This Privacy Policy is issued in compliance with Regulation (EU) 2016/679 («GDPR»), Italian Legislative Decree 196/2003 as amended, and Directive 2002/58/EC («ePrivacy»), describing how personal data of NEXO IP users is processed.
The Data Controller is [NEXO IP — LEGAL ENTITY PLACEHOLDER].

| Name | [PLACEHOLDER] |
|---|---|
| Registered office | [ADDRESS PLACEHOLDER] |
| VAT / Tax ID | [PLACEHOLDER] |
| Email | privacy@nexoip.it |
| Certified email (PEC) | [PEC PLACEHOLDER] |

Pursuant to Art. 37 GDPR, the Controller has assessed the obligation to appoint a DPO. [Select one option — PLACEHOLDER]:

| Category | Examples |
|---|---|
| Account data | Username, email, password hash, role, creation date, registration and login IP |
| Notification recipient contacts | Name, email, phone number of contacts configured by the user. Encrypted at rest (AES-128 Fernet). |
| SIA-IP events | Event code, timestamp, partition, zone, description, control panel IP. Do not directly identify natural persons. |
| Notification logs | Send tracking (timestamp, channel, outcome) for service accountability. |
| Technical and security logs | IP, user-agent, access timestamps, failed attempts, IP bans. |
| Payment data | Amount, method, outcome. Card data does NOT transit our servers: it is collected directly by Stripe. |
| Consents | Accepted policy version, timestamp, IP, user-agent (Art. 7 GDPR — accountability). |
| Push subscriptions / WebAuthn credentials | Browser push endpoint, biometric/passkey credentials when activated by the user. |


| Purpose | Legal basis | Categories |
|---|---|---|
| Providing the SIA-IP reception service and multi-channel notifications | Contract performance (Art. 6.1.b) | Account, contacts, events, logs |
| Authentication, session management, fraud/abuse prevention | Contract + legitimate interest (Art. 6.1.f) for security | Account, technical logs |
| Payment processing and top-ups | Contract performance (Art. 6.1.b) | Payment data |
| Accounting, tax and administrative obligations | Legal obligation (Art. 6.1.c) | Payment data, invoicing |
| Defense in legal proceedings | Legitimate interest (Art. 6.1.f) | All relevant categories |
| Service improvement (anonymous/aggregate analytics) | Legitimate interest (Art. 6.1.f) | Aggregated technical logs |

The service does NOT perform direct marketing, profiling or automated decision-making under Art. 22 GDPR.

| Sub-processor | Service | Data | Location | Safeguards |
|---|---|---|---|---|
| Twilio Inc. | SMS, WhatsApp, voice calls | Recipient phone number, alert content | USA (EU regions available) | EU Standard Contractual Clauses (2021/914) + Twilio DPA |
| Stripe Inc. / Stripe Payments Europe Ltd. | Payment processing, billing | Customer email, transaction ID, amounts (card data NOT transiting our servers) | USA / Ireland (EU) | EU SCC + Stripe DPA + PCI-DSS |
| SMTP provider (authsmtp.securemail.pro) | Transactional email (OTP, notifications, alerts) | Recipient email, message content | European Union | TLS connections, DPA with vendor |
| Hosting infrastructure | Server hosting, database storage | All application data | European Union — [PROVIDER PLACEHOLDER] | DPA with provider, encryption in transit and at rest (disk) |
| Web Push (self-hosted VAPID) | Browser push notifications | Encrypted browser endpoint, notification payload | Endpoints managed by user's browser (Google FCM / Mozilla / Apple) | Endpoints encrypted with locally generated VAPID keys |


| Category | Retention |
|---|---|
| Account data (active) | Duration of contractual relationship |
| Account data after deletion | Immediate anonymization on data subject request |
| Recipient contacts | User-controlled, editable / deletable anytime |
| SIA-IP events | 7 days (automatic deletion) |
| Notification logs | 7 days (automatic deletion) |
| Technical security logs | 90 days |
| GDPR audit log (Art. 5(2) accountability) | 5 years |
| Completed DSAR requests | 3 years |
| Tax/invoicing documents | 10 years (Italian Civil Code Art. 2220) |
| Push subscriptions | 90 days from last activity |
| Pending registrations (unverified OTP) | 30 days |

Application data is hosted on infrastructure located in the European Union. Transfers to third countries occur only towards:
You may exercise the following rights anytime (Arts. 15-22 GDPR):
Self-service: registered users can directly exercise access (data export), rectification and erasure via the Privacy Dashboard. For more complex requests (portability, restriction, objection) contact privacy@nexoip.it. We respond within 30 days (extendable to 60 in complex cases, Art. 12 GDPR).
The service uses strictly necessary technical cookies only (authenticated session, CSRF protection, language preference). These cookies are exempt from prior consent under Art. 122 D.lgs 196/2003 and Art. 5.3 of the ePrivacy Directive. See the Cookie Policy for details.
The Controller performed a preliminary impact assessment under Art. 35 GDPR, classifying processing as low/medium risk: no special categories (Art. 9), no large-scale systematic monitoring, no automated decision-making. A DPIA summary is available upon reasoned request at privacy@nexoip.it.
The Controller maintains a Record of Processing Activities pursuant to Art. 30 GDPR. It is available to the supervisory authority and, upon reasoned request, to data subjects.
This notice may be updated to reflect legal, organizational or technological changes. Material changes will be notified to registered users and require renewed explicit acceptance at next login. Previous versions are available at /legal/versions/.
By accepting this Privacy Policy, you confirm having read, understood and consented to processing for the purposes set out, within the limits of the legal bases indicated.