Privacy Policy

Definitions

For the purposes of this Privacy Policy, the following terms have the meanings set out below.

Personal Data (Article 4 No. 1 GDPR): any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing (Article 4 No. 2 GDPR): any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Usage Data: information collected automatically, which may include IP addresses, domain names, browser type and parameters, operating system, pages visited within the platform, time and date of visits, time spent on each page, unique device identifiers, and other diagnostic data.

User: the individual who uses the Wexio platform. Unless otherwise specified, the User coincides with the Data Subject.

Data Subject: the natural person to whom the Personal Data refers.

Data Processor (Article 4 No. 8 GDPR): the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

Data Controller (Article 4 No. 7 GDPR): the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Unless otherwise specified, the Data Controller is Wexio.

Service: the service provided by Wexio as described in the Terms of Service and on wexio.io.

European Union (EU): unless otherwise specified, all references to the European Union include all current member states of the European Union and the European Economic Area (EEA).

Data Controller

The controller responsible for the processing of your Personal Data under this Privacy Policy is identified below. The Data Controller is responsible for the technical setup, administration, and distribution of the platform.

If you have any questions about this Privacy Policy, the information we hold about you, or wish to exercise any of your privacy rights, please contact us:

Legal Basis for Processing

We process your Personal Data only when we have a legal basis to do so under applicable data protection law. We may process your Personal Data if one or more of the following conditions applies:

• Consent: The Data Subject has given consent to the processing of their Personal Data for one or more specific purposes (Article 6(1)(a) GDPR).
• Contractual Necessity: Processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract (Article 6(1)(b) GDPR).
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) GDPR).
• Public Interest: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e) GDPR).
• Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data (Article 6(1)(f) GDPR).

Users may contact the Data Controller at any time to find out the specific legal basis applied to each particular processing activity, including whether providing Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Data Collection & Processing

The data collected by Wexio is either provided directly by you or collected automatically when you use our platform. All data requested by Wexio is obligatory unless stated otherwise. Failure to provide required data may make it impossible for Wexio to provide its services.

Automatically Collected Data

Wexio may collect the following data automatically when you access the platform:

• Date and time of access
• Browser type and settings
• Operating system
• Referring page URL
• Data transferred and access status (HTTP status code)
• IP address

Temporary storage of the IP address by the system is necessary to enable delivery of the platform to the User's device. For this purpose, the User's IP address must remain stored for the duration of the session. Storage in log files is carried out to ensure the functionality of the platform and to optimise it, as well as to ensure the security of our information technology systems. Our legitimate interest in data processing in accordance with Article 6(1)(f) GDPR lies in these purposes.

Data Provided by You

Your data is stored on our servers. We do not store this data together with other Personal Data beyond what is described above. We do not evaluate data on a personal basis for marketing purposes.

The storage and hosting of our platform is performed by our cloud infrastructure providers (Amazon Web Services, Vercel). These providers process inventory data, contact data, content data, contract data, usage data, metadata, and communication data of visitors. They are contractually bound by Data Processing Agreements (DPAs) to process data only on our documented instructions.

GDPR Rights (EU/EEA/UK)

If you are based in the EU, EEA, or United Kingdom, you are entitled to exercise the following rights free of charge under the General Data Protection Regulation:

• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).
• Right of Access: You have the right to obtain confirmation as to whether your Personal Data is being processed, and if so, to access the Personal Data and certain information about the processing (Article 15 GDPR).
• Right to Rectification and Erasure: You have the right to obtain the rectification of inaccurate Personal Data. You also have the right to obtain the erasure of your Personal Data where any of the grounds set out in Article 17 GDPR applies (Articles 16 & 17 GDPR).
• Right to Restriction: You have the right to obtain restriction of processing where one of the grounds set out in Article 18 GDPR applies (Article 18 GDPR).
• Right to Data Portability: You have the right to receive the Personal Data you have provided in a structured, commonly used, and machine-readable format, and to transmit it to another controller (Article 20 GDPR).
• Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your Personal Data based on Article 6(1)(e) or (f), including profiling. The Data Controller shall no longer process the Personal Data unless it demonstrates compelling legitimate grounds (Article 21 GDPR).

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).

Third Country Transfers

Where we transfer Personal Data to a third country (outside the EU/UK/EEA), we ensure that such transfers comply with applicable data protection legislation:

• We only transfer data to third countries with a recognised level of data protection by way of an adequacy decision (Article 45 GDPR), or in the presence of appropriate safeguards such as EU Standard Contractual Clauses (Article 46(2)(c) GDPR).
• As part of the EU-US Data Privacy Framework, the European Commission has recognised the data protection level of certain US companies as adequate. Our key US-based providers (Google, Stripe, Vercel) are certified under this framework.
• All sub-processors are bound by Data Processing Agreements and act solely on our documented instructions. They are carefully selected, authorised, and regularly monitored for compliance.

Data Security

We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure, or access. Our security measures are continuously reviewed and improved in line with technological developments.

• TLS 1.2+ encryption for all data in transit (HTTPS enforced with HSTS headers)
• AES-256 encryption for all data at rest
• Access controls and role-based permissions for internal systems
• Regular security audits and vulnerability assessments
• Encrypted database backups with documented recovery procedures

Children's Privacy

Wexio does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information from our servers.

Data Retention

In accordance with Articles 17 and 18 GDPR, we store Personal Data only for as long as is necessary for the respective purpose of processing. Once the purpose has been fulfilled, the data is routinely deleted or restricted from further processing in accordance with the statutory provisions.

• Server log files are deleted after 30 days.
• Account data is retained for the duration of your active subscription and deleted upon account deletion, subject to any applicable legal retention periods.
• Data may be retained beyond the original purpose only where required by law (for example, statutory retention obligations under commercial or tax law).
• Backup data is retained for up to 90 days after deletion from production systems.

Cookies & Tracking Technologies

Our platform uses cookies and similar tracking technologies. A cookie is a small text file stored on your device when you visit our website. Cookies are widely used to make websites work more efficiently and to provide reporting information.

We use both first-party and third-party cookies. For complete details about the types of cookies we use, their purposes, and how to manage them, please see our Cookie Policy.

Analytics & Third-Party Services

We use analytics services to understand how our platform is used and to improve our services. These services may process information such as your IP address, browser type, pages visited, and session duration.

Newsletter & Communications

If you subscribe to our newsletter, we use a double opt-in process to confirm your subscription. We process your email address for newsletter delivery based on your consent (Article 6(1)(a) GDPR).

You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting us directly. We may analyse newsletter campaigns to measure open rates and click-through rates using web beacon technology for optimisation purposes. Technical information (time of retrieval, IP address, browser type, and operating system) is collected during this process.

Payment Processing

We use Stripe for payment processing and subscription management. When you make a payment, Stripe may collect your name, email address, billing address, and payment method details. Stripe is certified as a PCI Level 1 Service Provider - the highest level of certification available in the payments industry.

We do not store credit card numbers, CVV codes, or full payment details on our servers. All payment data is handled directly by Stripe.

Social Media Integrations

Our website may contain links to social media platforms. If you interact with these links, the respective social media provider may collect data about your visit. We have no control over the data collected by these third parties. Please review the privacy policies of the respective providers:

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes will be communicated to you through appropriate means, such as a prominent notice on our platform or an email notification, at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The date at the top of this policy indicates when it was last updated. Your continued use of the platform after changes take effect constitutes your acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us: