Note: This is a courtesy translation provided for information purposes only. This privacy policy is governed by Italian and EU law; in case of any discrepancy, the Italian version prevails.

Privacy Policy

Last updated: 13 June 2026

1. Data Controller

The Data Controller of personal data and the party responsible for the website leoflag.com and the services connected to it is:

  • Controller: Flag di Bua Giuseppe (sole proprietorship)
  • Registered office: Via Umberto 101, 95033 Biancavilla (CT), Italy
  • VAT number: 05888700878
  • Email: [email protected]
  • Website: leoflag.com

2. Types of data collected

Leoflag collects, directly or through third parties, the following categories of personal data:

  • Identification data: first name, last name, business name
  • Contact data: email address, phone number
  • Browsing data: IP address, browser type, pages visited, date and time of access, time spent on the site
  • Payment data: handled entirely by Paddle (we do not store credit card data)
  • Cookies and tracking technologies: technical, analytics and third-party cookies (see our Cookie Policy)

Some business contact data (business name, phone number, address) may be collected from publicly available sources, in particular Google Maps / Google Places and public directories, prior to any initial contact. In such cases we process only the data necessary to offer our services; the data subject receives this notice upon first contact and may object to the processing at any time by writing to [email protected] (Articles 14 and 21 GDPR).

3. Purposes of processing

Personal data is processed for the following purposes:

  • Service provision: creation and management of the website, domain registration, hosting, technical support
  • Account management: registration, authentication, dashboard access
  • Service communications: notifications about site status, renewals, technical updates
  • Billing: issuing invoices, managing payments and renewals
  • Marketing (with explicit consent): sending promotional offers, newsletters, commercial communications
  • Service improvement: usage analytics in aggregated and pseudonymised form to improve the platform

4. Legal basis for processing

Data processing is based on the following legal grounds:

  • Performance of a contract (Art. 6.1.b GDPR): processing is necessary to provide the service requested by the customer
  • Consent (Art. 6.1.a GDPR): for marketing communications and non-essential cookies
  • Legitimate interest (Art. 6.1.f GDPR): for platform security, fraud prevention and service improvement
  • Legal obligation (Art. 6.1.c GDPR): for tax and accounting compliance

Providing identification, contact and billing data is necessary to enter into and perform the contract and to comply with legal obligations: failure to provide it makes it impossible to deliver the service. Providing data for marketing purposes is optional and refusal does not affect the use of the service (Art. 13.2.e GDPR).

5. Data retention

Personal data is retained only for as long as strictly necessary:

  • Account data: for the entire duration of the contractual relationship and until the account is deleted
  • Billing data: 10 years from the date of issue, as required by Italian tax law
  • Browsing data: maximum 26 months
  • Marketing data: until consent is withdrawn

At the end of the retention period, data is deleted or irreversibly anonymised.

6. Your rights (Arts. 15-22 GDPR)

As a data subject, you have the right to:

  • Access (Art. 15): obtain confirmation that processing is taking place and access your data
  • Rectification (Art. 16): obtain the correction of inaccurate data or the completion of incomplete data
  • Erasure (Art. 17): obtain the deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18): obtain the restriction of processing
  • Portability (Art. 20): receive your data in a structured, machine-readable format
  • Objection (Art. 21): object to the processing of your data
  • Withdrawal of consent (Art. 7): withdraw your consent at any time

To exercise your rights, write to [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Italian Data Protection Authority, the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).

7. Disclosure to third parties

Personal data may be disclosed to the following categories of recipients:

  • Supabase Inc. — database, authentication and storage, acting as a data processor (data hosted in an EU region)
  • Hetzner Online GmbH (Germany) — server hosting, acting as a data processor
  • OVH SAS (France) — domain registration and management, acting as a data processor
  • Cloudflare Inc. — CDN, DNS and DDoS protection, acting as a data processor
  • Twilio Inc. / SendGrid — transactional and service emails, acting as a data processor
  • Google LLC — Google Places/Maps API for public business data, acting as an independent controller
  • Paddle.com Market Ltd. — payment processing as Merchant of Record and independent controller of payment data
  • Klarna Bank AB (Sweden) — management of instalment payments, where chosen by the user, as an independent controller

Data is never sold to third parties. Some of these recipients are located outside the EEA: see the following section on international transfers.

8. Transfer of data outside the European Union

Some of the providers we rely on are based in, or may process data in, countries outside the European Economic Area (EEA), in particular the United States of America and the United Kingdom. In such cases, personal data is transferred only where appropriate safeguards are in place pursuant to Articles 44-49 GDPR:

  • United States (e.g. Google LLC, Cloudflare Inc., Twilio Inc. / SendGrid and the parent company of Supabase Inc.): the transfer is governed by the Standard Contractual Clauses approved by the European Commission and, where the importer is certified, by the EU-U.S. Data Privacy Framework (Commission adequacy decision of 10 July 2023)
  • United Kingdom (Paddle.com Market Ltd.): the transfer is based on the adequacy decision adopted by the European Commission on 28 June 2021 for the United Kingdom
  • European Union / EEA (e.g. Hetzner Online GmbH – Germany, OVH SAS – France): data remains within the EEA and does not involve transfers to third countries

You may request a copy of the safeguards in place by writing to [email protected].

9. Cookies

For detailed information about the cookies used on this site, please see our Cookie Policy.

10. Data security

Leoflag adopts appropriate technical and organisational measures to protect personal data from unauthorised access, loss, destruction or disclosure. All data is transmitted over HTTPS with TLS encryption. Passwords are stored in encrypted form and are never accessible in plain text.

11. Automated decision-making and profiling

The platform uses automated systems and artificial intelligence to create websites, provide support and send communications. These systems do not make decisions that produce legal effects concerning the data subject or that similarly significantly affect them within the meaning of Article 22 GDPR: any relevant decision is subject to human oversight. Any profiling for marketing purposes is carried out only with prior consent, which can be withdrawn at any time.

12. Changes to this policy

Leoflag reserves the right to amend this policy at any time. Changes will be published on this page together with the date of the last update, and material changes will be notified by email. We recommend that you check this page periodically.