Privacy Policy

Last updated: February 4, 2026

This Privacy Policy describes how WineFlow CRM ("we", "us", or "our") collects, uses, and shares your personal information when you use our website and services (collectively, the "Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly to us, including:

• Account Information: When you create an account, we collect your name, email address, company name, and password.
• Profile Information: Additional information you add to your profile, such as phone number, address, and business details.
• Customer Data: Information about your customers that you upload or enter into the Service, including names, contact details, and purchase history.
• Communications: When you contact us, we collect the content of your messages and any attachments.

1.2 Information We Collect Automatically

When you access or use our Service, we automatically collect:

• Log Data: IP address, browser type, operating system, referring URLs, pages visited, and timestamps.
• Device Information: Device type, unique device identifiers, and mobile network information.
• Usage Data: Features you use, actions you take, and time spent on the Service.
• Cookies and Similar Technologies: See our Cookie Policy for more information.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Process transactions and send related information
• Send technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Detect, investigate, and prevent fraudulent transactions and abuse
• Personalize and improve your experience
• Send promotional communications (with your consent)

3. Legal Basis for Processing (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide you with our Service and fulfill our contractual obligations.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Service, preventing fraud, and ensuring security.
• Consent: Where you have given explicit consent, such as for marketing communications.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.

4. Data Sharing and Disclosure

We may share your information in the following circumstances:

• Service Providers: With third-party vendors who perform services on our behalf (hosting, analytics, email delivery).
• Business Transfers: In connection with a merger, acquisition, or sale of assets.
• Legal Requirements: When required by law or to protect our rights, privacy, safety, or property.
• With Your Consent: In any other circumstances where you have given consent.

4.1 Third-Party Services

We use the following third-party services that may process your data:

• Google APIs: For email sending (Gmail API) and lead generation (Google Search API)
• FattureInCloud: For Italian e-invoicing compliance
• Cloudflare: For website security and performance

5. Data Retention

We retain your personal data for as long as necessary to:

• Provide you with our Service
• Comply with legal obligations
• Resolve disputes and enforce agreements

When you delete your account, we will delete or anonymize your personal data within 30 days, unless retention is required by law.

6. Your Rights Under GDPR

If you are a resident of the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your personal data.
• Right to Rectification: Request correction of inaccurate data.
• Right to Erasure: Request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing: Request limitation of how we use your data.
• Right to Data Portability: Request a machine-readable copy of your data.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, please contact us at [email protected]. We will respond within 30 days.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing using Argon2id
• Role-based access controls
• Regular security assessments and monitoring
• Data isolation between tenants

8. International Data Transfers

Your data may be transferred to and processed in countries outside the EEA. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Transfers to countries with an adequacy decision
• Binding Corporate Rules where applicable

9. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

12. Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

For Italy: Garante per la protezione dei dati personali - www.garanteprivacy.it