WingGrow
Last updated: April 15, 2026

GDPR Compliance

WingGrow Technologies is committed to protecting personal data in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. This page summarizes how we support compliance for insurance agencies operating in the European Economic Area and the United Kingdom.

1. Roles: Controller vs. Processor

When your agency uses WingGrow to handle customer leads, claims, or communications, you act as the data controller and WingGrow acts as the data processor. For our own business operations (billing, account management, marketing), WingGrow is the controller.

2. Lawful Bases for Processing

We rely on the following lawful bases: performance of a contract (to deliver the Services), legitimate interests (security, analytics, product improvement), consent (for marketing communications and optional cookies), and legal obligations (tax, accounting, regulatory).

3. Data Subject Rights

Under GDPR, data subjects have the right to:

  • access their personal data,
  • rectify inaccurate data,
  • erase data (“right to be forgotten”),
  • restrict or object to processing,
  • data portability,
  • withdraw consent at any time,
  • lodge a complaint with a supervisory authority.

If you are an end customer of a WingGrow-powered agency, please contact that agency directly. WingGrow will support the agency in fulfilling your request.

4. Data Processing Agreement (DPA)

We offer a GDPR-compliant Data Processing Agreement that incorporates the EU Standard Contractual Clauses. Request a copy at dpa@wingrow.io. The DPA applies automatically to all paid plans.

5. Sub-processors

We maintain a current list of sub-processors, including the services they provide and the regions they operate from. We notify customers before adding new sub-processors and allow a reasonable period in which to object.

6. International Data Transfers

When personal data is transferred outside the EEA/UK, we rely on adequacy decisions where available and on the EU Standard Contractual Clauses (2021/914) combined with supplementary measures such as encryption in transit and at rest.

7. Security Measures

Our technical and organizational measures include TLS 1.2+ in transit, AES-256 at rest, role-based access control, SSO and MFA, continuous monitoring, audit logs, vulnerability scanning, regular penetration testing, and an incident response process.

8. Data Breach Notification

In the event of a personal data breach affecting customer data, WingGrow will notify affected controllers without undue delay and in any case within 72 hours of becoming aware, in accordance with Article 33 GDPR.

9. Data Retention and Deletion

Customer content is retained per your workspace configuration and deleted within 90 days of account closure. Backups are cycled out within an additional 35 days.

10. Data Protection Officer & EU Representative

Data Protection Officer: dpo@wingrow.io. EU Representative under Article 27 GDPR: eu-rep@wingrow.io.

11. Supervisory Authorities

You may lodge a complaint with your local data protection authority. A full list is maintained by the European Data Protection Board.