Privacy policy

How we handle
your data.

Effective May 1, 2026. Winglo is committed to handling customer data with transparency, restraint, and operational integrity.

1. Who we are

Winglo ("we," "us," "our") is an AI-native operational workspace platform. We process data on behalf of businesses ("Customers") and their end users. This Privacy Policy describes our practices as a data controller for our marketing website and as a data processor on behalf of our Customers for the Winglo platform itself.

2. Data we collect

We collect information in two contexts:

Account and workspace data

When you create a Winglo account or workspace, we collect: email address, business name, and any information you voluntarily provide during onboarding. We do not require payment card details to access the beta product.

Operational data you provide

Winglo agents process the operational data you connect or input — including analytics signals, content drafts, and workflow configurations. This data is processed strictly to deliver the service and is never used to train foundation models.

Usage and telemetry

We collect anonymized product usage telemetry (page views, feature interactions, error rates) to understand how to improve the platform. This data cannot be used to identify individual users or their operational content.

Communications

If you contact us or subscribe to product updates, we retain your email address and message history for customer support and product communication purposes.

3. How we use your data

  • To operate and improve the Winglo platform and its agents
  • To authenticate users and manage workspace access
  • To send transactional communications (account alerts, workspace notifications)
  • To provide customer support
  • To detect and prevent fraud, abuse, or security incidents
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use Customer operational data for advertising or marketing purposes.

4. AI models and data processing

Winglo uses frontier AI models provided by third-party model providers ("Model Providers"). All data shared with Model Providers is subject to contractual no-training clauses — your data is never used to train or fine-tune any foundation model.

Every agent inference is logged with: the model identifier, timestamp, workspace ID, and a hash of the input and output. These logs are available for Customer review and are retained for the duration of your subscription plus 90 days.

5. Data residency and infrastructure

All Winglo Customer data is hosted within the European Union. Primary database storage and authentication run on Supabase infrastructure in Dublin, Ireland (AWS eu-west-1). Application servers and background workers run on Contabo infrastructure in Nuremberg, Germany.

No Customer operational data is transferred outside the EU without explicit Customer instruction. Customers on the Operate and Enterprise plans may request alternative residency regions where supported.

6. Data sharing and sub-processors

We share Customer data only in the following circumstances:

  • With Anthropic (PBC), under a signed Data Processing Addendum, solely to operate agent inference. Inputs are not used for model training and are retained by Anthropic for a maximum of 30 days for abuse monitoring.
  • With Supabase (Dublin, Ireland) for database hosting, authentication, and file storage under a Data Processing Addendum.
  • With Contabo GmbH (Nuremberg, Germany) for application hosting under a Data Processing Addendum.
  • With Resend for transactional email delivery (brief-ready and content-ready notifications).
  • With PostHog (EU cloud) for product analytics when you accept analytics cookies.
  • With Brave Search, Exa, Firecrawl, and Apify for platform-level market research signals (no Customer credentials required).
  • With Orshot for image rendering of marketing designs.
  • With Postiz (self-hosted on Contabo) for social publishing when you connect channels.
  • With Customer-authorized third-party integrations (e.g. Postiz, Canva, Slack) that you explicitly connect.
  • When required by law, legal process, or governmental authority.
  • In the event of a merger or acquisition, with appropriate Customer notice.

6a. Right to erasure

Under Article 17 of the GDPR you have the right to request deletion of your personal data. You can self-serve this from Settings → Danger Zone, which permanently removes your business profile, agent configurations, reports, chat history, alerts, campaigns, and analytics. You may also email privacy@winglo.ai to request a full export and erasure; we respond within 30 days.

7. Data retention

Account data is retained for the duration of your active subscription. Upon cancellation or account deletion, operational data is deleted within 30 days and audit logs within 90 days, unless a longer retention period is required by applicable law or requested by the Customer.

Customers may request full workspace export and erasure at any time by contacting privacy@winglo.ai.

8. Security

Winglo implements encryption at rest (AES-256) and in transit (TLS 1.3). Workspaces are logically isolated per tenant. Access to Customer data by Winglo employees is restricted, logged, and requires Customer-facing authorization in most cases. For full technical details, see our Security overview.

9. Your rights

Depending on your jurisdiction, you may have rights to: access, correct, delete, or export your personal data; withdraw consent; and lodge a complaint with a supervisory authority. To exercise any of these rights, contact privacy@winglo.ai with the subject line "Data rights request." We respond within 30 days.

For EU-based users, Winglo acts as a data processor under the GDPR. Your organization (the Customer) is the data controller. Our Data Processing Addendum governs these obligations — see DPA.

10. Cookies and consent

We use a small set of strictly necessary cookies for authentication, session management, and security. These do not require consent under the ePrivacy Directive. Any non-essential cookies (analytics, product telemetry) are blocked by default until you explicitly accept them via the cookie banner shown on your first visit. You can change your choice at any time by clearing your browser storage for winglo.ai.

11. Changes to this policy

We may update this Privacy Policy as the product evolves. Material changes will be communicated by email to account holders at least 14 days before they take effect. Continued use of the platform following notice constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions, data rights requests, or to report concerns: privacy@winglo.ai

Winglo · privacy@winglo.ai