Privacy Policy
Learn how Suggesto collects, uses, and protects your personal data in compliance with GDPR and Italian privacy law.
This Privacy Policy describes how Nic Software di Niccolò Banti ("Suggesto," "we," "us," or "our") collects, uses, and protects your personal information when you use our website and services (collectively, the "Service").
We are committed to protecting your privacy and ensuring transparency about our data practices in full compliance with the General Data Protection Regulation (GDPR) and Italian privacy law.
1. Company Information and Data Controller
Data Controller
For any questions about this Privacy Policy or to exercise your data protection rights, please contact us at the email address above.
2. Information We Collect
2.1 Account Information
When you create an account with Suggesto, we collect:
- Email address (required for authentication)
- Full name (optional, up to 20 characters)
- Profile picture (optional, if you use social login)
- Biography (optional, up to 500 characters)
2.2 Board and Feedback Data
When you create boards and manage feedback, we collect:
- Board information: name (3-50 characters), slug (3-20 characters), description (3-300 characters), icon image (max 1MB)
- Feedback text: up to 1,000 characters submitted by you or your users
- Feedback metadata: category (bug, idea, improvement, thank you), status (open, in progress, resolved, closed), creation date
- Voting data: upvotes and downvotes on feedback items
2.3 Technical and Usage Data
We automatically collect certain technical information to operate and secure our Service:
- IP addresses: Used temporarily for rate limiting and anti-spam protection (anonymized immediately after verification)
- Browser information: User agent, browser type and version
- Device information: Device type, operating system
- Usage data: Pages visited, features used, timestamps
2.4 Cookies and Tracking Technologies
We use the following cookies:
- Authentication cookies: Session management for logged-in users (HTTP-only, secure)
- Fingerprint cookie (suggesto_fp): Anonymous identifier for voting system (1 year duration, HTTP-only)
- Preference cookies: Store your theme preference (light/dark mode) and language selection
✓ We do NOT use analytics cookies, advertising cookies, or third-party tracking pixels without your explicit consent.
2.5 Payment Information
When you upgrade to the Pro plan, payment processing is handled entirely by our payment processor, Polar. We do NOT store your credit card information, billing address, or other payment details on our servers. Polar is PCI-DSS compliant and handles all payment data securely.
We only receive and store: your email address associated with the payment, payment status (successful/failed), and transaction ID for record-keeping purposes.
2.6 Social Login Data
If you choose to authenticate using social login providers (GitHub, Google, etc.), we receive:
- Email address
- Name (if publicly available)
- Profile picture (if publicly available)
We do NOT access any other data from your social media accounts. You can revoke Suggesto's access at any time through your social media account settings.
3. How We Use Your Information
We use your personal data for the following purposes, based on the legal grounds specified:
3.1 Service Delivery (Legal Basis: Contract - GDPR Art. 6(1)(b))
- Create and manage your user account
- Provide access to feedback boards and widget functionality
- Process and display feedback submissions
- Enable voting on feedback items
- Send magic-link authentication emails
3.2 Security and Anti-Spam (Legal Basis: Legitimate Interest - GDPR Art. 6(1)(f))
- Prevent spam, abuse, and fraudulent activities
- Implement rate limiting (max 1 feedback per 10 minutes per IP)
- Detect and prevent security threats
- Maintain the integrity and availability of our Service
3.3 Communication (Legal Basis: Contract or Consent)
- Transactional emails (Contract): Magic-link authentication, password reset, account changes, payment confirmations
- Service updates (Contract): Important changes to our Service or Terms
- Pro plan notifications (Consent): New comments on your feedback (opt-in required, Pro feature only)
3.4 Legal Obligations (Legal Basis: Legal Obligation - GDPR Art. 6(1)(c))
- Comply with applicable laws and regulations
- Retain financial records for tax purposes (7 years as required by Italian law)
- Respond to lawful requests from authorities
3.5 Service Improvement (Legal Basis: Legitimate Interest)
- Analyze usage patterns to improve features
- Fix bugs and technical issues
- Develop new features based on feedback
We process data using aggregated and anonymized information whenever possible. De-identified data cannot be linked back to you and is not considered personal data under GDPR.
5. Data Retention
We retain your personal data for different periods depending on the type of data and purpose:
| Data Type | Retention Period | 
|---|---|
| Active account data | Retained while your account is active | 
| Inactive accounts | 3 years of inactivity, then deleted (with 6-month advance email notice) | 
| Deleted accounts | 30 days grace period, then permanently deleted | 
| Public feedback (after account deletion) | Anonymized and retained up to 5 years for community value | 
| Votes | Deleted with account or feedback item | 
| IP addresses (rate limiting) | 10 minutes, then anonymized | 
| Security logs | 90 days | 
| Transactional emails | 90 days | 
| Payment records (Pro plan) | 7 years (required by Italian tax law) | 
| Database backups | 30 days (deleted data removed from backups) | 
When your account is deleted, we remove all personal data within 30 days, including from backups. Public feedback you created will be anonymized (your name and email removed, but content preserved for community benefit).
6. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
6.1 Right of Access (Art. 15 GDPR)
You can request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format (JSON or CSV) within 30 days.
6.2 Right to Rectification (Art. 16 GDPR)
You can update or correct inaccurate personal data through your account settings. If you cannot update the information yourself, contact us for assistance.
6.3 Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)
You can request deletion of your personal data by deleting your account through the dashboard. We will permanently delete your data within 30 days, except where we have a legal obligation to retain certain records (e.g., financial records for 7 years).
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request that we temporarily suspend processing of your personal data in certain circumstances (e.g., while we verify the accuracy of disputed data).
6.5 Right to Data Portability (Art. 20 GDPR)
You can export your data (account information, boards, feedback) in JSON or CSV format through your account settings. This allows you to transfer your data to another service.
6.6 Right to Object (Art. 21 GDPR)
You can object to data processing based on legitimate interests (e.g., security measures, service improvements). We will cease processing unless we have compelling legitimate grounds that override your interests.
6.7 Right to Withdraw Consent
Where we process data based on your consent (e.g., email notifications), you can withdraw consent at any time by updating your preferences in account settings or clicking "unsubscribe" in emails.
6.8 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority:
- Italy: Garante per la Protezione dei Dati Personali
  - Website: www.garanteprivacy.it
  - Email: garante@gpdp.it
How to Exercise Your Rights
To exercise any of these rights, please contact us at suggestohq@gmail.com with your request. We will respond within 30 days (may be extended to 60 days for complex requests, with notification).
To verify your identity, we may ask you to confirm your email address or provide additional information before fulfilling your request.
7. Security Measures
We implement industry-standard security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS protocols
- Encryption at Rest: Database and file storage are encrypted
- Row-Level Security (RLS): Database access controls ensure users can only access their own data
- HTTP-only Cookies: Authentication cookies are marked HTTP-only and secure to prevent client-side access
- Rate Limiting: Protection against brute force attacks and spam (max 1 feedback per 10 minutes, max 100 votes per hour)
- Regular Backups: Daily automated backups with 30-day retention
- Access Controls: Strict internal access policies following the principle of least privilege
- Security Monitoring: Automated monitoring for suspicious activities and vulnerabilities
While we strive to protect your data using best practices, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
Your Responsibility
You are responsible for:
- Keeping your email account secure (magic-link authentication relies on email security)
- Not sharing magic-links with others
- Logging out from shared devices
- Reporting any suspected unauthorized access immediately
8. Children's Privacy
Suggesto is intended for users who are at least 16 years old. In accordance with GDPR requirements:
- We do NOT knowingly collect personal data from children under 13 years of age
- Users between 13 and 15 years old may use the Service only with verifiable parental or guardian consent
- Users 16 years and older can use the Service without parental consent
If we discover that we have inadvertently collected personal data from a child under 13 without proper consent, we will delete that information immediately.
Parents and Guardians: If you believe your child has provided personal information to Suggesto without your consent, please contact us at suggestohq@gmail.com, and we will promptly delete the information.
9. Public Boards and User-Generated Content
9.1 Public Nature of Feedback
⚠️ Important: Feedback boards on Suggesto are publicly accessible. Any feedback you or your users submit will be visible to anyone who visits the board URL.
When submitting feedback:
- Do NOT include personal, sensitive, or confidential information (Social Security numbers, payment details, health information, etc.)
- Assume that anything you post can be seen by the public
- Be aware that even deleted feedback may have been viewed or copied by others before deletion
9.2 Voting Privacy
Your individual votes (upvotes/downvotes) are NOT publicly visible. Only the aggregated vote count is displayed. However, you can see your own voting history in your account dashboard.
9.3 Account Deletion and Feedback
When you delete your account:
- Your feedback will be anonymized (your name and email removed)
- The feedback text will remain visible to preserve community value
- If you want specific feedback deleted before anonymization, please delete it manually before closing your account
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes:
- We will update the "Last Updated" date at the top of this page
- We will notify you via email at least 30 days before the changes take effect
- We will display a prominent notice in your dashboard
- You will have the option to review and accept the new policy, or delete your account if you disagree
Continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Nic Software di Niccolò Banti
Attn: Privacy Team / Niccolò Banti (Data Controller)
Piazza Amilcare Donnini 45
50054 Fucecchio FI, Italy
Email: suggestohq@gmail.com
We will respond to all legitimate requests within 30 days (or 60 days for complex requests, with notification).
13. Additional Resources
For more information about your privacy rights and data protection:
- European Data Protection Board: edpb.europa.eu
- Italian Data Protection Authority (Garante): www.garanteprivacy.it
- GDPR Official Text: gdpr-info.eu
This Privacy Policy was last updated on October 15, 2025 and is effective immediately.