AFFLU WEBAPP PRIVACY POLICY
Last updated: 26/03/2025
1. DATA CONTROLLER
AFFLU S.r.l., Piazza Santiago del Cile No. 8, 00197 Rome (RM), Italy, VAT No. 18294811007.
Contact: privacy@afflu.eu
2. SCOPE OF APPLICATION
This notice governs processing of personal data through the web application at app.afflu.eu.
It applies to users who: create an account; request Dashboard access; access the restricted area; interact with WebApp functionalities; or, where applicable, enter into an agreement with Afflu.
The WebApp is intended exclusively for subjects acting for professional purposes and may only be used by users who have reached the age of majority.
Account creation does not entail automatic conclusion of any contract.
Where services governed by an Agreement are used, Afflu may also act as data processor pursuant to Article 28 GDPR.
3. CATEGORIES OF DATA PROCESSED
3.1 Data provided during registration
First name, last name, email address, password (stored in encrypted form via hashing), organization indication.
3.2 Data processed during WebApp use
Authentication logs (successful or failed), account status, operation timestamps, internal technical identifiers. The WebApp does not store payment instrument data, complete tax data, or financial information.
3.3 Technical data
IP address (at infrastructure level), device and browser information, metadata necessary for system security and stability.
4. PURPOSES AND LEGAL BASES
- 4.1 Account creation and management — legal basis: Article 6(1)(b) GDPR.
- 4.2 Pre-contractual phase management and user contact — legal basis: Article 6(1)(b) GDPR. These communications do not constitute marketing and do not require consent.
- 4.3 Contract performance — legal basis: Article 6(1)(b) GDPR.
- 4.4 Compliance with legal obligations — legal basis: Article 6(1)(c) GDPR.
- 4.5 Security and system protection — legal basis: Article 6(1)(f) GDPR.
- 4.6 Promotional communications — legal basis: Article 6(1)(a) GDPR. The WebApp does not provide for automatic subscription to newsletters or promotional communications.
5. METHODS OF PROCESSING AND SECURITY MEASURES
Data are processed by electronic and telematic tools in compliance with the principles of lawfulness, fairness, and transparency.
Data are processed mainly on cloud infrastructures within the EEA. Certain providers may entail transfers outside the EEA in compliance with GDPR safeguards.
Technical and organizational measures pursuant to Article 32 GDPR: encryption in transit, encryption at rest, credential protection via hashing, access control, backup systems.
Technical credentials (API tokens, access keys) are processed through encryption and are not accessible in plain text.
6. DATA RETENTION
Without an agreement: account data are retained for a maximum of 24 months from registration.
With a contractual relationship: data are retained for the duration of the relationship and thereafter for the time necessary to comply with legal obligations.
Deleted data may remain in backup systems for generally no more than 30 days.
In the event of account deletion, data may be anonymized in accordance with internal technical procedures.
7. RECIPIENTS OF THE DATA
Third parties acting on behalf of the Controller: cloud service providers, hosting providers, database management providers, technical infrastructure providers, transactional email service providers, communication service providers, professional advisers. These parties are appointed as data processors pursuant to Article 28 GDPR where required.
8. DATA TRANSFERS OUTSIDE THE EEA
Transfers take place in compliance with Articles 44 et seq. GDPR, through Standard Contractual Clauses or other applicable instruments. Certain providers may entail transfers to countries outside the EEA (e.g. the United States).
9. RIGHTS OF THE DATA SUBJECT
The data subject may exercise rights under Articles 15-22 GDPR: access, rectification, erasure, restriction, portability, objection.
Requests may be sent to: privacy@afflu.eu.
The data subject has the right to lodge a complaint with the Italian Data Protection Authority.
10. AUTOMATED DECISION-MAKING
The WebApp does not use automated decision-making processes pursuant to Article 22 GDPR.
11. AMENDMENTS TO THIS NOTICE
The Controller reserves the right to update this notice for legal or technical changes. Amendments shall be published on the WebApp with the relevant update date.