Privacy Policy
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 ("GDPR") and Italian Legislative Decree 196/2003 as amended by 101/2018 ("Italian Privacy Code"), this notice describes how we process your personal data.
1. Data controller
Everywhere S.r.l.
VAT: 07050840961
Registered office: [lawyer to complete]
Email: privacy@ew-flow.com
DPO: dpo@ew-flow.com
(appointment under review — see lawyer brief)
2. Categories of data processed
- Account data: email, given name, surname, phone (optional), Azure AD B2C identifier, profile preferences.
- Billing data: legal name, billing address, VAT, fiscal code, SDI recipient code, Stripe customer ID. We do not store payment card data — payments are processed by Stripe.
- Service usage data: workflow definitions, execution logs, AI agent conversations, workspace events.
- Technical data: IP address (truncated where possible), user-agent, authentication logs.
- Consent records: timestamped acceptances with IP and user-agent.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Service provision (signup, authentication, workspace management) | Art. 6(1)(b) GDPR — contract |
| Billing and tax obligations | Art. 6(1)(c) GDPR — legal obligation (Italian Civil Code art. 2220) |
| IT security and fraud prevention | Art. 6(1)(f) GDPR — legitimate interest |
| AI Agent (in-app assistant) | Art. 6(1)(b) + 6(1)(f), with explicit acknowledgement at first use |
| Marketing communications (newsletter, product updates) | Art. 6(1)(a) GDPR — explicit consent (opt-in) |
| Operational telemetry (Application Insights) | Art. 6(1)(f) for authenticated users; consent for public-site visitors |
4. Recipients and processors
Your data may be processed by service providers acting as processors under Art. 28 GDPR. See the full list at Sub-processors.
- Microsoft Azure (hosting, database, authentication, telemetry) — Italy (Italy North region).
- Stripe Payments Europe Ltd (billing) — Ireland; some processing in the US under DPF.
- [LLM provider for AI Agent — to be defined]
5. International transfers
Data is primarily processed in Italy (Azure "Italy North"). For any transfers to third countries (e.g. Stripe, LLM provider), we rely on Standard Contractual Clauses approved by the European Commission or the EU-US Data Privacy Framework.
6. Retention periods
- Account data: for the duration of the contract; on deletion request: 30-day grace period, then anonymisation.
- Billing data: 10 years per Italian Civil Code.
- AI Agent conversations: 12 months default (configurable).
- Workflow execution logs: 90 days default (configurable per plan).
- Consent records: for the duration of the consent plus statute of limitations.
- Security incident logs: indefinite (compliance evidence).
7. Data subject rights (Arts. 15–22 GDPR)
You have the right to:
- Access your data (Art. 15) — available at
Account → Privacy & Data → Download my data. - Rectify inaccurate data (Art. 16) — editable from the
Accountpage. - Request erasure (Art. 17) — at
Account → Privacy & Data → Delete account. - Restrict processing (Art. 18).
- Receive your data in a structured format (Art. 20) — same export as Art. 15.
- Object to processing (Art. 21).
- Not be subject to significant automated decisions (Art. 22).
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with the Garante per la protezione dei dati personali (www.gpdp.it).
To exercise your rights, write to privacy@ew-flow.com.
8. Automated decision-making and profiling
The AI Agent in the platform produces automated suggestions. This is an assistive feature: the user decides whether to apply suggestions and no decisions with legal or similarly significant effects are taken automatically. Further details are shown at first use of the AI Agent.
9. Minors
The service targets B2B users. In Italy the minimum age for autonomous digital consent is 14 (D.Lgs. 101/2018). We do not knowingly collect data from individuals under that age.
10. Cookies
Our use of cookies is described in the Cookie Policy.
11. Changes
This policy may be updated. The current version is 2026-05-07. Where changes are substantial we will request a new acknowledgement.