Privacy Policy

Last updated: [DATE]

This privacy policy describes how [COMPANY NAME / FULL NAME] ("we", "the Controller") collects, uses, and protects the personal data of users of the Replay service (hereinafter "the Service"), accessible at [SERVICE URL].

Personal data is processed in compliance with EU Regulation 2016/679 (GDPR) and applicable Italian data protection legislation.

1. Data Controller

• Name: [COMPANY NAME / FULL NAME]
• Registered address: [ADDRESS]
• Email: [EMAIL]
• PEC: [PEC, if applicable]
• VAT number: [VAT NUMBER, if applicable]

2. Personal data collected

The Service collects the following categories of personal data:

a) Data provided by the user

• Email address — used for registration and authentication.
• Password — stored exclusively in encrypted form (BCrypt hash). We never have access to the plaintext password.

b) Data generated through use of the Service

• Uploaded files — CSV and XLSX files uploaded for comparison. Files are automatically deleted after the diff calculation; they are not permanently stored.
• Project metadata — project name, column schema, comparison results (diff JSON), counters, timestamps.

c) Technical data

• Session cookie (ReplayAuth) — required for authentication.
• System logs — IP address, browser type, request timestamps (retained for security and debugging purposes).
• Analytics data — only with prior consent, via Azure Application Insights (load times, errors, performance).

3. Purposes and legal basis

Purpose	Data processed	Legal basis
Service provision (registration, login, file comparison)	Email, password hash, files, project metadata	Performance of a contract (Art. 6.1.b GDPR)
Security and abuse prevention	System logs, IP	Legitimate interest (Art. 6.1.f GDPR)
Service analysis and improvement	Anonymous analytics data	Consent (Art. 6.1.a GDPR)
Service communications	Email	Performance of a contract (Art. 6.1.b GDPR)

4. Data retention

• User account — retained until the account is deleted by the user or until the Service ceases.
• Uploaded files — automatically deleted after diff calculation (within 24 hours of upload).
• Comparison results (diffs) — retained for the lifetime of the account.
• System logs — retained for a maximum of 90 days.

5. Data recipients

Personal data may be shared with:

• Microsoft Azure — application hosting, database and storage (EU datacenter).
• Law enforcement — only upon request from judicial authorities.

We do not sell, rent, or share your data with third parties for marketing purposes.

6. Data transfers

Data is hosted on Microsoft Azure servers located in the European Union. No transfers are made outside the European Economic Area (EEA).

7. Cookies

The Service uses the following cookies:

Cookie	Type	Purpose	Duration
ReplayAuth	Technical (essential)	User authentication	30 days
replay_cookie_consent	Technical (essential)	Cookie preference storage (localStorage)	Indefinite
ai_session / ai_user	Analytics (with consent)	Azure Application Insights — performance monitoring	30 min / 1 year

Essential technical cookies do not require consent as they are necessary for the Service to function. Analytics cookies are only activated after explicit user consent via the dedicated banner.

You can revoke analytics cookie consent at any time from the "Account" page or by clearing your browser data.

8. Your rights

Under Articles 15-22 of the GDPR, you have the right to:

• Access — obtain confirmation of processing and access your data.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — request deletion of your data.
• Restriction — restrict processing in certain cases.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise your rights, contact the Controller at: [EMAIL].

9. Right to lodge a complaint

You have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):

• Website: www.garanteprivacy.it
• Email: protocollo@gpdp.it

10. Security

We adopt appropriate technical and organizational measures to protect personal data, including:

• HTTPS encryption for all communications
• BCrypt password hashing
• HttpOnly and Secure cookie attributes
• Anti-spam protection (rate limiting)
• Automatic deletion of uploaded files after processing

11. Changes to this policy

The Controller reserves the right to modify this policy at any time. Changes will be published on this page with an updated date. Continued use of the Service after publication of changes constitutes acceptance thereof.

---

© [YEAR] [COMPANY NAME / FULL NAME] — Replay