Privacy Policy

Last update: 2026-06-23 — version 1.0

This policy describes how T.D.E. S.R.L. ("DigyPay" or "Controller") processes personal data of users of the DigyPay / FacilePay platform, in accordance with EU Regulation 2016/679 ("GDPR") and Legislative Decree 196/2003 (Italian Privacy Code).

1. Data Controller

• Legal name: T.D.E. S.R.L.
• VAT: IT[XXXXXXXXXX] (placeholder)
• Registered office: [Street, ZIP, City], Italy (placeholder)
• Certified email (PEC): [pec@tde.legalmail.it] (placeholder)
• Controller email: privacy@digypay.it
• Data Protection Officer: dpo@digypay.it

2. Categories of personal data

• Identification and contact data: first name, last name, email, phone, tax code, VAT number (for merchants).
• Payment data: processed by PCI-DSS compliant providers (Stripe, CardTalento). DigyPay does not store card numbers in plain text.
• Behavioural data: access logs, IP address, user agent, technical and analytics cookies, pages visited.
• Social OAuth data: access tokens for Meta/Facebook, Instagram, TikTok, LinkedIn, YouTube, Pinterest, X/Twitter, Google Business — limited to merchants who authorise automated content publishing.
• Geolocation data: approximate coordinates of the public storefront for nearby-merchant search (with merchant consent).
• User-generated content: contact messages, reservations, reviews, photos uploaded on the storefront.

3. Purposes of processing

1. Service delivery (registration, login, storefront management, payments).
2. Contractual and tax obligations (e-invoicing, AML, document retention).
3. Direct marketing via email/SMS/push (only with explicit opt-in consent).
4. Customer support and complaint management.
5. Security: fraud prevention, abuse monitoring, security logs.
6. Legal obligations and cooperation with judicial authorities.

4. Legal basis

• Performance of contract (Art. 6.1.b GDPR) for service provision.
• Consent (Art. 6.1.a GDPR) for direct marketing, non-technical cookies, social publishing.
• Legal obligation (Art. 6.1.c GDPR) for invoicing and AML.
• Legitimate interest (Art. 6.1.f GDPR) for platform security and fraud prevention.

5. Retention periods

• Tax and accounting data: 10 years (Art. 2220 Italian Civil Code).
• Application and security logs: 24 months.
• Account data: until user-requested deletion, subject to legal obligations.
• Social OAuth tokens: until revocation or account deletion.
• Backups: 30-day rotation; deletion from backups guaranteed within the next cycle after request.

6. Data subject rights

Users may exercise GDPR rights (Art. 15-22) at any time:

• Access (Art. 15)
• Rectification (Art. 16)
• Erasure / right to be forgotten (Art. 17) — see deletion instructions
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Objection (Art. 21)
• Withdraw consent at any time
• Lodge a complaint with the Italian Data Protection Authority

To exercise rights: privacy@digypay.it

7. Transfers outside the EU

Some providers are based outside the EU. Transfers occur with adequate safeguards (EU SCCs 2021/914, EU-US Data Privacy Framework):

• Stripe Inc. (USA) — payments — DPF certified.
• Google / Firebase (USA) — push notifications, analytics — DPF certified.
• Meta Platforms Inc. (USA) — Facebook/Instagram OAuth — DPF certified.
• TikTok Ltd. (Ireland/USA/China) — content publishing — SCC + TIA.
• LinkedIn / Microsoft (USA) — DPF certified.
• Pinterest Inc. (USA) — DPF certified.
• X Corp. (USA) — SCC.

8. Cookies

Cookie usage is described in the dedicated Cookie Policy.

9. Changes to this policy

DigyPay reserves the right to amend this policy. In case of substantial changes, registered users will be notified by email at least 15 days before the changes take effect. The current version is always available at this URL.

10. Contacts

• Controller email: privacy@digypay.it
• DPO: dpo@digypay.it
• Italian version: Versione italiana