What kind of businesses do you work with?

Mid-market operators who need real outcomes rather than another tool, restaurants, e-commerce, professional services, hospitality groups, B2B teams under ~200 people. Different sectors, common thread: there's a business decision to make, not just a build to ship.

How is wola different from a regular agency or dev shop?

Most agencies sell capability. Most dev shops build what's asked. We sit in the middle: strategic enough to push back on the brief, technical enough to ship the answer. We pick the right lever first, then we deliver it.

When do you NOT recommend AI?

Often. AI is a tool, not an outcome. If a clearer form, a better email flow, or a process change moves the number more reliably, we'll say so. We sell what works, not what's trendy.

What does an engagement look like end to end?

It starts with a conversation, no template. From there: a short discovery, a focused proposal, a 4–12 week build window, and a launch followed by measured iteration. You'll always know what we're doing and why.

Where are you based, and how do you work with clients abroad?

Florida and Portugal, one foot in the US, one in the EU. We work in both timezones, in English and Portuguese, with a remote-first process and deliberate in-person moments when they earn the trip.

Legal · for the European market

Privacy, in plain English.

We're a small studio. We don't sell data, we don't ad-target, and we don't set tracking cookies on this site. This page explains, in language a human can read, exactly what we collect when you contact us, and the rights GDPR gives you over that data.

Last updated: 22 May 2026
Effective: 1 June 2026
Applies to: wola.ai and all sub-domains
Jurisdiction: EU (GDPR) · US (Florida)

01 · Who we are

The “we” in this policy.

wola.ai is a small product studio operating from two bases. For the purposes of the GDPR, the data controller for personal data collected through this site is:

Legal entity: wola.ai, Lda. (Portugal), for visitors from the EEA, UK, and Switzerland.
US entity: wola.ai LLC (Florida), for visitors from the United States and elsewhere.
EU contact: Lisbon, Portugal · privacy@wola.ai
US contact: Miami, Florida, USA · privacy@wola.ai

If you'd like a written response to a privacy question, email privacy@wola.aiand we'll get back to you within five working days.

02 · What we collect

Only what you give us, and only what we need to reply.

When you fill in the contact form, send us email, or schedule a call, we collect these categories of personal data:

From the form: Your name, work email, the brief you write, and (optionally) a budget range you select.
From email or calls: Whatever you send us: addresses, attachments, content of your messages, the time and date of contact.
From scheduling: If you book through cal.com/wolaai, cal.com processes your name, email, and selected slot on our behalf.
Server logs: Standard request logs (IP address, user agent, requested URL, HTTP status, timestamp) for the standard short window needed for security and debugging.

We do not collect special-category data (health, religion, political opinions, etc.) and we ask you not to send any. We do not buy lists, enrich data, or pull anything from social profiles.

What we don't collect. No advertising IDs. No third-party tracking cookies. No fingerprinting. No precise location. We do not have a Facebook pixel, a Google Ads pixel, or any equivalent.

03 · Legal basis

Why we're allowed to hold this, under GDPR Art. 6.

For each thing we do with your data, there is a lawful basis under Article 6 of the GDPR. The ones we rely on are:

Art. 6(1)(b): Performance of a contract, or steps to enter one. When you contact us about a project, we use your data to reply, scope work, send proposals, and (if we go ahead) deliver the engagement.
Art. 6(1)(a): Your consent. For the optional newsletter: we only send it if you actively signed up. You can withdraw at any time via the unsubscribe link.
Art. 6(1)(f): Legitimate interests. For security logs, fraud prevention, and basic privacy-respecting analytics. We've balanced this against your rights and the impact is minimal.
Art. 6(1)(c): Legal obligation. For invoices and tax records we have to keep for a fixed number of years.

04 · How we use it

The specific things we do.

Reply to your message. A real person reads briefs and writes back, usually within one business day.
Scope and quote work. If we're a fit, we use the brief to draft a proposal and ballpark a timeline.
Run the engagement. If we sign a contract, we use your details to invoice, schedule meetings, share deliverables, and operate the build.
Stay in touch (only if you ask). The newsletter is opt-in. We send it ~every two weeks. Each issue carries a one-click unsubscribe.
Keep the site running. Server logs help us debug errors and block abuse. We aggregate or delete them quickly.

We don't use your data to train models. We don't feed your brief into a public LLM. We don't auto-share inquiries with anyone outside the people directly working on a reply.

06 · Transfers

When data leaves the EEA.

Some of our processors operate outside the European Economic Area (notably in the United States). When personal data is transferred outside the EEA, we rely on:

The EU–US Data Privacy Framework, where the recipient is self-certified; or
Standard Contractual Clauses approved by the European Commission, supplemented with the technical and organisational measures recommended by the EDPB.

You can request a copy of the transfer mechanism for any specific processor by emailing privacy@wola.ai.

07 · Retention

We delete on a schedule.

Inquiries that don't progress: Deleted 12 months after the last reply.
Inquiries that become engagements: Kept for the contract term + 24 months, then deleted (project history, references).
Invoices & tax records: 10 years (Portuguese tax code) / 7 years (Florida), as required by law.
Newsletter subscribers: Kept while you remain subscribed. Unsubscribe purges within 30 days.
Server logs: 30 days, then aggregated or deleted.

08 · Your rights

GDPR gives you specific rights. Here they are.

If you live in the EEA, the UK, or Switzerland, you have the rights listed below. To exercise any of them, email privacy@wola.ai. We will respond within one month (extendable to three for complex requests, as permitted by GDPR Art. 12(3)).

Access · Art. 15: You can ask for a copy of the personal data we hold about you.
Rectification · Art. 16: You can ask us to correct anything inaccurate or incomplete.
Erasure · Art. 17: “The right to be forgotten.” You can ask us to delete your data, unless we have a legal obligation to keep it.
Restriction · Art. 18: You can ask us to stop processing temporarily while a question is being resolved.
Portability · Art. 20: You can ask for your data in a machine-readable format to take elsewhere.
Objection · Art. 21: You can object to processing we do on the basis of legitimate interests.
Withdraw consent · Art. 7(3): Where we rely on consent (e.g. newsletter), you can withdraw it any time.
Automated decisions · Art. 22: We don't make decisions about you with automated systems. If we ever do, you'll have a right to human review.

We will not ask you to prove your identity beyond what's necessary to confirm the request is genuine.

09 · Cookies & analytics

This site uses one cookie. Maybe two.

We do not use tracking cookies. The site stores a small amount of data in your browser's localStorage:

wola.lang: Your language preference (EN or PT). Strictly necessary; no consent required.
wola.currency: Your preferred display currency on pricing pages. Strictly necessary.

For analytics we use Plausible, an EU-hosted, privacy-friendly product that doesn't set cookies and doesn't collect personal data. It records aggregate page views, referrers, and rough country-level location. It cannot identify you.

Because nothing on this site requires consent under the ePrivacy directive, you won't see a cookie banner. If we ever change this, we'll add a banner before anything new is set.

10 · Security

What we do to keep it safe.

We hold ourselves to the kind of standards we'd expect of a client's vendor. Specifically:

TLS 1.3 on every request, HSTS preload, modern cipher suites only.
Encryption at rest for all stored personal data.
Two-factor authentication is required on every team account.
Access to client data is restricted to the people actively working on that engagement.
We run a quarterly review of vendors, access lists, and retention timers.
In case of a personal data breach, we notify the supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Art. 33–34.

11 · Children

This site is not for under-16s.

Our services are for businesses, founders, and operators. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted information through our site, please email privacy@wola.ai and we will delete it.

12 · Changes

What happens when we update this policy.

When we change anything material, we update the “Last updated” date at the top and, for substantive changes, we publish a short changelog at the bottom of the page. For changes that would expand our processing, we contact subscribers directly before they take effect.

13 · Complaints

If something is wrong, write to us first.

Email privacy@wola.aiand we'll fix it. We mean that. A one-person team replies to that inbox.

If we've not resolved your complaint and you're in the EEA, you have the right to lodge a complaint with your national supervisory authority. For Portugal that's the CNPD; for other countries, see the EDPB members list. In the UK, that's the ICO.

Terms · Overview

Terms of service, in plain English.

These terms govern your use of wola.ai and any engagement we agree on. Specific projects are governed by a Master Services Agreement and Statement of Work that sit on top of these terms. Where they conflict, the signed agreement wins.

T1 · Acceptance

By using the site, you accept these terms.

Browsing this site, sending us a brief, or signing a Statement of Work constitutes acceptance of these terms in the form published at the time of that action. If you don't accept them, please don't use the site or contract us.

T2 · Services

What we do, and what we don't.

We offer design, engineering, AI, and marketing services on a project basis or as ongoing retainers. The scope, deliverables, timelines, and acceptance criteria for each engagement live in a signed Statement of Work.

We do not provide legal, tax, financial, medical, or regulated advice. Where our work touches a regulated domain (e.g. financial services, healthcare), you're responsible for compliance review by qualified counsel.

T3 · Engagements & payment

Money, milestones, and how we work.

Engagements are scoped in a Statement of Work signed by both parties.
Standard payment terms are 50% up front, 50% on delivery for fixed-scope work, or monthly in advance for retainers.
Invoices are due within 14 days of issue. Late payments accrue interest at the statutory rate.
Change requests are scoped, priced, and signed before work begins. We don't surprise you.
Currencies: EUR for EU clients, USD for US clients. Other currencies on request.

T4 · Intellectual property

You own what we build. We own our tools.

On full payment, all foreground IP we create for you: the code, the designs, the copy, transfers to you in full. You can use it, modify it, license it, sell it.

What we keep is our background IP: the internal tooling, design systems, code patterns, and general know-how we developed before or independently of your project. We grant you a perpetual licence to use any background IP embedded in your deliverables, but we retain ownership of it ourselves.

We may reference the work publicly (case studies, portfolio, talks) unless you explicitly ask us not to in the SOW.

T5 · Confidentiality

What's yours stays yours.

Anything you share with us in the course of an engagement: financials, roadmaps, customer lists, source code, strategic plans, is confidential. We don't share it with anyone outside the project team. We sign mutual NDAs on request.

Confidentiality survives the end of the engagement indefinitely for trade secrets, and for three years for other confidential information.

T6 · Warranties & liability

Honest about what we guarantee.

We warrant that our work will be performed with reasonable skill and care, and that deliverables will substantially conform to the acceptance criteria in the SOW for 30 days after delivery.

To the extent permitted by law, our total liability for any single engagement is capped at the fees paid for that engagement in the 12 months preceding the claim. We're not liable for indirect, consequential, or speculative damages (lost profits, lost revenue, lost data of a third party).

Nothing in these terms limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be limited by applicable law.

T7 · Termination

How to walk away cleanly.

Either party can terminate an engagement for material breach if the other party doesn't cure the breach within 14 days of written notice. Either party can terminate a retainer with 30 days' written notice for any reason.

On termination, we hand over all completed and in-progress deliverables, you pay for work done up to the termination date, and the confidentiality and IP clauses survive.

T8 · Governing law

Which courts decide what.

For clients contracting with our EU entity, these terms are governed by the laws of Portugal, and disputes fall under the exclusive jurisdiction of the courts of Lisbon. Where mandatory consumer-protection law in another EEA member state would apply, that protection is not displaced.

For clients contracting with our US entity, these terms are governed by the laws of the State of Florida, and disputes fall under the exclusive jurisdiction of the state and federal courts of Miami-Dade County.

Questions about either? Email legal@wola.ai.