Privacy Policy

Categories of personal data processed

When you use the site and purchase software licences, we may process the following categories of personal data:

• Identification and contact data: first name, last name, company name, email, phone number.
• Billing and tax data: company name, billing address, VAT number, tax code, electronic invoicing code / PEC.
• Payment data: handled directly by the payment service provider (e.g. Stripe). We do not receive or store full credit card data.
• Order data: products purchased, amount, date, order status, licence key issued.
• Communication data: content of messages sent through the contact, withdrawal or support forms.
• Technical and browsing data: IP address, browser type, device, operating system, pages visited, interaction events with the site.
• Visitor identifier: anonymous visitor ID, stored in localStorage for ecommerce functionality and anti-fraud purposes.
• Cookie preferences: status of consent for each cookie category.
• Marketing communications: only with explicit consent (e.g. newsletter sign-up).

Purposes of processing

Personal data is processed for the following purposes:

• Performance of the contract of sale: order management, issuance and delivery of licences, invoicing, after-sales support, handling of withdrawals, refunds and complaints.
• Compliance with tax, accounting and legal obligations: invoice issuance, document retention, communications to competent authorities.
• Handling of requests submitted through the site forms (contact, quotes, training, support, withdrawal).
• Site security, fraud prevention, protection of systems and users.
• Statistical analysis and improvement of the site, by means of analytics tools and technical/analytical cookies within the limits of the consent provided.
• Notification to the seller of abandoned carts in order to follow up with the user, only if they have provided their contact details.
• Direct marketing, newsletters and promotional communications, only with explicit consent that may be revoked at any time.

Legal bases

Processing of personal data is based on one or more of the following legal bases under Article 6 of the GDPR:

• Performance of a contract or pre-contractual measures at the data subject's request (Art. 6.1.b): for the management of orders, licences, withdrawals, refunds and support.
• Compliance with legal obligations (Art. 6.1.c): for tax, accounting, civil law and consumer protection obligations.
• Legitimate interest of the Controller (Art. 6.1.f): for site security, fraud prevention, aggregate statistical analysis, follow-up of abandoned carts for users who have provided their data, and request handling.
• Consent of the data subject (Art. 6.1.a): for non-technical cookies, marketing communications and any further processing not covered by the bases above.

Recipients and data processors

To deliver the ecommerce services we rely on carefully selected external providers acting as data processors (Art. 28 GDPR). The main categories of recipients are:

• Payment provider (e.g. Stripe): processes payments made by card or other methods offered at checkout.
• ERP and CRM system (Holded): invoice issuance, contact management and customer master data.
• Hosting and database provider (Firebase, MongoDB Atlas): storage and accessibility of site and order data.
• Email service provider (SMTP / Gmail Workspace): sending of transactional emails (order confirmations, auto-replies, withdrawal communications) and customer support communications.
• Analytics and measurement tools (Google Analytics): aggregate analysis of site usage, activated only with consent.
• Security and infrastructure services (Cloudflare): protection of the site against attacks and abuse.
• Professional advisors (accountants, lawyers) and public authorities, in cases provided by law.

Transfers of data outside the EU

Some of the providers indicated above may involve the transfer of data outside the European Economic Area. In such cases, transfers are carried out in compliance with the GDPR, in the presence of an adequacy decision by the European Commission or appropriate safeguards such as Standard Contractual Clauses. A copy of the safeguards applied may be obtained on request.

Data retention

Personal data is retained for the time strictly necessary for the purposes for which it was collected, and in particular:

• Order and billing data: for the period required by applicable tax and civil law (typically 10 years).
• Contact data and form requests: for the time needed to handle the request and for any subsequent periods required by law or by the legitimate interest of the Controller.
• Marketing and newsletter data: until the data subject withdraws consent.
• Tracking and analytics data: for the period indicated in the Cookie Policy and in any case no longer than necessary for statistical purposes.
• Withdrawal request data: for the time needed to handle them and for the periods required by consumer protection law.

Security measures

We adopt technical and organisational measures appropriate to ensure the security of personal data, in accordance with Article 32 of the GDPR, including encryption of communications (HTTPS), access control, environment segregation, backups and incident management procedures.

Rights of the data subject

As a data subject, you may exercise at any time the rights provided by Articles 15-22 of the GDPR, in particular:

• Right of access to personal data and to obtain a copy of it.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure (right to be forgotten), in the cases provided by law.
• Right to restriction of processing.
• Right to data portability of the data provided, in a structured and machine-readable format.
• Right to object to processing based on legitimate interest or for direct marketing purposes.
• Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right not to be subject to decisions based solely on automated processing producing significant legal effects.

How to exercise your rights

To exercise the rights indicated above you may write to the email address of the Data Controller indicated on this page, attaching an identification document where necessary for verification. We will reply without undue delay and in any case within the time limits set by the GDPR.

Complaint to the supervisory authority

If you believe that the processing of your personal data is in breach of the GDPR, you have the right to lodge a complaint with the competent supervisory authority: in Italy, the Garante per la protezione dei dati personali (https://www.garanteprivacy.it); in Spain, the Agencia Española de Protección de Datos (https://www.aepd.es); or with the supervisory authority of your habitual residence, place of work or place of the alleged infringement.

Changes to this notice

We reserve the right to update this notice at any time, in particular to adapt it to regulatory changes or to changes in the services offered. Any changes will be published on this page with the date of the last update.