Controller
The data controller for this website is [YOUR FULL NAME], [YOUR ADDRESS], Italy, VAT: [PARTITA IVA], email: [YOUR EMAIL] ("we", "us", "StructAuto").
For any privacy-related enquiries or to exercise your rights, contact us directly at the email address above. We will respond within 30 days.
Data We Collect
We collect only the minimum data necessary to provide our services:
| Category | Data collected |
|---|---|
| Account registration | Full name, work email, company / firm name, hashed password |
| License requests | Name, email, company, reason for request |
| Contact form | First name, last name, email, company, inquiry type, message |
| Purchase | Email transmitted to Stripe — we do not store card data |
| Session cookie | HTTP-only session identifier (sid), valid for 8 hours after login |
No tracking. We do not collect IP addresses beyond what is automatically logged by our hosting infrastructure. We do not use analytics cookies, advertising cookies, or any third-party tracking pixels.
Legal Basis (GDPR Art. 6)
Every processing activity is based on one of the following legal grounds:
- Art. 6(1)(b) — contract performance: processing your name and email to deliver your license and manage your account.
- Art. 6(1)(c) — legal obligation: retaining payment records for 10 years (Art. 2220 Codice Civile; D.P.R. 633/72; D.P.R. 600/73).
- Art. 6(1)(f) — legitimate interests: keeping contact-form messages in order to answer your enquiries.
Data Processors (Sub-Processors)
We engage the following sub-processors. Each has agreed to process data only as instructed by us and in compliance with the GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing. stripe.com/privacy | USA — EU-US Data Privacy Framework |
| Render Services, Inc. | Backend API hosting. render.com/privacy | USA |
| Neon / Supabase | Database hosting | EU region where available |
| Resend | Transactional email delivery (verification, password reset, license delivery) | USA |
Data Retention
| Data type | Retention period |
|---|---|
| Account data (name, email, company) | While account is active. After 3 years of inactivity we send a 30-day notice before deletion. Deletable on demand via My Account → Privacy & Account Data. |
| Payment records (email, amount, plan, Stripe session ID) | 10 years from transaction date — required by Italian accounting law (Art. 2220 CC; D.P.R. 633/72; D.P.R. 600/73). Retained even after account deletion. Email field anonymised after 10 years. |
| License records | Retained indefinitely in anonymised form; link to your account severed on deletion. |
| Contact-form messages | Deleted immediately on account deletion, or after 2 years from submission, or on written request — whichever is earliest. |
| License requests (free-license form) | Anonymised on account deletion. Fully deleted after 1 year, or on written request. |
| Password-reset tokens | Immediately after use, or after 1 hour if unused. |
| Session cookie (sid) | Expires 8 hours after login; destroyed immediately on logout. |
Your Rights (GDPR Art. 15–22)
As a data subject under the GDPR you have the following rights. To exercise any of them, email [YOUR EMAIL]. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of all personal data we hold about you, the purposes of processing, and who we share it with.
- Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data. You can also update your name and company directly in your account.
- Right to erasure (Art. 17): Delete your account and data anytime via My Account → Privacy & Account Data → Delete My Account. Payment transaction records cannot be erased before 10 years due to legal obligation under Art. 17(3)(b) GDPR and Art. 2220 Codice Civile.
- Right to restriction of processing (Art. 18): Ask us to pause processing of your data without deleting it.
- Right to data portability (Art. 20): Request a machine-readable copy (JSON/CSV) of personal data you provided and that we process by automated means.
- Right to object (Art. 21): Object at any time to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
- Right not to be subject to automated decision-making (Art. 22): We do not make any automated decisions that produce legal or similarly significant effects about you.
- Right to lodge a complaint (Art. 77): You may complain to the Italian Data Protection Authority (Garante per la protezione dei dati personali): garanteprivacy.it, or to the supervisory authority in your country of residence.
International Transfers
Some processors (Stripe, Render, Resend) are based in the United States. Transfers are covered by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework as applicable.
Changes to This Policy
We will post any material changes on this page and, where appropriate, notify you by email. The "last updated" date at the top of this page will reflect the most recent revision.