Privacy Policy

Last updated: February 9, 2026

This Privacy Policy explains how VOTELIO collects, uses, stores, and protects personal data when you use our website and platform. We process personal data in line with Regulation (EU) 2016/679 (GDPR), national data protection laws, and the ePrivacy rules on cookies and similar technologies.

1. Controller and Contact

VOTELIO is operated by CREBISO (www.crebiso.com).

If you need full corporate identification details for legal documentation, DPA execution, or procurement checks, contact us by email and we will provide them without delay.

2. Roles in Processing

• Controller: for account management, billing, support, service communications, and website analytics/consent operations.
• Processor: for organization content processed in the service on behalf of the customer organization (the customer is the controller for that content).

3. Categories of Data

Depending on your usage, we process the following categories:

Account Data

• Full name
• Email address
• Organization name and affiliation
• Account credentials (passwords are stored in hashed form only)

Usage Data

• Interactions with the platform (features used, actions taken)
• Timestamps of activity
• Session duration and frequency of use

Device & Technical Data

• IP address
• Browser type and version
• Operating system
• Device type and screen resolution
• Referring URLs

Organization Data

• Votes, polls, and ballot configurations created by users
• Issues, proposals, and agenda items
• Documents uploaded to the platform
• Comments and discussion content

Payment Data

• Billing name and address
• Payment method details (processed and stored by payment providers; we do not store full card numbers)
• Transaction history and invoicing records

4. Purposes and Legal Bases (GDPR Art. 6)

• Service delivery and account administration — contract performance (Art. 6(1)(b)).
• Payments, invoicing, and tax/accounting obligations — legal obligation (Art. 6(1)(c)) and contract performance (Art. 6(1)(b)).
• Security, abuse prevention, and core service reliability — legitimate interests (Art. 6(1)(f)).
• Website analytics and marketing cookies or tags — consent (Art. 6(1)(a) and ePrivacy rules).
• Service notifications (non-marketing) — contract performance and legitimate interests.

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect processing that occurred before withdrawal.

5. Data Retention

• Account data: for as long as the account is active and up to 30 days after account deletion.
• Usage/analytics data: retained in analytics systems up to 26 months (or shorter if configured).
• Organization content: for the duration of the subscription; backups are retained on a rolling 30-day basis.
• Payment records: retained as required by applicable accounting and tax law (typically up to 10 years).
• Cookie consent record: stored for up to 180 days, then re-requested.

6. Your Rights

If GDPR applies to your data, you may request access, rectification, erasure, restriction, portability, objection, and consent withdrawal where relevant.

7. Security Measures

• Encryption in transit (TLS)
• Encryption at rest for production storage
• Role-based access control and access logging
• Operational monitoring and backup procedures
• EU-based primary hosting for core systems

8. Recipients and Third-Party Services

We share data only where needed to provide the service or meet legal obligations, including:

• Google Analytics 4 (Google LLC) — website analytics, activated only after consent.
• Google Tag Manager — tag deployment based on your consent choices.
• Payment providers (e.g., Stripe) — payment processing and anti-fraud controls.
• Hosting and infrastructure providers — secure operation of the platform.

9. International Transfers

Some providers may process data outside the EEA (for example in the United States). Where this happens, we use GDPR-compliant safeguards such as:

• European Commission adequacy decisions (where available)
• Standard Contractual Clauses (SCCs)
• Supplementary transfer safeguards when required
• EU-U.S. Data Privacy Framework participation checks where applicable

Cookie Policy

Effective: February 9, 2026

10. Cookies and Similar Technologies

We use cookies and similar storage technologies (including browser local storage) to run the site, remember your consent settings, and, only with consent, run analytics or marketing tools.

11. Categories of Technologies

Strictly Necessary

Required to provide core functionality, security, and consent preference management. These are enabled by default.

• Session and security support
• Language or interface preferences
• Consent preference record

Analytics

Used only if you opt in. They help us understand aggregate usage patterns and improve performance.

Marketing

Used only if you opt in. They can be used to measure campaign performance and advertising relevance.

12. How to Manage Consent

• Consent banner: displayed on first visit with Accept all, Reject all, and granular customization options.
• Anytime withdrawal: click the persistent Cookie settings control shown on the site and update your preferences at any time.
• Browser controls: you can also block or delete cookies via browser settings.
• Google Analytics opt-out: available at Google Analytics Opt-out Browser Add-on.

13. Cookie and Storage Details

14. Changes to This Policy

We may update this policy to reflect legal, operational, or product changes. The date at the top of this page is updated when we publish changes.

Where required by law, we will request fresh consent before applying changes to consent-based processing.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our Cookie Policy, or the way we handle your personal data, please contact us: