Privacy Policy
Last updated: March 31, 2026
1. Introduction
Winly ("we", "us", or "our") is a procurement intelligence platform operated from Lisbon, Portugal (Avenida da Liberdade, 110, 1250-146 Lisboa). We are the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) and applicable Portuguese data protection law.
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our website at winly.me, our web application, and any related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this policy.
2. Data We Collect
We collect the following categories of personal data:
Account Data — Information you provide when registering: your name, email address, company name, and VAT/NIF number. This data is required to create and maintain your account.
Company Profile Data — Information you provide to configure your procurement profile: CPV codes (Common Procurement Vocabulary), target geographic regions, budget range, and business sector. This data powers our tender matching algorithms.
Usage Data — Information collected automatically as you use the Service: pages visited, features used, tender searches performed, timestamps, browser type, device type, and IP address.
Payment Data — Billing information processed through our payment provider, Lemon Squeezy. Winly does not store credit card numbers, debit card numbers, or other payment card details on its servers. We retain only transaction references, subscription status, and invoicing data.
AI Analysis Data — Tender documents you upload or submit for AI-powered analysis. These documents are processed to extract structured information and risk assessments. Documents are not stored long-term (see Section 7 on data retention).
Cookies & Tracking Data — We use essential cookies for authentication sessions and optional analytics cookies. See Section 9 for details.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract performance (Art. 6(1)(b)) — Processing your account data, company profile, and tender matching is necessary to deliver the Service you have subscribed to.
- Legitimate interest (Art. 6(1)(f)) — We use usage data for analytics, product improvement, platform security, and fraud prevention. Our legitimate interest does not override your fundamental rights; you may object at any time (see Section 8).
- Consent (Art. 6(1)(a)) — We rely on your explicit consent for marketing emails and the use of analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)) — We retain invoicing and transaction records as required by Portuguese tax law and EU VAT regulations.
4. How We Use Your Data
We use your personal data to:
- Provide and operate the Service — Account management, authentication, and access to platform features.
- Personalize tender matching — Using your company profile (CPV codes, regions, budget, sector) to surface relevant public procurement opportunities.
- Process payments — Managing subscriptions, generating invoices, and handling billing through Lemon Squeezy.
- Communicate with you — Sending transactional emails (account confirmations, password resets, tender alerts, subscription updates) and, with your consent, marketing communications.
- Analyze and improve the platform — Understanding how the Service is used, identifying bugs, and improving features through aggregated analytics.
- Ensure security — Detecting and preventing unauthorized access, abuse, and fraudulent activity.
- Process tender documents — Using AI models to analyze documents you submit, extracting structured data and risk assessments to help you evaluate procurement opportunities.
5. Data Sharing & Sub-Processors
We never sell your personal data. We share data only with the third-party sub-processors listed below, strictly for the purposes described, and under data processing agreements that comply with GDPR requirements.
| Sub-Processor | Purpose | Data Accessed |
|---|---|---|
| Supabase (EU region) | Database hosting, user authentication | Account data, company profile, usage metadata |
| Google Cloud Platform (EU region) | Backend processing, data analytics (BigQuery), AI analysis (Vertex AI / Gemini) | Tender data, company profile, uploaded documents |
| Vercel (global CDN, EU processing) | Frontend hosting and content delivery | IP address, request metadata |
| Lemon Squeezy | Payment processing, subscription management | Name, email, billing address, payment card details |
| PostHog (US cloud) | Product analytics (privacy-friendly configuration, identified-only persons) | Usage data, anonymized interaction events |
| Resend | Transactional email delivery | Email address, name |
We may also disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Winly, our users, or the public.
6. International Data Transfers
The majority of your personal data is processed within the European Union (EU) and European Economic Area (EEA). Our primary infrastructure providers — Supabase and Google Cloud Platform — operate in EU regions.
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place:
- PostHog — Hosted in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, and PostHog is configured in a privacy-friendly mode with identified-only person tracking.
- Vercel — Uses a global CDN for performance. Processing and data storage are configured to EU regions. Edge network requests may be routed through global nodes, with transfers covered by SCCs.
We do not transfer your personal data to any country that lacks an adequate level of data protection without implementing appropriate safeguards under GDPR Article 46.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account data — Retained for the duration of your account. Upon account deletion, your data is permanently erased within 30 days, except where retention is required by law.
- Payment and invoicing records — Retained for 7 years after the transaction date, as required by Portuguese tax law (Código do IRS / Código do IRC) and the EU VAT Directive.
- Usage and analytics data — Retained for 12 months from the date of collection, then automatically deleted or anonymized.
- AI analysis results — Processed tender documents and their analysis results are retained for 90 days to allow you to access your results, then permanently deleted.
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You can request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — You can request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18) — You can request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — You can object to processing based on legitimate interest, including profiling.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
How to exercise your rights: You can manage most data preferences directly in your account settings. For formal requests, contact our Data Protection Officer at privacy@winly.me. We will respond to your request within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, and we will notify you of such an extension.
9. Cookies
We use the following categories of cookies:
- Essential cookies — Required for the Service to function. These include authentication session cookies managed by Supabase. They cannot be disabled.
- Analytics cookies — Used by PostHog to understand how you interact with the Service. These are set only with your consent and can be disabled at any time.
For a complete list of cookies, their purposes, and duration, please see our Cookie Policy.
10. Children's Privacy
The Service is designed for business professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@winly.me.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
12. Contact & Complaints
If you have questions about this Privacy Policy or how we handle your personal data, please contact us:
- General support: support.winly@winly.me
- Data Protection Officer: privacy@winly.me
- Address: Avenida da Liberdade, 110, 1250-146 Lisboa, Portugal
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Portugal, the competent authority is:
- CNPD — Comissão Nacional de Proteção de Dados
- Rua de São Bento 148, 1200-821 Lisboa, Portugal
- www.cnpd.pt