Privacy Policy

Last updated: March 4, 2026

1. Who we are

Witflow (“we”, “us”, “our”) is a creative studio based in Lisbon, Portugal, operating the CMS platform available at this domain. We provide brand strategy, web design, content management, and digital marketing services. Our registered contact address is available at witflow.co.

2. What data we collect

We collect the following categories of personal data:

  • Account data: Email address, display name, and encrypted password when you register.
  • Client data: Your website domain and business information you provide during onboarding.
  • Google OAuth tokens: If you connect your Google account, we store OAuth access and refresh tokens to read your Google Analytics and Search Console data on your behalf. We never post to your accounts.
  • Usage data: Pages visited, actions taken, and timestamps within the CMS, used to improve the service.
  • Content data: Blog posts, images, and SEO metadata you create or that are generated on your behalf.

3. How we use your data

We use your data to:

  • Provide and maintain the CMS platform and your account.
  • Generate AI-powered blog content tailored to your website and audience.
  • Fetch Google Analytics and Search Console data to improve content quality.
  • Send essential service communications (account creation, password resets).
  • Comply with legal obligations under EU and Portuguese law.

We do not sell your personal data to third parties, use it for advertising, or process it for any purpose beyond what is described above.

4. Legal basis (GDPR)

We process your data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Contract: Processing necessary to provide the service you have signed up for.
  • Legitimate interest: Improving and securing our platform.
  • Consent: Google OAuth connection, which you can revoke at any time.

5. Data storage & security

Your data is stored on Supabase infrastructure (PostgreSQL), hosted in the European Union. Media files are stored in Supabase Storage. We use industry-standard encryption in transit (TLS) and at rest. Google OAuth tokens are stored encrypted and accessed only for authorised API calls.

6. Third-party services

We use the following third-party processors:

  • Supabase: Database, authentication, and file storage.
  • Google LLC: OAuth authentication and Analytics/Search Console API access.
  • Google Gemini / Imagen: AI content and image generation using your post context.
  • Vercel Inc.: Application hosting and edge delivery.

7. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Withdraw consent for Google OAuth at any time via your Google Account settings.
  • Lodge a complaint with the Portuguese data protection authority (CNPD) at cnpd.pt.

To exercise any of these rights, contact us at privacy@witflow.co.

8. Data retention

We retain your account data for as long as your account is active. If you request deletion, we will remove your personal data within 30 days, except where retention is required by law. Generated content you have published remains on your website under your own responsibility.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify active users of material changes via email. Continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact

For any privacy-related questions, contact us at privacy@witflow.co or visit witflow.co.