, to the participating business operator.

3. HOW WE USE YOUR PERSONAL INFORMATION

We use your personal information for the following purposes:

A. Provide Our Services. Managing your information and accounts; providing access to features of our Services; responding to support requests; communicating about your account and policy changes; processing payments; processing job applications; and registering you for events.

B. Improve and Secure Our Services. Research and development; network and information security; fraud prevention; detecting security incidents; debugging; measuring interest and engagement; improving and enhancing our Services; ensuring quality control; authenticating identities; and complying with legal obligations.

C. Communicate with You. We may send you service-related communications and, where permitted by applicable law, marketing communications. You can opt out of marketing communications at any time (see Section 5).

D. Verify Receipts, Prevent Fraud, and Train Our Models. For locations that offer receipt-based WiFi access, we use the receipt images you upload (see Section 2.F) to verify your purchase and issue an access code; to detect, investigate, and prevent fraudulent, duplicate, altered, or otherwise abusive submissions, including by auditing submissions through both automated and manual review and, where warranted, limiting, suspending, or banning access; and to develop, train, test, and improve our machine-learning models and the accuracy and security of our Services. We act as a controller for these activities.

4. HOW WE DISCLOSE YOUR PERSONAL INFORMATION

We may disclose your personal information to the following categories of recipients:

Service Providers. Third-party vendors that assist us with providing our Services, such as hosting, payment processing, analytics, and customer support.
Business Partners. Partners that help us provide a product or service you have requested.
Affiliates. Our corporate affiliates.
Legal and Safety. Where required by law, subpoena, or other legal process, or where we believe disclosure is necessary to protect rights, safety, or property.
Business Transfers. In connection with a merger, acquisition, reorganization, or sale of assets.

We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA). We do not disclose personal information to third parties for cross-context behavioral advertising.

5. YOUR PRIVACY CHOICES

Email Communications. You can opt out of marketing emails using the unsubscribe link in any email. Service-related emails (e.g., account notifications, security alerts) are not optional.
Text Messages. You may opt out of text messages by following the instructions in the message or contacting us.
Cookies. You may stop or restrict the placement of cookies on your device by adjusting your browser settings. Disabling cookies may affect website functionality.
Do Not Track and Global Privacy Control. We do not respond to browser Do Not Track (DNT) signals, as there is no industry-standard implementation. We do honor Global Privacy Control (GPC) signals as a valid opt-out request where required by applicable law. If you enable GPC in your browser, we will treat it as an opt-out of the sale or sharing of personal information for that browser/device.

6. U.S. STATE PRIVACY RIGHTS

California. If you are a California resident, you may have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

Right to Know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we shared it.
Right to Delete. You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct. You may request that we correct inaccurate personal information we maintain about you.
Right to Opt Out of Sale/Sharing.You have the right to opt out of the "sale" or "sharing" of your personal information. As stated in Section 4, we do not sell or share personal information as defined under the CCPA.
Right to Limit Use of Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights.

How to Submit a Request. To exercise any of these rights, contact us at hello@gobywifi.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf; we may require proof of authorization.

Other U.S. States.Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights. To exercise your rights under applicable state law, contact us using the information in Section 14. If your request is denied, you may appeal by contacting us with the subject line "Privacy Rights Appeal."

Nevada. We do not currently sell your personal information as defined in Nevada Revised Statutes Chapter 603A. If you are a Nevada resident and wish to opt out of any future sale, contact us at hello@gobywifi.com.

7. RETENTION OF PERSONAL INFORMATION

We retain personal information only as long as reasonably necessary for the purposes described in this Privacy Notice, or as required by law. Retention periods vary by data type:

Account data: Retained for the duration of your account and for a reasonable period after account closure to resolve disputes and comply with legal obligations.
Billing and transaction records: Retained as required by tax and financial recordkeeping laws (typically 7 years).
Support communications: Retained for up to 3 years after the last interaction.
Marketing data: Retained until you opt out or request deletion.
WiFi session logs (processed as processor): Retention is determined by the operator. Whale Laboratories retains session data for up to 90 days by default unless otherwise configured by the customer.
Security and access logs: Retained for up to 12 months unless needed for an active investigation.
Job applicant data: Retained for up to 2 years after the application.
Receipt verification images: Retained for as long as necessary for the verification, fraud-prevention, and model-training purposes described in this Notice. We review retention periodically and de-identify or delete receipt images when they are no longer needed for these purposes or when required by law.

8. SECURITY OF YOUR INFORMATION

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit, access controls, and regular security assessments. However, no method of transmission over the Internet or electronic storage is completely secure. If we become aware of a security breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.

9. INTERNATIONAL DATA TRANSFERS

Our Services are primarily operated from the United States. If you access our Services from outside the United States, your personal information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country.

EU/UK/EEA Residents. If you are located in the European Union, United Kingdom, or European Economic Area, the following applies:

Legal Bases. We process your personal data based on: (a) your consent, where applicable; (b) the performance of a contract with you; (c) our legitimate interests (such as improving our Services, ensuring security, and communicating with you), provided these are not overridden by your data protection rights; and (d) compliance with legal obligations.
Your Rights. You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. You also have the right to withdraw consent at any time where processing is based on consent. To exercise these rights, contact us at hello@gobywifi.com.
Supervisory Authority. You have the right to lodge a complaint with a data protection supervisory authority in your country of residence.
International Transfers. When we transfer personal data outside the EU/UK/EEA, we rely on applicable legal mechanisms such as Standard Contractual Clauses.

10. CHILDREN'S INFORMATION

The Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us as described in Section 14 and we will take steps to delete such information.

11. THIRD-PARTY WEBSITES AND APPLICATIONS

The Services may contain links to other websites or applications that are not controlled by us. We encourage you to read the privacy policies of each website and application with which you interact. We are not responsible for the privacy practices or content of third-party websites or applications.

12. CLOUDFLARE TURNSTILE

We use Cloudflare Turnstile, a bot detection service provided by Cloudflare, Inc. ("Cloudflare"). Cloudflare's Privacy Policy and Turnstile Privacy Policy also apply to data processed through Turnstile on our Services.

What Turnstile Collects. Turnstile processes minimal signals to protect our websites against bots and malicious activity. According to Cloudflare, these signals may include your IP address, TLS fingerprint, user-agent header, and browser characteristics.

How Turnstile Uses Information. Turnstile evaluates visitor and website signals to distinguish human users from bots. This data is used solely for bot detection and blocking. Cloudflare may also process signals as a data controller to improve its bot detection capabilities.

Cookies.The signals collected by Turnstile are strictly necessary for detecting and blocking bots. For more information, refer to Cloudflare's Cookie Policy.

EU/UK Residents.Our legal basis for deploying Turnstile is our legitimate interest in protecting our websites against automated abuse. When Cloudflare protects our websites under our instructions, it acts as a data processor. When Cloudflare processes signals to improve its bot detection algorithms, it acts as a data controller. For questions regarding Cloudflare's data processing, you may contact Cloudflare's Data Protection Officer at dpo@cloudflare.com.

13. SENSITIVE PERSONAL INFORMATION

We do not intentionally collect sensitive personal information (such as government identifiers, financial account numbers, precise geolocation, racial or ethnic origin, health information, or biometric data) except where specifically required to provide our Services (e.g., billing information). Where we do collect sensitive information, we limit its use to purposes permitted by applicable law and do not use it for profiling or advertising.

Receipt images uploaded for WiFi access (see Sections 2.F and 3.D) may incidentally contain limited financial information, such as the last four digits of a payment card. We do not require or use full financial account numbers, we limit our use of any such incidental information to the purposes described in this Notice, and we do not use it for profiling or advertising.

14. CONTACT US

Whale Laboratories is the controller of the personal information we process under this Privacy Notice. If you have any questions about our privacy practices, wish to exercise your privacy rights, or need to submit a request, please contact us at:

Whale Laboratories, Inc.
Los Angeles, CA
hello@gobywifi.com

For general inquiries: hello@gobywifi.com