Privacy Policy

Last updated: May 19, 2026 · GDPR-compliant (EU Reg. 2016/679).

1. Data Controller

Smart Solutions S.r.l.s., registered office at Via San Giovanni Bosco 40, 56127 Pisa (PI), Italy — VAT / Tax ID IT02410300509. Privacy contact: privacy@roastmy.store.

2. Categories of data processed

  • Account data: email, password (hashed), name (optional).
  • Usage data: analysed URLs, generated reports, technical logs.
  • Payment data: handled entirely by Stripe; we only store transaction identifiers and subscription status.
  • Technical data: IP address (anonymised after 30 days), user-agent, session cookies.
  • Communications: transactional emails (report ready, receipts) and — only with consent — newsletter.

3. Purposes and legal basis

Purpose                          | Legal basis (GDPR art. 6)
---------------------------------|-------------------------------------
Service delivery                 | Contract performance — art. 6(1)(b)
Invoicing and tax compliance     | Legal obligation — art. 6(1)(c)
Security, fraud prevention       | Legitimate interest — art. 6(1)(f)
Newsletter / marketing           | Consent — art. 6(1)(a)
Third-party analytics cookies    | Consent — art. 6(1)(a)

4. Retention period

  • Accounts and reports: duration of the relationship + 12 months after closure.
  • Tax records: 10 years (statutory).
  • Technical logs: max 12 months.
  • Marketing emails: until consent is withdrawn.

5. Recipients (Processors)

  • Supabase (database, auth) — EU / USA under SCCs.
  • Stripe (payments) — Ireland / USA under SCCs.
  • Cloudflare (hosting/edge) — EU / USA under SCCs.
  • AI providers (Google, OpenAI via Lovable AI Gateway) for report generation.
  • Resend / email provider for transactional emails.

6. Non-EU transfers

Some processors operate in the USA. Transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

7. Your rights

You have the right to: access (art. 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and to withdraw consent at any time. To exercise these rights: privacy@roastmy.store. You may also lodge a complaint with your national supervisory authority.

8. Automated decision-making

Reports are generated by AI models. These are automated processes that produce neither legal effects nor similarly significant effects on you: outputs are informational recommendations only. You may request an explanation of how a report was generated from the Controller.

9. Cookies

We only use strictly necessary session cookies (authentication, language). We do not use third-party profiling cookies without explicit consent. Any aggregate analytics tooling will be introduced only behind a consent banner.

10. Security

We apply appropriate technical and organisational measures: TLS for data in transit, encryption at rest, least-privilege role-based access, database-level row-level security (RLS), and access monitoring.

11. Minors

The Service is not directed to children under 16 and we do not knowingly collect their data.

12. Changes

Material changes will be notified by email or in-Service notice at least 15 days before they take effect.