Winxtra GDPR Compliance Statement

Last updated: April 2025

Winxtra Ltd. is committed to ensuring full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR. As a data processor supporting B2B organizations with win-loss analysis and post-sale customer research, we prioritize data privacy, residency, and transparency across all operations.

1. Lawful Basis for Processing

We process personal data on the basis of:

  • Performance of a contract: As required to deliver services under a signed agreement with our clients.

  • Legitimate interests: For purposes of product improvement, research analysis, or anonymized insight generation.

  • Consent: When contacting individuals (e.g., buyers or interviewees) for voluntary interviews or surveys.

2. What Personal Data We Process

We process only the minimum data necessary to provide our services. This may include:

  • Name, job title, and company affiliation

  • Work email or contact information (provided by the client)

  • Voluntary opinions shared in interviews or surveys

  • CRM opportunity data (deal size, stage, notes, outcomes)

We do not process sensitive data (as defined by Article 9 of the GDPR).

3. How We Collect Data

We collect data through:

  • Client-provided CRM exports or Salesforce integrations

  • Voluntary interviews with buyers (conducted by us)

  • Internal web-based surveys with client employees

  • Publicly available information to support outreach

4. Data Hosting and Residency

All personal data is:

  • Stored in AWS London (eu-west-2) via our Supabase infrastructure

  • Processed exclusively in the UK or EU

  • Not transferred outside the EEA unless anonymized or subject to Standard Contractual Clauses (SCCs)

We do not use U.S.-based processors for long-term storage of personal data unless compliant with GDPR transfer mechanisms.

5. Security Measures

Winxtra implements technical and organizational measures including:

  • Data encryption in transit and at rest

  • Access control via role-based permissions

  • 2FA on all internal tools

  • Secure API management via Cloudflare

  • Internal confidentiality agreements and least-privilege access for staff

6. Subprocessors

We maintain a transparent list of subprocessors here, which includes only GDPR-compliant vendors. All subprocessors are bound by DPAs and standard contractual clauses where necessary.

7. Data Retention & Deletion

We follow strict data retention policies:

  • Interview recordings are deleted after transcription

  • All personal data is deleted within 30 days of client offboarding

  • Anonymized data may be retained for product research or benchmarking, in a non-identifiable format

8. Data Subject Rights

Under GDPR, individuals have the right to:

  • Access their data

  • Correct inaccuracies

  • Request erasure or restriction of processing

  • Object to processing

  • Withdraw consent (where applicable)

To exercise these rights, contact us at privacy@winxtra.co.uk. We will respond within 5 business days.

9. International Transfers

Where data is transferred outside the UK/EEA (e.g., for transcription), we:

  • Anonymize content where possible

  • Use vendors with active Data Privacy Framework (DPF) certification or SCCs

  • Delete data from those services immediately after use

10. Contact

Winxtra Ltd.
London, United Kingdom
Email: daniel@winxtra.co.uk