Privacy Policy

Last updated: 8 April 2026  ·  Effective: 8 April 2026

CaseStories ("we", "us", "our") is operated by Vento Digitale di Marco Forlani (VAT IT03694090139), Italy. This policy explains how we collect, use, and protect your personal data in full compliance with EU Regulation 2016/679 (GDPR), the Italian Privacy Code (D.Lgs. 196/2003 as amended), the UK GDPR, and other applicable privacy laws.

1. Data Controller and Contact Details

The data controller responsible for processing your personal data is:

  • Vento Digitale di Marco Forlani
  • VAT IT03694090139 — Italy
  • Registered address: Via Pietro Mascagni, 119 - 24033 Calusco d'Adda (BG) - Italy
  • Platform: CaseStories (www.casestories.com)
  • Email: support@casestories.com

Data Protection Officer (DPO)

Under GDPR Art. 37, a DPO is mandatory for public authorities, organisations conducting large-scale systematic monitoring, or those processing special categories of data at scale. Vento Digitale di Marco Forlani is a small private operator that does not engage in large-scale systematic monitoring and does not process special categories of personal data (Art. 9). Accordingly, no DPO is legally required. All privacy and data protection matters are handled directly and promptly by the controller at the contact address above.

2. Data We Collect

2.1 Account Data

When you register, we collect:

  • Email address (required — account identifier)
  • First and last name (required)
  • Password — stored as a one-way hash (Argon2id). We cannot retrieve your password.
  • Company name, description, website, city, country, industry, phone (optional)
  • Company logo (image, optional)
  • Preferred interface language

2.2 Content Data

Any case studies, project descriptions, media files (images, videos), and direct messages you create or submit through the platform are stored and associated with your account.

2.3 Analytics

2.3.1 Cookie-based analytics — Matomo (consent required)

We use Matomo, an open-source web analytics platform operated exclusively on our own servers within the European Union. No analytics data is ever sent to a third-party analytics service. Matomo is loaded only after you accept cookies via our cookie banner. When active, Matomo collects:

  • Anonymised IP address — the last two octets are masked before storage (e.g. 203.0.113.x is stored as 203.0.0.0); the full IP is never stored.
  • Pages visited and timestamps
  • Browser type and OS (User-Agent string)
  • Referring URL
  • Approximate country (derived from the masked IP)

If you decline cookies, Matomo is not loaded and no cookie-based tracking takes place.

2.3.2 Server-side first-party analytics (no consent required)

Independently of cookie consent, the platform records server-side interaction events — specifically page views, CTA clicks, shares, searches, and contact-link clicks on published case studies. This data is processed exclusively to provide aggregated performance statistics to case study owners (e.g. "your case study received 120 views this month from Italy"). The legal basis is legitimate interests (Art. 6(1)(f) GDPR): the case study owner has a legitimate interest in understanding how their published content performs, and this interest is balanced by the privacy-preserving measures described below.

For each event, the following data points are recorded server-side:

  • Event type (view, click, share, search, or contact click)
  • Salted SHA-256 hash of the visitor IP address (see §9) — the raw IP is never stored; only its one-way hash, which cannot be reversed to recover the original address.
  • Country code (2-letter ISO 3166-1 code, e.g. IT, DE) — derived from the IP before hashing and stored as an aggregate geographic indicator only.
  • Referring URL — the HTTP Referer header, if present.
  • User-Agent string — the full browser/OS identifier string sent by your browser with every HTTP request (e.g. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)…). This string is stored as-is and used to classify visits by device type and browser for aggregate statistics. Although the User-Agent string is not by itself uniquely identifying, in combination with the IP hash and referrer it constitutes pseudonymous data under GDPR. We retain it for 24 months, after which it is deleted.

This processing does not use cookies or any client-side storage mechanism and is therefore outside the scope of the ePrivacy Directive cookie consent requirement. You may object to this processing at any time under Art. 21 GDPR by contacting us at support@casestories.com.
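As an added illustration (not code from CaseStories or the original policy), the following Python sketch shows how a server-side event record of the kind described above can be built so that the raw IP never reaches storage: the country is derived first, the IP is replaced by a salted SHA-256 token (the salt being the measure §9 refers to), records older than the 24-month retention are purged, and per-country monthly view counts are produced for the owner's statistics. The country lookup table, salt and sample events are constructed for the example; a real deployment would use a GeoIP database and a secret salt kept outside the database.

```python
import hashlib
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

# Event types listed in the policy; anything else is rejected.
EVENT_TYPES = {"view", "click", "share", "search", "contact"}
# 24-month retention, approximated here as 730 days.
RETENTION = timedelta(days=730)

# Constructed stand-in for a GeoIP database (assumption for the example).
COUNTRY_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "IT",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}


def country_for(ip: str) -> Optional[str]:
    """Return the ISO 3166-1 alpha-2 code for an IP, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, code in COUNTRY_BY_NETWORK.items():
        if addr in network:
            return code
    return None


def pseudonymise_ip(ip: str, salt: bytes) -> str:
    """Salted one-way SHA-256 of the IP. The same IP yields the same token
    under one salt (so repeat visits can be grouped), but without the salt
    the token cannot be matched against a precomputed table of addresses."""
    return hashlib.sha256(salt + ip.encode("ascii")).hexdigest()


def record_event(event_type, ip, salt, referer=None, user_agent=None, when=None):
    """Build the stored record. The country is derived before hashing and
    the raw IP is never placed in the record."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unsupported event type: {event_type}")
    return {
        "type": event_type,
        "ip_hash": pseudonymise_ip(ip, salt),
        "country": country_for(ip),
        "referer": referer,
        "user_agent": user_agent,
        "ts": when or datetime.now(timezone.utc),
    }


def purge_expired(events, now):
    """Drop records that have exceeded the retention period."""
    return [e for e in events if now - e["ts"] < RETENTION]


def views_by_country(events, year, month):
    """Aggregate 'view' events for one calendar month by country."""
    return Counter(
        e["country"]
        for e in events
        if e["type"] == "view" and e["ts"].year == year and e["ts"].month == month
    )


def sample_now():
    return datetime(2026, 4, 8, tzinfo=timezone.utc)


def build_sample_events(salt):
    """Constructed sample traffic: four April 2026 views (three from the
    Italian test range, one German), one click, and one view old enough
    to fall outside the retention window."""
    ua = "Mozilla/5.0 (constructed)"
    ref = "https://example.org/"
    t = datetime(2026, 4, 2, tzinfo=timezone.utc)
    old = datetime(2024, 1, 15, tzinfo=timezone.utc)
    return [
        record_event("view", "203.0.113.7", salt, ref, ua, t),
        record_event("view", "203.0.113.7", salt, ref, ua, t + timedelta(days=1)),
        record_event("view", "203.0.113.42", salt, ref, ua, t + timedelta(days=2)),
        record_event("view", "198.51.100.9", salt, None, ua, t + timedelta(days=3)),
        record_event("click", "203.0.113.7", salt, ref, ua, t + timedelta(days=3)),
        record_event("view", "203.0.113.7", salt, ref, ua, old),
    ]
```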

We do not use Google Analytics, Meta Pixel, or any third-party tracking scripts on the platform or in our emails.

2.4 Payment Data

Payment processing is handled entirely by Paddle, which acts as Merchant of Record. Paddle is an independent data controller for payment data under its own privacy policy. We do not store credit card numbers, CVV codes, or bank details. We receive and store only Paddle's customer ID, subscription ID, transaction ID, and payment status.

2.5 AI-Generated Content

When you use the AI writing or translation features, the project-related text you provide (challenges, solutions, results) is transmitted to Anthropic's API for processing. We do not transmit personal identifiers (name, email, company name) to Anthropic. Text is processed transiently and is not used to train Anthropic's models under our API Data Processing Agreement.

2.6 OAuth Login Data

If you sign in via Google, LinkedIn, or Facebook, we receive only the email address and display name provided by the OAuth provider. We store the provider name and provider user ID to enable future logins. We do not receive or store OAuth tokens, passwords, or other data from these providers beyond what is listed above.

2.7 Transactional Email Metadata

When we send you transactional emails (account verification, password reset, subscription receipts), we process your email address and delivery status. We do not embed tracking pixels or click-tracking links in our emails.

3. How We Use Your Data

  • Service delivery: Creating and managing your account, publishing case studies, processing payments, AI-assisted writing and translation.
  • Service improvement: Analysing aggregate, anonymised usage patterns to prioritise features.
  • Communication: Sending transactional emails (account verification, password resets, subscription receipts, platform alerts). We do not send marketing emails without your explicit prior opt-in consent.
  • Security: Detecting and preventing fraudulent access, rate limiting, abuse prevention.
  • Legal compliance and accounting: Retaining billing records as required by EU and Italian VAT and accounting law.
  • Disclosure to public authorities: Where required by applicable law, court order, or a legally binding request from a competent authority, we may disclose personal data to law enforcement or regulatory bodies. We will notify you unless legally prohibited from doing so.
  • Support: Responding to your requests and resolving disputes.
  • Platform administration and maintenance: As the platform operator, we may access user account data and content strictly when required for technical maintenance, system diagnostics, security incident response, and abuse investigation. Such access is limited to what is necessary for the specific activity, is logged, and is never used for any commercial purpose.

We never sell, rent, lease, or otherwise commercialise your personal data to third parties, and we do not use it for advertising targeting or share it with data brokers.

4. Legal Bases for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to deliver the service you subscribed to — account management, case study publishing, payment processing, AI writing.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and first-party analytics to improve the platform. We have conducted a Legitimate Interests Assessment (LIA): our interest in keeping the platform secure and improving its features is balanced against data subjects' interests; we use privacy-preserving techniques (IP hashing, anonymisation) to minimise any privacy impact. You may object at any time (see §8).
  • Legal obligation (Art. 6(1)(c)): Retaining invoicing and billing records as required by EU and Italian VAT and accounting law (10-year retention).
  • Consent (Art. 6(1)(a)): Currently no consent-based processing beyond account registration (confirmed by verifying your email). Any future optional features (e.g. marketing emails) will be clearly opt-in, with the right to withdraw consent at any time without penalty.

5. Third-Party Processors and Service Providers

5.1 Paddle (Payments — Independent Controller)

Paddle.com Market Ltd (UK / Ireland). Acts as Merchant of Record for all transactions — meaning Paddle is an independent data controller for payment and billing data, not a sub-processor of ours. Paddle handles PCI-DSS-compliant card processing under its own privacy policy: paddle.com/legal/privacy. We receive only the non-sensitive transaction metadata listed in §2.4.

5.2 Anthropic (AI Writing & Translation — Processor)

Anthropic, PBC (San Francisco, US). Used to generate and translate case study content under a signed Data Processing Agreement (DPA). Only project-related text is transmitted — no personal identifiers. Transfer to the US is covered by Standard Contractual Clauses (SCCs, GDPR Art. 46(2)(c)) and supplementary measures. We have conducted a Transfer Impact Assessment (TIA). Privacy policy: anthropic.com/privacy.

5.3 OAuth Providers — Google, LinkedIn (Identity — Independent Controllers)

Google LLC and LinkedIn Corporation, used only if you choose to sign in via their services. Each provider acts as an independent controller for the OAuth authentication process. Their privacy policies govern their own data handling. We receive only the name and email address (§2.6); we do not receive OAuth tokens, passwords, or any other profile data. Sign-in via Facebook is also available as an alternative option. Transfers to the US are covered by the EU–US Data Privacy Framework adequacy decision (Commission Decision of 10 July 2023) or, where applicable, Standard Contractual Clauses.

5.4 Hosting Infrastructure — Amazon Web Services EU (Processor)

All application servers and databases are hosted on Amazon Web Services (AWS) in European Union regions (eu-west-1, Ireland, or eu-central-1, Frankfurt). No primary data is stored outside the European Union. AWS has signed a Data Processing Agreement (DPA) with us and is bound by GDPR Art. 28 obligations. AWS EU regions are certified under ISO 27001 and SOC 2 and maintain contractual EU data residency guarantees.

5.5 Transactional Email Delivery (Processor)

Outbound transactional emails are transmitted over TLS-encrypted SMTP. Our mail infrastructure is hosted within the EU, operates under a signed DPA, and is bound by GDPR Art. 28. Your email address is used solely to deliver the requested system notification and is not used for any other purpose by the delivery provider.

5.6 Analytics — Matomo (Operated by Us, EU Infrastructure)

We self-host Matomo, an open-source web analytics platform, on our own infrastructure within the European Union. Matomo is not a third-party service — it runs entirely on servers we control, and no analytics data is transmitted to any external party. Matomo processes only the anonymised data described in §2.3. As our own tool, Matomo is subject to this privacy policy in its entirety.

6. Cookies and Similar Technologies

CaseStories uses cookies in two categories:

Strictly Necessary Cookies (no consent required)

These cookies are essential for the platform to function and cannot be disabled.

  • Session cookie (PHPSESSID): Keeps you authenticated. Expires when you close your browser or after 30 minutes of inactivity. Flags: HttpOnly, Secure, SameSite=Strict.
  • CSRF token cookie: Prevents cross-site request forgery. Does not identify or track you. Flags: HttpOnly, Secure, SameSite=Strict.
  • Language preference cookie: Stores your chosen interface language. Contains no personal data. Expires after 1 year.
  • Cookie consent preference: Records your accept/decline choice for analytics cookies. Expires after 1 year.

Analytics Cookies (consent required)

These cookies are set only after you accept them via our cookie banner. They are used exclusively for the aggregated, anonymised analytics described in §2.3 (Matomo, self-hosted on our EU infrastructure).

  • _pk_id.*: Identifies a browser session for Matomo analytics. Expires after 13 months. No personally identifiable information is stored.
  • _pk_ses.*: Short-lived session cookie for Matomo. Expires after 30 minutes.

You may withdraw your consent to analytics cookies at any time by clicking the cookie settings link in the page footer. Matomo is operated by us on our own EU servers — no analytics data is shared with external parties.

We do not use advertising cookies, tracking pixels, fingerprinting scripts, or any third-party cookies.

7. Data Retention

  • Account data: Retained while the account is active. Deleted within 30 days of a verified erasure request (§8), subject to legal retention obligations below.
  • Published case studies: Retained until you delete them or close your account. Removed from public view immediately upon deletion; purged from backups within 90 days.
  • Analytics data (hashed IP + usage statistics): Aggregate, anonymised statistics retained for 24 months. The hashed IP address cannot be reversed to recover the original IP.
  • Billing records (invoices, payment confirmations): 10 years — mandatory under EU VAT Directive and Italian D.P.R. 600/1973 tax law. We cannot delete these records earlier regardless of an erasure request.
  • Support messages: 3 years after the last interaction.
  • Email delivery logs: 30 days, used solely for delivery troubleshooting.
  • Deleted data in backups: Backups are overwritten within 90 days; deleted data cannot be restored after that point.

8. Your Rights Under GDPR and Applicable Law

If you are in the EEA, UK, or Switzerland, you have the following rights:

  • Access (Art. 15): Request a copy of all personal data we hold about you, including information about how it is processed.
  • Rectification (Art. 16): Correct inaccurate or incomplete data. Most profile fields can be edited directly in your account settings.
  • Erasure — "right to be forgotten" (Art. 17): Request deletion of your data, which we carry out within 30 days. Exceptions apply to data we are legally required to retain (e.g. billing records — see §7).
  • Portability (Art. 20): Receive your account and content data in a structured, machine-readable format (JSON). Email us to request an export.
  • Restriction (Art. 18): Request that processing be restricted while a dispute is pending or accuracy is verified.
  • Object (Art. 21): Object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Not to be subject to solely automated decisions (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects. All material decisions involve human review. See §15.

Provision of data — mandatory vs. voluntary (Art. 13(2)(e)): Email address and name are required to create an account. Without them, the service cannot be provided. All other profile fields (company details, phone, logo, etc.) are optional and their omission has no effect on access to core features.

How to exercise your rights: Email support@casestories.com with subject line "GDPR Request", or write by post to: Vento Digitale di Marco Forlani, Via Pietro Mascagni, 119 - 24033 Calusco d'Adda (BG) - Italy. We will verify your identity before processing the request and respond within 30 days (extendable to 60 days for complex requests, per GDPR Art. 12(3)). No fee is charged for standard requests.

Right to lodge a complaint: You have the right to lodge a complaint with any competent supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement. The lead supervisory authority for this controller is:
Garante per la protezione dei dati personali
www.garanteprivacy.it — Piazza Venezia 11, 00187 Roma — Tel. +39 06.696771
UK residents may also contact the Information Commissioner's Office (ICO): ico.org.uk.

9. Data Security

We implement appropriate technical and organisational measures (TOMs) in accordance with GDPR Art. 32 and the principle of data protection by design and by default (Art. 25), including:

  • HTTPS with TLS 1.2+ for all connections; HTTP requests are redirected to HTTPS
  • Passwords hashed with Argon2id (one-way, salted, not reversible or retrievable)
  • IP anonymisation via SHA-256 + salt hashing (raw IP never stored)
  • CSRF protection tokens on all state-changing requests
  • Rate limiting on authentication, registration, password reset, and API endpoints
  • HttpOnly, Secure, and SameSite=Strict flags on all session cookies
  • SQL injection prevention via prepared statements throughout the codebase
  • Uploaded file validation, MIME-type checking, and storage outside the web root
  • Role-based access control (admin / user separation) with least-privilege principles
  • Regular security reviews and third-party dependency audits
  • Encrypted backup storage within the EU

No system is 100% secure. In the event of a personal data breach, we will notify the Garante within 72 hours of becoming aware (GDPR Art. 33) and affected users without undue delay where the breach is likely to result in a high risk (GDPR Art. 34).

10. International Data Transfers

All primary data — accounts, content, analytics — is stored and processed exclusively on Amazon Web Services (AWS), European Union region. We do not transfer your data outside the EU for any storage or primary processing purpose.

The only transfers outside the EU/EEA are strictly limited to the following:

  • Anthropic (US) — AI text generation only: Transfer covered by Standard Contractual Clauses (GDPR Art. 46(2)(c)) under a signed DPA, supplemented by a Transfer Impact Assessment (TIA). Only project text is transmitted; no personal identifiers are included.
  • OAuth providers (US) — Google, LinkedIn: Transfer covered by the EU–US Data Privacy Framework adequacy decision (Commission Decision of 10 July 2023) or, where applicable, SCCs. This applies only when you actively choose to sign in via these providers.

We do not sell, share, or transfer personal data to any other party outside the EU for marketing, commercial, or technical purposes.

UK GDPR: Users in the United Kingdom are covered by the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018). Transfers to the UK benefit from the EU adequacy decision for the UK. Rights and contact details under §8 apply equally to UK data subjects.

You may request details of the specific safeguards in place by contacting us at support@casestories.com.

11. Children's Privacy

CaseStories is a professional B2B platform not directed to persons under 16 years of age (the GDPR default age of digital consent). We do not knowingly collect personal data from minors under 16. If you believe a child has provided us with personal data, please contact us immediately at support@casestories.com and we will delete it promptly. Note: Italy sets the minimum age for digital services consent at 14 years (D.Lgs. 101/2018 Art. 2-quinquies); we apply the more protective GDPR default of 16 across all jurisdictions.

12. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the Garante (Italian supervisory authority) within 72 hours of becoming aware (GDPR Art. 33), unless the breach is unlikely to result in a risk to individuals' rights and freedoms
  • Notify affected users without undue delay (GDPR Art. 34) where the breach is likely to result in a high risk, unless the data was rendered unintelligible (e.g. encrypted)
  • Include in the notification: nature and scope of the breach, categories and approximate number of affected individuals and records, likely consequences, and measures taken or proposed to address the breach and mitigate its effects
  • Maintain an internal breach register (GDPR Art. 33(5))

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material changes (changes to the purposes of processing, types of data collected, new processors, or material changes to data subject rights) will be communicated to account holders by email at least 30 days before taking effect, and by a prominent notice on the platform. Continued use of the platform after the effective date constitutes acceptance of non-material updates only.

Non-material changes (e.g. clarifications, formatting, updated contact details) may take effect immediately and will be reflected in the "Last updated" date above.

We recommend reviewing this policy periodically. Previous versions are available upon request.

14. Contact

For any privacy-related inquiry, data subject request, or complaint:

  • Email: support@casestories.com — subject line "Privacy / GDPR" for faster routing
  • Postal address: Vento Digitale di Marco Forlani, Via Pietro Mascagni, 119 - 24033 Calusco d'Adda (BG) - Italy
  • Response time: Within 30 days of receipt (extendable to 60 days for complex requests, per GDPR Art. 12(3)). We will acknowledge receipt within 5 business days.

We will verify your identity before processing any data subject request. No fee is charged for standard requests; we may charge a reasonable fee only if requests are manifestly unfounded or excessive (GDPR Art. 12(5)).

15. Automated Decision-Making and Profiling

In compliance with GDPR Art. 13(2)(f) and Art. 22, we confirm the following:

  • We do not engage in any form of automated individual decision-making that produces legal effects or other similarly significant effects on data subjects.
  • We do not engage in profiling as defined in GDPR Art. 4(4) — i.e. any automated processing of personal data to evaluate personal aspects relating to a person, in particular to analyse or predict their behaviour, preferences, interests, or other characteristics.
  • First-party analytics (§2.3) are used solely to produce aggregate, anonymised platform statistics and do not involve individual profiling.
  • AI features (§2.5) generate editorial text based on project descriptions provided by the user. This process does not evaluate, score, classify, or make decisions about any individual.
  • Rate limiting and fraud detection (§3 — Security) involve automated checks, but any account restriction resulting from these checks is subject to human review before enforcement.

If this policy changes to include any profiling or automated decision-making with significant effects, we will update this section and notify users in advance as required by Art. 13(2)(f) and, where applicable, seek consent or offer a meaningful opt-out.

16. No Sale or Commercialisation of Personal Data

We explicitly confirm that:

  • We never sell, rent, lease, barter, or otherwise exchange your personal data for monetary or non-monetary consideration to any third party.
  • We do not share personal data with data brokers, advertisers, or advertising networks.
  • We do not use your personal data for behavioural advertising, interest-based targeting, or cross-context behavioural tracking.
  • We do not use your published case study content to train AI models or for any purpose other than delivering the platform service to you.

This commitment applies regardless of your jurisdiction. California residents: this policy satisfies the "Do Not Sell or Share My Personal Information" right under CCPA/CPRA because we do not sell or share personal information as defined by those laws.

17. Additional Jurisdictions

17.1 UK GDPR

UK residents are protected under the UK GDPR (retained EU law) and the Data Protection Act 2018. The rights set out in §8 apply fully. The lead supervisory authority for UK residents is the Information Commissioner's Office (ICO): ico.org.uk — 0303 123 1113. We do not have a dedicated UK representative; contact details in §14 apply.

17.2 Brazil — LGPD

Brazilian data subjects are protected by the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018). LGPD rights (confirmation of processing, access, correction, anonymisation, portability, elimination, information about sharing, revocation of consent, and review of automated decisions) can be exercised via the contact details in §14. The supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD): gov.br/anpd.

17.3 Switzerland

Swiss residents are protected by the revised Federal Act on Data Protection (revFADP, in force 1 September 2023). The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC): edoeb.admin.ch.

17.4 California — CCPA/CPRA

California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA. As stated in §16, we do not sell or share personal information. California residents may exercise their rights (know, delete, correct, opt-out of sale/sharing, non-discrimination) via the contact details in §14.