Legally binding version: Italian
The legally binding version of this document is the Italian one. This English translation is provided for convenience and may not reflect the most recent changes.
Privacy Policy
Information on the processing of personal data pursuant to Articles 13-14 of Regulation (EU) 2016/679 (GDPR).
Last revision: 3 June 2026 — Version 1.4.5
ℹ️ Email Campaigns cutover in progress — the internal custom email management system (sections §2.17, §2.18, §5bis, §8, §9bis) is in progressive cutover since 31 May 2026. Operational: transactional emails of the SYSTEM category (account verification, password reset, payment confirmation, etc.) via Brevo, preference center §9bis, RFC 8058 one-click unsubscribe, custom link tracker EasyBorderò, anti-fraud unsubscribe IP hash §2.18. The PRODUCT_UPDATE and MARKETING categories are technically prepared but their actual sending will be enabled progressively, with explicit notification to users at go-live. Until then, no PRODUCT_UPDATE or MARKETING emails are sent to users. The legally binding version is the Italian original.
1. Data Controller
Tune Mates di Olivari Marco (sole proprietorship) — VAT IT03340720212
Registered office: Via Aurelio Nicolodi, 5 — 39100 Bolzano (BZ), Italy
Email: support@easybordero.it
2. Categories of data processed and purposes
2.1 Account data
Name, email, password hash (bcrypt), registration date, subscription plan, preferred language.
Purpose: service delivery, authentication, technical communications.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract.
2.2 Tax and billing data
Tax code, VAT number, business name, address (street, postal code, city, province, country), legal form, SDI recipient code, PEC, REA number. Tax code and VAT number are encrypted at-rest with AES-256-GCM (server-side managed key, key rotation supported).
Purpose: mandatory electronic invoicing via SDI for each payment and tax compliance pursuant to Italian Presidential Decree (D.P.R.) 633/72.
Legal basis: Art. 6(1)(c) GDPR — legal obligation + Art. 6(1)(b) — performance of the contract.
2.3 SIAE credentials
SIAE portal username and password, encrypted with AES-256-GCM (key rotation and per-user AAD). The SIAE session token is stored only in Redis with a maximum TTL of 45 minutes and is not persisted to the database.
Purpose: automated submission of music reports (subject of the contract).
Legal basis: Art. 6(1)(b) GDPR.
2.4 SIAE email hash (anti-abuse)
Deterministic SHA-256 of the normalized SIAE email, stored in siae_accounts.email_hash and users.first_siae_email_hash. It allows pseudonymized identification of the user↔SIAE binding uniqueness without decrypting the plaintext email. Retention: contract duration + audit retention (see §5).
Purpose: prevention of trial period abuse and 1 user = 1 SIAE account binding.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (LIA documented) + Art. 6(1)(b) — performance of the contract.
2.5 Anti-abuse audit and application logs
Logs of blocked SIAE connection attempts (collision, unauthorized change), consumed/recovered Stripe trial, admin transfers, login events, account status changes. Includes: request IP/User-Agent, masked hash, masked user_ids. Retention 365 days (configurable via audit_log_retention_days).
Purpose: security, fraud prevention, GDPR Art. 32 accountability.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest.
2.6 Usage data
Playlist imports, music programs, imported tracks, generated reports, SIAE submission outcomes.
Purpose: service delivery; aggregated anonymous statistics.
Legal basis: Art. 6(1)(b) GDPR.
2.7 AI-assisted matching (Google Gemini)
To improve the accuracy of matching imported tracks with the SIAE catalog, EasyBorderò uses Google Gemini (model gemini-2.5-flash). Data sent to Gemini is limited to: artist, title, duration of the track. No personal data of the user is sent. No audio file is transmitted. Requests go through Google in "no-training API" mode: Gemini does not use this data to train its models (cf. Google AI Terms of Service for API). Feature can be enabled/disabled by admin (ai_search_enabled).
Purpose: improving SIAE match quality.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract. US transfer via SCC (see §6).
2.8 Automated support email triage (Anthropic Claude)
Emails sent to support@easybordero.it are read by the automated Support Agent, which performs local pre-scrubbing to remove/replace the following sensitive data from the email body before sending to Claude: email addresses (replaced with placeholders), tax codes, VAT numbers, IBAN, Stripe identifiers (cus_…, sub_…, pi_…, in_…), credit card numbers, passwords. Only the "scrubbed" text is sent to Anthropic Claude for ticket classification and response draft generation. The draft is saved locally in IMAP under the "Drafts" folder and is not automatically published. No data is sent to Claude for fine-tuning (cf. Anthropic DPA).
Purpose: operational efficiency of customer support.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest. US transfer via SCC (see §6).
2.9 Payment data
Payments are processed by Stripe Inc. — EasyBorderò does not store credit card data. We retain: Stripe customer ID, subscription ID, subscription status, amount, VAT. The metadata Customer.metadata.eb_used_trial = "true" is sent to Stripe to ensure free trial uniqueness even in case of database disaster recovery.
Purpose: subscription management, billing, and trial abuse prevention.
Legal basis: Art. 6(1)(b) GDPR + Art. 6(1)(f) — legitimate interest (anti-abuse). US transfer via SCC.
2.10 SDI electronic invoicing
Tax data (tax code, VAT, business name, address, SDI/PEC, REA) is transmitted via Stripe to ACube S.r.l. (registered in Italy, EU), which acts as the issuer of electronic invoices to the Italian Revenue Agency's Interchange System (SDI).
Purpose: tax obligations under D.P.R. 633/72 and Ministerial Decree 30/04/2018.
Legal basis: Art. 6(1)(c) GDPR — legal obligation.
2.11 Cookies and analytics
Technical JWT cookies for authentication. Microsoft Clarity behavioral analytics (anonymized, only with explicit consent). Plausible Analytics traffic analytics (privacy-friendly, no cookies, legitimate interest). Marketing/retargeting cookies and the Meta Pixel (Facebook/Instagram), activated only upon explicit consent to the "marketing" category of the cookie banner. More details in §8.
2.12 Anti-bot verification (Cloudflare Turnstile)
After a limited number of failed login attempts, the platform requires the completion of a Cloudflare Turnstile challenge (invisible CAPTCHA). Cloudflare receives: IP, user-agent, a session token, and browser anti-fraud signals. Feature can be enabled/disabled by admin.
Purpose: protection against automated credential stuffing attacks.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in infrastructure security. US transfer via SCC.
2.13 Compromised password verification (HIBP — k-anonymity)
During registration and password reset, the platform checks whether the password chosen by the user appears in public databases of leaked credentials, consulting the "Have I Been Pwned" Pwned Passwords API in k-anonymity mode: the SHA-1 hash of the password is computed and only its first 5 hexadecimal characters are sent to HIBP, which returns, for every leaked hash sharing that prefix, the remaining 35 characters together with a breach count; the comparison with our full hash then happens locally. Neither the plaintext password nor its full hash ever leaves our servers.
Purpose: protection of the user's account.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest.
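The following Python snippet is an illustration added to this page, not EasyBorderò's own implementation, of the k-anonymity lookup described above. The range response body, the breach counts and the function names are constructed for the example; the only genuine value is the SHA-1 of the string "password", whose 35-character suffix appears in the sample. It also handles the filler rows (count 0) that the API returns when padding is requested, which must never be counted as a breach.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body the Pwned Passwords range endpoint returns
# for prefix 5BAA6. Each line is "<35 hex chars of suffix>:<breach count>".
# The second suffix is the genuine SHA-1 suffix of the string "password"; the
# counts and the other two rows are made up. A count of 0 is what the API's
# optional Add-Padding mode uses for filler rows, so 0 never means "breached".
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2F0EEE4F3C9B7B0B6D8A9C0E1F2A3B4C5:0
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to HIBP
    and the 35-char suffix that stays on our side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Map suffix -> breach count. Malformed lines are skipped, not trusted."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char prefix is handed to fetch_range; the
    suffix comparison happens locally, so the full hash never leaves the process."""
    prefix, suffix = sha1_prefix_suffix(password)
    assert len(prefix) == 5
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTPS call; serves the constructed sample for 5BAA6."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str, user_agent: str = "EasyBordero-example") -> str:
    """The real range request (not executed in this example). Add-Padding asks
    HIBP to pad the response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": user_agent},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def is_compromised(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> bool:
    """True when the password appears in a leak with a non-zero count."""
    return breach_count(password, fetch_range) > 0
```

In production `live_fetch` replaces `offline_fetch`; a network failure should be treated as "unknown" (log and let registration proceed, or retry) rather than as "safe", and the password itself should never appear in logs.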
2.14 Referral analytics (links /r/<code>)
When a visitor clicks a referral link distributed by one of our users, we log: timestamp, a salted hash of the IP address truncated to /24 (IPv4) or /64 (IPv6), computed with a secret salt (the plaintext IP is never stored), user-agent, referer (stripped of query string and fragment). No cookies are set. Automatic deletion after 180 days.
Purpose: measurement of referral campaign effectiveness and fraud prevention.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest (LIA documented).
2.15 Publication on social channels (optional)
At the user's initiative, EasyBorderò may publish content (report artwork, images, text) on social pages owned by the user and connected to the platform (e.g. Meta — Facebook and Instagram). Publication occurs only with explicit user authorization and through official Meta Graph APIs. EasyBorderò does not publish anything without the user's explicit command.
Purpose: facilitating the promotion of the user's professional activities.
Legal basis: Art. 6(1)(a) GDPR — explicit consent + Art. 6(1)(b) — performance of the contract.
2.16 Registration consent
At the time of registration, explicit consent to the Terms of Service and Privacy Policy is required via checkbox. Timestamp and version of consent are recorded in the database.
Legal basis: Art. 7 GDPR — verifiable consent.
2.17 Email communications and legal bases (NEW in v1.4)
EasyBorderò sends several categories of emails to its users, each with a specific legal basis and distinct preference management mechanisms.
2.17.1 Transactional and service emails (SYSTEM)
Includes: account verification (registration confirmation), password reset, payment confirmations and receipts, payment status notifications (e.g. failed payment), plan change notifications, account security alerts, technical notifications essential to service operation.
Purpose: performance of the service contract.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract. As these are communications strictly necessary for the delivery of the purchased service, they are not subject to opt-out; the only way to stop receiving them is to delete the account.
2.17.2 Product updates (PRODUCT_UPDATE)
Includes: announcements of new features, significant UX improvements, operational tips on correct service usage, deprecation notices, changes in pricing or policy. Does not include commercial offers, discounts, promotions, or third-party advertising content (those fall under §2.17.3 MARKETING).
Purpose: keeping the user informed about the evolution of the purchased service (contract value continuity, supplier's duty to inform).
Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the data controller, recognized by GDPR Recital 47 for product communications to existing customers. Default active for all registered users. The Legitimate Interest Assessment (LIA) is documented in docs/GDPR_LIA_EMAIL_PRODUCT_UPDATE.md and available on request.
Opt-out: guaranteed immediately, free of charge, and in technically compliant manner (RFC 8058 one-click) via the Unsubscribe link in the footer of every PRODUCT_UPDATE email, as well as from the preference center (§9bis). Opt-out takes immediate effect; no "we are processing your request" emails are sent.
Typical frequency: at most 2-3 sends per month, with automatically applied anti-fatigue system.
2.17.3 Direct marketing (MARKETING)
Includes: commercial offers, seasonal promotions, educational content with purchase/upgrade calls-to-action, partnership announcements, editorial content for re-engagement purposes.
Purpose: commercial acquisition and retention.
Legal basis: Art. 6(1)(a) GDPR — explicit consent of the data subject + Art. 130 of Italian Legislative Decree 196/2003 (Italian Privacy Code). Default inactive: no MARKETING email is sent in the absence of explicit consent collected via the preference center or a dedicated checkbox (not pre-ticked) at the time of registration.
Burden of proof of consent: each change in consent status (opt-in, opt-out, modification) is tracked immutably with UTC timestamp, version of the Privacy Policy active at the time, text of the checkbox shown, and cited legal basis, in compliance with Art. 7 GDPR.
Revocation: consent can be revoked at any time with the same ease with which it was granted (Art. 7(3) GDPR), via the Unsubscribe link in each email or from the preference center.
2.17.4 Email sub-processor
Emails are delivered through Brevo SAS (France, EU), acting as email processor. Delivery traceability (delivered, bounce, complaint) is obtained via signed Brevo webhooks. The Brevo platform is configured with global anonymization of open pixels and click tracking: such events are aggregated and cannot be traced to a specific user in Brevo logs. Only for users who have given explicit consent to engagement tracking (default off), a custom EasyBorderò link tracker records clicks in a form attributable to the individual user, for the sole purpose of aggregate engagement analysis. More details in §8.
2.18 Email IP hash retention (anti-fraud unsubscribe) (NEW in v1.4)
For each email sent, the IP address from which the unsubscribe and preference center links are used is recorded in pseudonymized form, as a SHA-256 hash computed with a secret salt that is rotated annually. The purpose is to prevent automated abuse of the opt-out mechanisms (e.g. bots unsubscribing other users) and to identify patterns of abuse. The plaintext IP address is never stored; the annual salt rotation prevents correlation across rotation periods. Retention: 90 days for the IP hash, aligned with the email send log (see §5bis).
Purpose: integrity of the unsubscribe mechanism, prevention of automated fraud.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security of the opt-out mechanism.
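The salted, truncated IP hash used both for referral analytics (§2.14) and for the anti-fraud unsubscribe hash (§2.18), as an illustration added to this page in Python (not EasyBorderò's own code). It assumes the salt is used as an HMAC key rather than concatenated, and the `yearly_salt` derivation from a master secret is an assumption for the example; the page only states that the salt is secret and rotated annually.

```python
import hashlib
import hmac
import ipaddress


def network_prefix(ip: str) -> str:
    """Truncate the address so the hash identifies a network, not a host:
    /24 for IPv4, /64 for IPv6. Raises ValueError for anything that is not an IP."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Keyed SHA-256 (HMAC) of the truncated prefix. An unkeyed SHA-256 would be
    reversible by enumerating all 2^24 IPv4 /24 prefixes, so the salt must stay
    secret; using it as the HMAC key avoids any ambiguity of salt||prefix concatenation."""
    return hmac.new(salt, network_prefix(ip).encode("ascii"), hashlib.sha256).hexdigest()


def yearly_salt(master_secret: bytes, year: int) -> bytes:
    """Assumed scheme for the annually rotated salt: derive it from one master secret
    and the year, so hashes from different years cannot be linked without the master."""
    return hmac.new(master_secret, f"ip-hash-salt-{year}".encode("ascii"), hashlib.sha256).digest()
```

Two hosts in the same /24 produce the same hash (which is what makes the value useful for rate patterns while keeping it a pseudonym), and the same host hashed under two different yearly salts produces unrelated values.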
3. Legal basis of processing (summary)
- Art. 6(1)(b) — Performance of the contract: account data, SIAE credentials, usage data, AI track matching, payments, authorized social publication, SYSTEM transactional emails.
- Art. 6(1)(c) — Legal obligation: billing data and SDI electronic invoices, retained for 10 years (D.P.R. 633/72).
- Art. 6(1)(f) — Legitimate interest: access and audit logs, SIAE anti-abuse, Support Agent AI, Cloudflare Turnstile, compromised password check, referral analytics, Plausible, PRODUCT_UPDATE emails (with documented LIA), anti-fraud unsubscribe IP hash.
- Art. 6(1)(a) — Consent: Microsoft Clarity, Meta Pixel (conversion measurement and marketing/retargeting, "marketing" category of the cookie banner), social publication, acceptance of Terms and Privacy at registration, MARKETING emails (explicit consent + Art. 130 of Italian Legislative Decree 196/2003).
4. Data processors (Sub-processors)
| Entity | Role | Location | DPA / Privacy |
|---|---|---|---|
| Stripe Payments Europe Ltd | EU Merchant of Record for checkout/subscriptions (controller entity for EU customers) | Ireland (EU) | stripe.com/legal/dpa |
| ↳ Stripe Inc. | Technical payment processing (sub-processor of Stripe Payments Europe Ltd, PCI DSS processor) | USA (SCC + EU-US DPF) | stripe.com/legal/dpa |
| ACube S.r.l. | SDI electronic invoice issuance (Stripe App integration) | Italy (EU) | acubeapi.com |
| Brevo SAS | Delivery of transactional, PRODUCT_UPDATE and MARKETING emails. Global pixel/click anonymization active. Brevo sub-processors detailed below. | France (EU) | brevo.com/legal/termsofuse (DPA in Appendix 3) |
| ↳ OVH | Brevo infrastructure hosting (Brevo sub-processor) | France (EU) | ovhcloud.com/personal-data-protection |
| ↳ Google Cloud Platform | Brevo infrastructure hosting (servers in Belgium) | Servers BE (EU) — vendor USA (SCC + EU-US DPF) | cloud.google.com/terms/dpa |
| ↳ Cloudflare | Brevo infrastructure CDN and WAF (Data Localization Suite active) | USA (SCC + EU-US DPF) | cloudflare.com/cloudflare-customer-dpa |
| ↳ Zendesk | Brevo internal ticketing/support tool | USA (SCC + BCR) | zendesk.com/dpa |
| ↳ Omni | Brevo internal dashboards | USA (SCC + EU-US DPF) — EU servers | Brevo sub-processor, see Brevo DPA Appendix 3 Annex 2 |
| ↳ Brevo GmbH | Customer Experience & Maintenance (Brevo group company) | Germany (EU) | See Brevo DPA Appendix 3 Annex 2 |
| ↳ Brevo CRM Solution | Customer Experience & Maintenance (Brevo group company, India) | India (SCC + additional measures) | See Brevo DPA Appendix 3 Annex 2 |
| ↳ Sendinblue Inc. | Customer Experience & Maintenance (Brevo group company, USA) | USA (SCC + EU-US DPF) | See Brevo DPA Appendix 3 Annex 2 |
| Aruba S.p.A. | IMAP mailbox support@easybordero.it (reading emails for triage). IMAP mailbox dmarc@easybordero.it (DMARC report reception). SMTP for manual emails of the data controller. | Italy (EU) | aruba.it/informativa-privacy |
| Hetzner Online GmbH | Server hosting and cloud infrastructure | Germany (EU) | hetzner.com/legal/privacy-policy |
| Google LLC — Gemini API | SIAE track AI matching + automated translation of editorial content | USA (SCC) | cloud.google.com/terms/dpa |
| Google LLC — OAuth | "Sign in with Google" authentication (optional) | USA (SCC) | policies.google.com/privacy |
| Google LLC — Fonts | Typographic font loading (self-hosted via Next.js) | USA | policies.google.com/privacy |
| Anthropic PBC | AI triage of support emails (Claude). Local pre-scrubbing of IBAN/tax code/VAT/Stripe IDs/cards/passwords before sending. | USA (SCC) | anthropic.com/legal/dpa |
| Cloudflare, Inc. — Turnstile | Anti-bot CAPTCHA in case of suspicious login attempts | USA (SCC) | cloudflare.com/cloudflare-customer-dpa |
| Microsoft Corporation | Clarity analytics (user behavior, by consent) | USA (SCC) | aka.ms/DPAClarity |
| Plausible Analytics | Web traffic analysis (privacy-friendly, no cookies) | EU | plausible.io/data-policy |
| Have I Been Pwned (Pwned Passwords API) | Compromised password check in k-anonymity mode (only the first 5 hex characters of the SHA-1 hash are sent) | UK / Cloudflare | haveibeenpwned.com/Privacy |
| Meta Platforms, Inc. | Content publication on Facebook/Instagram (only if the user connects an account and authorizes publication) | USA (SCC) | facebook.com/legal/dataprocessingterms |
| Meta Platforms Ireland Limited | Meta Pixel — conversion measurement (free-trial registrations) + marketing/retargeting (Meta advertising audiences), on consent. Onward transfer to Meta Platforms, Inc. (USA) | Ireland (EU); onward USA (EU-US DPF + SCC) | facebook.com/legal/dataprocessingterms |
Notes v1.4: Brevo sub-processors highlighted with the "↳" prefix are indirect suppliers on which Brevo relies for delivering its service. The list is derived from Annex 2 of the Brevo DPA (Appendix 3 of the Brevo Terms of Service) and is subject to autonomous updating by Brevo, which undertakes to notify us of any changes; in such case, we will update this table and apply any changes at most 30 days after notification. Brevo optional sub-processors (SMS routing, AI providers, Salesforce plugin, Convrrt, Integry) are not activated on our account and therefore do not receive personal data of our users.
5. Retention periods
- Active accounts: contract duration + 30 days.
- Inactive accounts: notice after 12 months; deletion after a further 30 days.
- Access logs and application audit: 365 days (admin configurable), then automatic deletion.
- Billing data and SDI invoices: 10 years (D.P.R. 633/72).
- SIAE session token: 45 minutes (Redis TTL).
- Referral click logs: 180 days, then automatic deletion.
- Support Agent response drafts: no retention on Claude/Anthropic side; drafts remain in the IMAP mailbox until sending/manual deletion.
5bis Email log and tracking retention (NEW in v1.4)
- Email send log (email_send_log): 90 days, aligned with application audit log. Contains: user_id, campaign_id, send timestamp, aggregate delivery status (sent/bounced/spam/unsubscribed). Automatic deletion.
- Provider delivery events (email_event): 18 months for compliance audit and fraud monitoring purposes. Contains: timestamp, event type (delivered, bounce, complaint), email reference. Automatic deletion.
- Click events (email_link_event): 18 months, recorded only for users who have provided explicit consent to engagement tracking (default off for privacy-by-default). For users without consent: only anonymous aggregate (campaign + link position).
- Email consent history (email_consent_history): permanent retention pursuant to Art. 7 GDPR (burden of proof of consent). Contains: event type (opt-in/opt-out), UTC timestamp, active Privacy version, active T&C version, text of the checkbox shown, cited legal basis. Append-only, immutable, preserved even after account deletion (via email hash for RTBF).
- Campaign recipient snapshots (email_campaign_recipient): 6 months after send completion, then anonymization (user_id removal, only aggregates kept).
- Suppression list (email_suppression): permanent retention to prevent post-unsubscribe sends. Bidirectionally synchronized with Brevo.
- Email anti-fraud unsubscribe IP hash: 90 days, aligned with send log (see §2.18).
6. Extra-EU data transfers
Sub-processors based in the USA (Stripe, Google, Anthropic, Microsoft, Cloudflare, Meta, Brevo USA sub-processors such as Cloudflare, Sendinblue Inc., Zendesk, Omni) operate on the basis of Standard Contractual Clauses (SCC — EU Decision 2021/914) and, where applicable, the adequacy granted by the European Commission under the EU-US Data Privacy Framework (Adequacy Decision of 10/07/2023). In particular, the data collected by the Meta Pixel is processed by Meta Platforms Ireland Limited (Ireland, EU) and further transferred (onward transfer) to Meta Platforms, Inc. (USA), which is certified under the EU-US Data Privacy Framework; as an additional safeguard, the Standard Contractual Clauses (SCC) apply. Brevo sub-processors in India (Brevo CRM Solution) operate on the basis of SCC + additional measures documented by Brevo. ACube, Brevo SAS, Aruba, Hetzner, OVH, Plausible are EU — no additional transfer measures are required. The full Brevo DPA review is documented in docs/legal/brevo_dpa_review_notes.md and is available on request.
7. Your rights
As a data subject, you have the right to:
- Access (Art. 15): obtain a copy of the data concerning you, including email consent history and send logs (for consenting users).
- Rectification (Art. 16): correct inaccurate or incomplete data, including email communication preferences (preference center).
- Erasure (Art. 17): request the deletion of your data ("right to be forgotten"), within the limits compatible with tax obligations and with the burden of proof of consent (Art. 7 GDPR — consent history is preserved in pseudonymized form via email hash).
- Portability (Art. 20): receive data in a structured, machine-readable format.
- Objection (Art. 21): object to processing for legitimate interest, including PRODUCT_UPDATE emails via the Unsubscribe link in each email or preference center.
- Restriction (Art. 18): restrict processing in certain circumstances, including temporary suspension of email preferences.
- Withdrawal of consent (Art. 7(3)): withdraw consents granted (e.g. MARKETING, Microsoft Clarity, Meta Pixel, social publication) at any time, with the same ease with which they were granted. For the Meta Pixel, withdrawal is exercised via the "Cookie Preferences" link in the footer: upon withdrawal the pixel is stopped and the _fbp/_fbc cookies are deleted.
From the Account > Privacy section you can export all your data (Art. 20) and delete your account (Art. 17) autonomously. From the Account > Email Preferences section you can manage your communication preferences (see §9bis). For other requests, write to support@easybordero.it. We will respond within 30 days. You may also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali).
8. Cookie policy and email tracking
- Technical cookies (necessary): JWT token for authentication. Do not require consent.
- Analytical cookies (Microsoft Clarity): anonymous data on behavior. Activated only with explicit consent via banner. You can revoke consent at any time via the "Cookie Preferences" link in the footer.
- Plausible Analytics: privacy-friendly traffic analysis, no cookies. Used on the basis of legitimate interest (Art. 6(1)(f)).
- Marketing cookies and pixel (Meta Pixel) (NEW in v1.4.5): we integrate the Meta Pixel (script fbevents.js loaded from connect.facebook.net) of Meta Platforms Ireland Limited for conversion measurement (free-trial registrations) and for marketing/retargeting purposes (creation of Meta advertising audiences). The pixel sets the following first-party cookies: _fbp (pseudonymous browser identifier, lifetime ~90 days) and _fbc (click-id, set only when the fbclid parameter is present in the URL, lifetime ~90 days). Meta processes: pseudonymous identifiers (_fbp/_fbc), standard events (PageView, CompleteRegistration), the page URL, the IP address (collected by Meta), browser/device information. We do not use advanced matching: we do not transmit email, name, phone number or other direct identifying data to Meta. The pixel loads exclusively upon consent to the "marketing" category of the cookie banner (Art. 6(1)(a) GDPR) and is never loaded on pages that contain single-use tokens in the URL (password reset, email verification, Google registration completion, email unsubscribe), in order to avoid transmitting such tokens to third parties. You can withdraw consent at any time via the "Cookie Preferences" link in the footer: upon withdrawal the pixel is stopped and the _fbp/_fbc cookies are deleted. US transfer (onward to Meta Platforms, Inc.) covered by EU-US DPF + SCC (see §6).
- Brevo email tracking pixel (NEW in v1.4): Brevo (our email processor) automatically inserts a tracking pixel in emails to detect opens and clicks. On our account we have activated global anonymization: such events are aggregated but not traceable to a specific user in Brevo logs. This applies to all email categories (SYSTEM, PRODUCT_UPDATE, MARKETING).
- Custom EasyBorderò link tracker (NEW in v1.4): for PRODUCT_UPDATE and MARKETING emails only, links in the email body are rewritten to pass through a custom redirect (/api/v1/email/r/{token}). This redirect records the click in a form traceable to a specific user only if the user has provided explicit consent to engagement tracking; otherwise it records only an anonymous aggregate. The token is HMAC-signed under a key identifier (multi-kid, so that signing keys can be rotated while older links keep verifying) to prevent tampering. The presence of the redirect does not alter the final destination of the link.
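An illustration added to this page, in Python, of what an HMAC multi-kid tracker token can look like and how the redirect endpoint validates it; this is example code, not EasyBorderò's implementation, and the token layout, the keyring, the campaign link table and the function names are all assumptions. Two properties matter: the key id is bound into the MAC input so a token cannot be re-labelled under another key, and the destination is resolved server-side from (campaign, link position), so the token never carries a URL that could turn the endpoint into an open redirect. The user reference is added to the payload only with engagement-tracking consent.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed keyring: "k1" is retired and kept only so links already delivered
# keep verifying; "k2" signs new links. Real keys live in a secret store.
KEYRING: Dict[str, bytes] = {
    "k1": b"retired-key-kept-for-verification-only",
    "k2": b"current-signing-key-for-new-links",
}
CURRENT_KID = "k2"
TRACKER_PREFIX = "/api/v1/email/r/"

# Constructed campaign link table: destination looked up by (campaign, position).
CAMPAIGN_LINKS = {
    ("camp-42", 0): "https://example.org/changelog",
    ("camp-42", 1): "https://example.org/docs",
}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_link_token(payload: dict, kid: str = CURRENT_KID, keys: Dict[str, bytes] = KEYRING) -> str:
    """token = kid.body.mac with mac = HMAC-SHA256(key[kid], kid + "." + body).
    The canonical JSON body makes the signature independent of dict ordering."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(keys[kid], kid.encode("ascii") + b"." + body, hashlib.sha256).digest()
    return f"{kid}.{_b64u(body)}.{_b64u(mac)}"


def verify_link_token(token: str, keys: Dict[str, bytes] = KEYRING) -> Optional[dict]:
    """Return the payload, or None for an unknown kid, bad encoding or bad MAC.
    Any key still in the ring verifies, which is what allows rotation."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] not in keys:
        return None
    kid, body_b64, mac_b64 = parts
    try:
        body, mac = _unb64u(body_b64), _unb64u(mac_b64)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(keys[kid], kid.encode("ascii") + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return json.loads(body)


def build_tracked_link(campaign_id: str, position: int, user_id: str, engagement_consent: bool) -> str:
    """The user reference enters the token only with consent; without it the click
    can only be counted per (campaign, position)."""
    payload = {"c": campaign_id, "l": position}
    if engagement_consent:
        payload["u"] = user_id
    return TRACKER_PREFIX + sign_link_token(payload)


def resolve_redirect(path: str) -> Optional[str]:
    """What the redirect endpoint does: verify the token, then look the destination up.
    None means the endpoint should answer 4xx, never redirect to a caller-chosen URL."""
    if not path.startswith(TRACKER_PREFIX):
        return None
    payload = verify_link_token(path[len(TRACKER_PREFIX):])
    if payload is None:
        return None
    return CAMPAIGN_LINKS.get((payload.get("c"), payload.get("l")))
```

Rotation is then a two-step change: add the new key to the ring and switch `CURRENT_KID` to it, and drop the old key only after every email signed with it is older than the click retention window.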
9. Security
We adopt appropriate technical and organizational measures pursuant to Art. 32 GDPR: at-rest encryption of tax data and SIAE credentials (AES-256-GCM with key rotation), bcrypt hashing of user passwords, TLS 1.2+ for all communications, network segregation, 365-day audit log, encrypted backups to remote destinations, automatic monitoring of security anomalies, compromised password verification, rate-limiting and CAPTCHA to prevent automated attacks. (v1.4) For email communications we additionally apply: DKIM aligned with the sender domain (Aruba selector a1 and Brevo selectors brevo1/brevo2), DMARC with policy p=quarantine for anti-spoofing/phishing protection, HMAC multi-kid signed link tracker tokens for link integrity, daily monitoring of DMARC aggregate reports.
(v1.4.4) Fallback channel for service continuity: to ensure service continuity in case of transient unavailability of the primary email provider (Brevo) — limited to critical service communications only (SYSTEM and internal technical ADMIN_OPS notifications) — the system may send a technical alert to the data controller via an alternative messaging channel (Telegram FZ-LLC, United Arab Emirates — Bot API). Such alerts do not contain personal data of data subjects and are protected by the following by-design technical measures: (i) no email address, no user identifiers (user_id, Stripe customer_id, subscription identifiers), no user payload content is carried over the channel; (ii) any internal campaign identifiers (campaign_id) are truncated or pseudonymized before sending; (iii) the channel is subject to rate-limiting and dedup to prevent side-channel re-identification via temporal patterns. Telegram is therefore not a recipient of users' emails, but exclusively a technical monitoring channel directed to the controller, activated only in operational emergency scenarios. The configuration and rate-limiting / dedup mechanisms of this channel are documented in internal technical runbooks and subject to periodic review. Update reservation: should this channel in the future carry personal data — even indirectly — of data subjects, Telegram FZ-LLC will be added as a processor in §4 and this notice will be updated pursuant to Art. 14(3)(c) GDPR.
9bis Email preference center (NEW in v1.4)
From the Account > Email Preferences section (also reachable via the Manage preferences link in the footer of every PRODUCT_UPDATE or MARKETING email) you can:
- View and modify the status of your email consents per category:
- SYSTEM (transactional emails): always active, cannot be disabled (requires account deletion).
- PRODUCT_UPDATE (product updates): active by default on a legitimate interest basis, can be disabled at any time.
- MARKETING (offers and promotions): inactive by default, requires explicit opt-in.
- View the history of the last 20 emails received (visible only to those with engagement tracking consent).
- Exercise the right to object (Art. 21 GDPR) with one click — the effect is immediate and free, compliant with the RFC 8058 standard (one-click unsubscribe).
- Exercise the right to withdraw consent (Art. 7(3) GDPR) for the categories with explicit consent (MARKETING).
The history of consents (opt-in/opt-out) is kept immutably to fulfill the burden of proof of consent pursuant to Art. 7 GDPR (see §5bis).
10. Contact
Tune Mates di Olivari Marco (sole proprietorship) — VAT IT03340720212
Via Aurelio Nicolodi, 5 — 39100 Bolzano (BZ), Italy
Email: support@easybordero.it
11. Changes to this notice
In case of material changes, registered users will be informed via email with at least 14 days' notice and — where required by the nature of the change — a new explicit consent will be requested at the time of the next access to the platform.
The legally binding version of this notice is the Italian-language one. Any translations into other languages (German, English) are provided as a courtesy and do not constitute an autonomous source of informational obligation: material changes to the Italian text trigger the informational obligations of Art. 13-14 GDPR and, where the change concerns the legal bases or purposes of processing, a new expression of consent pursuant to Art. 6 and 7 GDPR. In case of discrepancy between versions, the Italian one prevails.
Change-log v1.4.4 → v1.4.5 (3 June 2026)
- Introduced the Meta Pixel (fbevents.js from connect.facebook.net) of Meta Platforms Ireland Limited for conversion measurement (free-trial registrations) and marketing/retargeting purposes. The pixel is activated exclusively upon consent to the "marketing" category of the cookie banner (Art. 6(1)(a) GDPR) and sets the first-party cookies _fbp and _fbc (lifetime ~90 days).
- Updated §2.11 (mention of the Meta Pixel on consent), §3 (Meta Pixel under Art. 6(1)(a) Consent), §7 (Meta Pixel among the withdrawable consents pursuant to Art. 7(3), with withdrawal via "Cookie Preferences") and §8 (dedicated Meta Pixel entry in place of the former "Third-party advertising cookies: not used" wording, which is no longer truthful).
- Added in §4 the sub-processor row Meta Platforms Ireland Limited (Ireland, EU) for the Meta Pixel, with onward transfer to Meta Platforms, Inc. (USA). Updated §6 with the extra-EU transfer safeguard EU-US Data Privacy Framework (Meta certified) + SCC.
- Documented the pixel's minimization and by-design measures: no advanced matching (we do not transmit email/name/phone to Meta) and exclusion of loading on pages with single-use tokens in the URL (password reset, email verification, Google registration completion, email unsubscribe).
- Material change pursuant to Articles 13-14 GDPR limited to the introduction of a new consent-based processing activity (Art. 6(1)(a)) and a new extra-EU recipient: no MARKETING email or marketing cookie is activated without the data subject's explicit opt-in.
Change-log v1.4.3 → v1.4.4 (2 June 2026)
- Reworded the operational notice at the top of the document to reflect the progressive cutover status of the Email Campaigns module: the Foundation components (SYSTEM, preference center §9bis, RFC 8058 one-click unsubscribe, EasyBorderò custom link tracker, anti-fraud unsubscribe IP hash §2.18) are operational as of 31 May 2026, while the actual sending of the PRODUCT_UPDATE and MARKETING categories remains subject to subsequent explicit enablement by the controller, with explicit notification to users at go-live.
- Added in §9 Security a paragraph dedicated to the Telegram FZ-LLC fallback channel (Bot API) used exclusively for technical operational notifications to the controller in case of unavailability of the primary email provider, with explicit declaration of by-design technical measures (no email address, no user identifier, no user payload, campaign_id truncated/pseudonymized, rate-limiting + dedup) and an update reservation pursuant to Art. 14(3)(c) GDPR should this channel in the future carry personal data, even indirectly, of data subjects.
- Non-substantive change pursuant to Art. 14(4) GDPR (informative alignment with the operational status of the system and formalization of a service-continuity measure already technically envisaged): does not affect legal bases, purposes, data categories, user-side sub-processors or data subjects' rights. No new consent or prior notification to users is required.
Change-log v1.4.2 → v1.4.3 (30 May 2026)
- Updated §1 Data Controller and §10 Contact with the controller's full legal name: Tune Mates di Olivari Marco (sole proprietorship). The previous wording "Tune Mates", while identifying the same entity, omitted the legal form and the owner's surname; the current wording complies with the transparency principle under Art. 5(1)(a) and the obligation to indicate the "identity of the data controller" under Art. 13(1)(a) GDPR.
- Added country prefix "IT" to the VAT number (IT03340720212) for consistency with the VIES representation and with all B2B documentation (SDI, e-invoices, DPA). No substantive change: it is the same Italian VAT number.
- Non-substantive amendment pursuant to Art. 14(4) GDPR (editorial clarification): does not affect legal bases, purposes, data categories, sub-processors or data subject rights. Does not entail new consent or prior notice to users.
Change-log v1.4.1 → v1.4.2 (26 May 2026)
- Updated email anti-fraud IP hash retention from 30 days to 90 days (§2.18 and §5bis). Alignment with the technical implementation of the email send log (email_send_log), which adopts a 90-day retention to remain coherent with the analysis window for delivery anomalies, bounce patterns and unsubscribe automation abuse. The pseudonymization (SHA-256 with annually rotated salt) and the inability to derive the plaintext IP remain unchanged.
Change-log v1.3 → v1.4 (25 May 2026)
- Added §2.17 Email communications and legal bases with 4 sub-sections (SYSTEM, PRODUCT_UPDATE, MARKETING, email sub-processor).
- Added §2.18 Email IP hash retention anti-fraud unsubscribe.
- Updated §3 legal basis summary with references to new email categories.
- Updated §4 Sub-processors: Brevo detail + list of Brevo indirect sub-processors (OVH, GCP, Cloudflare, Zendesk, Omni, Brevo group). Updated Aruba use (added IMAP dmarc@ and SMTP for manual emails).
- Added §5bis Email log and tracking retention.
- Updated §6 Extra-EU transfers with reference to Brevo DPA + India sub-processor.
- Updated §7 Your rights with explicit references to email preferences + consent history.
- Updated §8 Cookies with dedicated section on Brevo email tracking pixel + custom EasyBorderò link tracker.
- Updated §9 Security with email-specific DKIM/DMARC/HMAC measures.
- Added §9bis Email preference center.
- No material changes to legal bases or purposes of existing processing — the new items concern the formalization of email processing activities that were already operational (transactional) or are being extended through the new internal Email Campaigns module. Continuity of processing is guaranteed; the right to object Art. 21 GDPR is extended and made more granular through the new preference center.