Privacy Policy

Last updated: 4 April 2026  ·  Effective: 4 April 2026

CaseStories ("we", "us", "our") is operated by Vento Digitale di Marco Forlani (VAT IT03694090139), Italy. This policy explains how we collect, use, and protect your personal data in full compliance with EU Regulation 2016/679 (GDPR), the Italian Privacy Code (D.Lgs. 196/2003 as amended), the UK GDPR, and other applicable privacy laws.

1. Data Controller and Contact Details

The data controller responsible for processing your personal data is:

Data Protection Officer (DPO)

Under GDPR Art. 37, a DPO is mandatory for public authorities, organisations conducting large-scale systematic monitoring, or those processing special categories of data at scale. Vento Digitale di Marco Forlani is a small private operator that does not engage in large-scale systematic monitoring and does not process special categories of personal data (Art. 9). Accordingly, no DPO is legally required. All privacy and data protection matters are handled directly and promptly by the controller at the contact address above.

2. Data We Collect

2.1 Account Data

When you register, we collect:

  • Email address (required — account identifier)
  • First and last name (required)
  • Password — stored as a one-way hash (Argon2id). We cannot retrieve your password.
  • Company name, description, website, city, country, industry, phone (optional)
  • Company logo (image, optional)
  • Preferred interface language

2.2 Content Data

Any case studies, project descriptions, media files (images, videos), and direct messages you create or submit through the platform are stored and associated with your account.

2.3 First-Party Analytics

We operate first-party analytics to understand platform usage. We collect:

  • Hashed IP address — your IP is immediately hashed (SHA-256 + salt); the raw IP is never stored and cannot be recovered. The hash itself is stored for a maximum of 24 months and is technically irreversible.
  • Pages visited and timestamps
  • Browser type and OS (User-Agent string)
  • Referring URL
  • Country (derived from the IP at collection time; raw IP discarded immediately)

We do not use Google Analytics, Meta Pixel, or any third-party tracking scripts on the platform or in our emails.

2.4 Payment Data

Payment processing is handled entirely by Paddle, which acts as Merchant of Record. Paddle is an independent data controller for payment data under its own privacy policy. We do not store credit card numbers, CVV codes, or bank details. We receive and store only Paddle's customer ID, subscription ID, transaction ID, and payment status.

2.5 AI-Generated Content

When you use the AI writing or translation features, the project-related text you provide (challenges, solutions, results) is transmitted to Anthropic's API for processing. We do not transmit personal identifiers (name, email, company name) to Anthropic. Text is processed transiently and is not used to train Anthropic's models under our API Data Processing Agreement.

2.6 OAuth Login Data

If you sign in via Google, LinkedIn, or Facebook, we receive only the email address and display name provided by the OAuth provider. We store the provider name and provider user ID to enable future logins. We do not receive or store OAuth tokens, passwords, or other data from these providers beyond what is listed above.

2.7 Transactional Email Metadata

When we send you transactional emails (account verification, password reset, subscription receipts), we process your email address and delivery status. We do not embed tracking pixels or click-tracking links in our emails.

3. How We Use Your Data

  • Service delivery: Creating and managing your account, publishing case studies, processing payments, AI-assisted writing and translation.
  • Service improvement: Analysing aggregate, anonymised usage patterns to prioritise features.
  • Communication: Sending transactional emails (account verification, password resets, subscription receipts, platform alerts). We do not send marketing emails without your explicit prior opt-in consent.
  • Security: Detecting and preventing fraudulent access, rate limiting, abuse prevention.
  • Legal compliance and accounting: Retaining billing records as required by EU and Italian VAT and accounting law.
  • Disclosure to public authorities: Where required by applicable law, court order, or a legally binding request from a competent authority, we may disclose personal data to law enforcement or regulatory bodies. We will notify you unless legally prohibited from doing so.
  • Support: Responding to your requests and resolving disputes.

We never sell, rent, lease, or otherwise commercialise your personal data to third parties, and we do not use it for advertising targeting or share it with data brokers.

4. Legal Bases for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the service you subscribed to — account management, case study publishing, payment processing, AI writing.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and first-party analytics to improve the platform. We have conducted a Legitimate Interests Assessment (LIA): our interest in keeping the platform secure and improving its features is balanced against data subjects' interests; we use privacy-preserving techniques (IP hashing, anonymisation) to minimise any privacy impact. You may object at any time (see §8).
  • Legal obligation (Art. 6(1)(c)): Retaining invoicing and billing records as required by EU and Italian VAT and accounting law (10-year retention).
  • Consent (Art. 6(1)(a)): Currently no consent-based processing beyond account registration (confirmed by verifying your email). Any future optional features (e.g. marketing emails) will be clearly opt-in, with the right to withdraw consent at any time without penalty.

5. Third-Party Processors and Service Providers

5.1 Paddle (Payments — Independent Controller)

Paddle.com Market Ltd (UK / Ireland). Acts as Merchant of Record for all transactions — meaning Paddle is an independent data controller for payment and billing data, not a sub-processor of ours. Paddle handles PCI-DSS-compliant card processing under its own privacy policy: paddle.com/legal/privacy. We receive only the non-sensitive transaction metadata listed in §2.4.

5.2 Anthropic (AI Writing & Translation — Processor)

Anthropic, PBC (San Francisco, US). Used to generate and translate case study content under a signed Data Processing Agreement (DPA). Only project-related text is transmitted — no personal identifiers. Transfer to the US is covered by Standard Contractual Clauses (SCCs, GDPR Art. 46(2)(c)) and supplementary measures. We have conducted a Transfer Impact Assessment (TIA). Privacy policy: anthropic.com/privacy.

5.3 OAuth Providers (Identity — Independent Controllers)

Google LLC, LinkedIn Corporation, Meta Platforms Inc. — only if you choose to sign in via their services. Each provider acts as an independent controller for the OAuth authentication process. Their privacy policies govern their data handling. We only receive the name and email address listed in §2.6. Transfers to the US are covered by the EU–US Data Privacy Framework adequacy decision or SCCs.

5.4 Hosting Infrastructure (Processor)

All servers are located within the European Union. We do not use US-based cloud providers for primary data storage. All hosting providers have signed Data Processing Agreements (DPAs) with us and are bound by GDPR Art. 28 obligations.

5.5 Transactional Email Delivery (Processor)

Outbound transactional emails are transmitted over TLS-encrypted SMTP. Our mail infrastructure is hosted within the EU. Where a third-party SMTP relay is used, it is located within the EU, operates under a signed DPA, and is bound by GDPR Art. 28. Your email address is used solely to deliver the requested system notification and is not used for any other purpose by the delivery provider.

6. Cookies and Similar Technologies

CaseStories uses only strictly necessary cookies. No consent banner is required for these under the ePrivacy Directive (2002/58/EC as amended).

  • Session cookie (PHPSESSID): Keeps you authenticated. Expires when you close your browser or after 30 minutes of inactivity. Flags: HttpOnly, Secure, SameSite=Strict.
  • CSRF token cookie: Prevents cross-site request forgery. Does not identify or track you. Flags: HttpOnly, Secure, SameSite=Strict.
  • Language preference cookie: Stores your chosen interface language. Contains no personal data. Expires after 1 year.

We do not use analytics cookies, advertising cookies, tracking pixels, fingerprinting scripts, or any third-party cookies. No data collected via cookies is shared with external parties.

7. Data Retention

  • Account data: Retained while the account is active. Deleted within 30 days of a verified erasure request (§8), subject to legal retention obligations below.
  • Published case studies: Retained until you delete them or close your account. Removed from public view immediately upon deletion; purged from backups within 90 days.
  • Analytics data (hashed IP + usage statistics): Aggregate, anonymised statistics retained for 24 months. The hashed IP address cannot be reversed to recover the original IP.
  • Billing records (invoices, payment confirmations): 10 years — mandatory under EU VAT Directive and Italian D.P.R. 600/1973 tax law. We cannot delete these records earlier regardless of an erasure request.
  • Support messages: 3 years after the last interaction.
  • Email delivery logs: 30 days, used solely for delivery troubleshooting.
  • Deleted data in backups: Backups are overwritten within 90 days; deleted data cannot be restored after that point.

8. Your Rights Under GDPR and Applicable Law

If you are in the EEA, UK, or Switzerland, you have the following rights:

  • Access (Art. 15): Request a copy of all personal data we hold about you, including information about how it is processed.
  • Rectification (Art. 16): Correct inaccurate or incomplete data. Most profile fields can be edited directly in your account settings.
  • Erasure — "right to be forgotten" (Art. 17): Request deletion of your data within 30 days. Exceptions apply to data we are legally required to retain (e.g. billing records — see §7).
  • Portability (Art. 20): Receive your account and content data in a structured, machine-readable format (JSON). Email us to request an export.
  • Restriction (Art. 18): Request that processing be restricted while a dispute is pending or accuracy is verified.
  • Object (Art. 21): Object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Not to be subject to solely automated decisions (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects. All material decisions involve human review. See §15.

Provision of data — mandatory vs. voluntary (Art. 13(2)(e)): Email address and name are required to create an account. Without them, the service cannot be provided. All other profile fields (company details, phone, logo, etc.) are optional and their omission has no effect on access to core features.

How to exercise your rights: Email support@casestories.com with subject line "GDPR Request", or write by post to: Vento Digitale di Marco Forlani, [ADDRESS]. We will verify your identity before processing the request and respond within 30 days (extendable to 60 days for complex requests, per GDPR Art. 12(3)). No fee is charged for standard requests.

Right to lodge a complaint: You have the right to lodge a complaint with any competent supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. The lead supervisory authority for this controller is:
Garante per la protezione dei dati personali
www.garanteprivacy.it — Piazza Venezia 11, 00187 Roma — Tel. +39 06.696771
UK residents may also contact the Information Commissioner's Office (ICO): ico.org.uk.

9. Data Security

We implement appropriate technical and organisational measures (TOMs) in accordance with GDPR Art. 32 and the principle of data protection by design and by default (Art. 25), including:

  • HTTPS with TLS 1.2+ for all connections; HTTP requests are redirected to HTTPS
  • Passwords hashed with Argon2id (one-way, salted, not reversible or retrievable)
  • IP anonymisation via SHA-256 + salt hashing (raw IP never stored)
  • CSRF protection tokens on all state-changing requests
  • Rate limiting on authentication, registration, password reset, and API endpoints
  • HttpOnly, Secure, and SameSite=Strict flags on all session cookies
  • SQL injection prevention via prepared statements throughout the codebase
  • Uploaded file validation, MIME-type checking, and storage outside the web root
  • Role-based access control (admin / user separation) with least-privilege principles
  • Regular security reviews and third-party dependency audits
  • Encrypted backup storage within the EU

No system is 100% secure. In the event of a personal data breach, we will notify the Garante within 72 hours of becoming aware (GDPR Art. 33) and affected users without undue delay where the breach is likely to result in a high risk (GDPR Art. 34).

10. International Data Transfers

Your primary data is stored on EU servers. Certain processors operate outside the EU/EEA:

  • Anthropic (US): Transfer covered by Standard Contractual Clauses (GDPR Art. 46(2)(c)) under a signed DPA, supplemented by a Transfer Impact Assessment (TIA) confirming adequate practical safeguards. Processing is limited to AI text generation; no personal identifiers are transmitted.
  • OAuth providers (US) — Google, LinkedIn, Meta: Transfer covered by the EU–US Data Privacy Framework adequacy decision (Commission Decision of 10 July 2023) or, where applicable, SCCs.

UK GDPR: Users in the United Kingdom are covered by the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018). Transfers to the UK benefit from the EU adequacy decision for the UK. Rights and contact details under §8 apply equally to UK data subjects.

All international transfers are subject to appropriate safeguards. You may request details of the specific safeguards in place by contacting us at support@casestories.com.

11. Children's Privacy

CaseStories is a professional B2B platform not directed to persons under 16 years of age (the GDPR default age of digital consent). We do not knowingly collect personal data from minors under 16. If you believe a child has provided us with personal data, please contact us immediately at support@casestories.com and we will delete it promptly. Note: Italy sets the minimum age for digital services consent at 14 years (D.Lgs. 101/2018 Art. 2-quinquies); we apply the more protective GDPR default of 16 across all jurisdictions.

12. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Garante (Italian supervisory authority) within 72 hours of becoming aware (GDPR Art. 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms
  • Notify affected users without undue delay (GDPR Art. 34) where the breach is likely to result in a high risk, unless the data was rendered unintelligible (e.g. encrypted)
  • Include in the notification: nature and scope of the breach, categories and approximate number of affected individuals and records, likely consequences, and measures taken or proposed to address the breach and mitigate its effects
  • Maintain an internal breach register (GDPR Art. 33(5))

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material changes (changes to the purposes of processing, types of data collected, new processors, or material changes to data subject rights) will be communicated to account holders by email at least 30 days before taking effect, and by a prominent notice on the platform. Continued use of the platform after the effective date constitutes acceptance of non-material updates only.

Non-material changes (e.g. clarifications, formatting, updated contact details) may take effect immediately and will be reflected in the "Last updated" date above.

We recommend reviewing this policy periodically. Previous versions are available upon request.

14. Contact

For any privacy-related inquiry, data subject request, or complaint:

  • Email: support@casestories.com — subject line "Privacy / GDPR" for faster routing
  • Postal address: Vento Digitale di Marco Forlani, [ADDRESS], Italy
  • Response time: Within 30 days of receipt (extendable to 60 days for complex requests, per GDPR Art. 12(3)). We will acknowledge receipt within 5 business days.

We will verify your identity before processing any data subject request. No fee is charged for standard requests; we may charge a reasonable fee only if requests are manifestly unfounded or excessive (GDPR Art. 12(5)).

15. Automated Decision-Making and Profiling

In compliance with GDPR Art. 13(2)(f) and Art. 22, we confirm the following:

  • We do not engage in any form of automated individual decision-making that produces legal effects or other similarly significant effects on data subjects.
  • We do not engage in profiling as defined in GDPR Art. 4(4) — i.e. any automated processing of personal data to evaluate personal aspects relating to a person, in particular to analyse or predict their behaviour, preferences, interests, or other characteristics.
  • First-party analytics (§2.3) are used solely to produce aggregate, anonymised platform statistics and do not involve individual profiling.
  • AI features (§2.5) generate editorial text based on project descriptions provided by the user. This process does not evaluate, score, classify, or make decisions about any individual.
  • Rate limiting and fraud detection (§3 — Security) involve automated checks, but any account restriction resulting from these checks is subject to human review before enforcement.

If this policy changes to include any profiling or automated decision-making with significant effects, we will update this section and notify users in advance as required by Art. 13(2)(f) and, where applicable, seek consent or offer a meaningful opt-out.

16. No Sale or Commercialisation of Personal Data

We explicitly confirm that:

  • We never sell, rent, lease, barter, or otherwise exchange your personal data for monetary or non-monetary consideration to any third party.
  • We do not share personal data with data brokers, advertisers, or advertising networks.
  • We do not use your personal data for behavioural advertising, interest-based targeting, or cross-context behavioural tracking.
  • We do not use your published case study content to train AI models or for any purpose other than delivering the platform service to you.

This commitment applies regardless of your jurisdiction. California residents: this policy satisfies the "Do Not Sell or Share My Personal Information" right under CCPA/CPRA because we do not sell or share personal information as defined by those laws.

17. Additional Jurisdictions

17.1 UK GDPR

UK residents are protected under the UK GDPR (retained EU law) and the Data Protection Act 2018. The rights set out in §8 apply fully. The lead supervisory authority for UK residents is the Information Commissioner's Office (ICO): ico.org.uk — 0303 123 1113. We do not have a dedicated UK representative; contact details in §14 apply.

17.2 Brazil — LGPD

Brazilian data subjects are protected by the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018). LGPD rights (confirmation of processing, access, correction, anonymisation, portability, elimination, information about sharing, revocation of consent, and review of automated decisions) can be exercised via the contact details in §14. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD): gov.br/anpd.

17.3 Switzerland

Swiss residents are protected by the revised Federal Act on Data Protection (revFADP, in force 1 September 2023). The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.

17.4 California — CCPA/CPRA

California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. As stated in §16, we do not sell or share personal information. California residents may exercise their rights (know, delete, correct, opt-out of sale/sharing, non-discrimination) via the contact details in §14.