Privacy Policy

Last updated: February 2026

This Privacy Policy explains how BlueStarSystem collects, uses, stores, and protects your personal data when you visit aura-ui.com, use our products (Aura UI Free and Aura UI Pro), or otherwise interact with our services. We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Italian data protection legislation.

By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please refrain from using our services.

1. Data Controller

The data controller responsible for your personal data is:

BLUESTARSYSTEM DI MONTICO JURI

Dorsoduro 2408/D — 30123 Venezia (VE), Italy

VAT (P.IVA): IT02342230303

Fiscal Code (CF): MNTJRU74T06E473D

Email: [email protected]

PEC: [email protected]

Phone: +39 041 2759359

2. Types of Data Collected

We collect and process the following categories of personal data, depending on how you interact with our website and services.

2.1 Account Data

When you create an account on aura-ui.com, we collect your name, email address, and a password (stored in hashed form). If you authenticate through a third-party service, we may receive your name and email from that provider.

2.2 Billing and Payment Data

When you purchase Aura UI Pro, we collect billing information necessary to process your payment and issue invoices, including your full name or company name, billing address, VAT number (if applicable), and country. Payment card details are collected and processed exclusively by our payment processor, Stripe. We do not store, access, or handle your credit card numbers or bank account details on our servers.

2.3 Usage and Analytics Data

We collect anonymized usage data through analytics services to understand how visitors interact with our website. This may include your IP address (anonymized), browser type and version, operating system, referring URL, pages visited, time spent on pages, and general geographic location (country/region level). This data is collected through cookies and similar technologies.

2.4 Technical Data

Our servers automatically log certain technical information when you visit our website, including your IP address, request timestamps, HTTP status codes, and user agent string. This data is necessary for the operation and security of our infrastructure.

2.5 Communication Data

When you contact us via email or through support channels, we collect the content of your messages, your email address, and any attachments you provide. This data is used solely to respond to your inquiry and provide support.

4. How Your Data Is Used

We use the personal data we collect for the following purposes:

  • Service delivery: Creating and managing your account, delivering license keys, providing access to Aura UI Pro downloads and updates.
  • Payment processing: Processing purchases through Stripe, generating invoices, managing refunds, and complying with tax obligations.
  • Customer support: Responding to your questions, troubleshooting issues, and communicating important service updates (such as security patches or breaking changes).
  • Analytics and improvement: Understanding how our website is used, identifying popular content, and improving the user experience.
  • Security: Detecting and preventing unauthorized access, abuse, fraud, or other harmful activities.
  • Legal compliance: Meeting our obligations under applicable law, including tax, accounting, and record-keeping requirements.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Third-Party Processors

We share your personal data only with trusted third parties who process it on our behalf, under written data processing agreements that ensure GDPR compliance. We do not sell your personal data to anyone.

5.1 Stripe

We use Stripe (Stripe, Inc.) to process payments. Stripe collects and processes your payment card details directly. Stripe acts as an independent data controller for the payment data it collects. Please refer to Stripe's Privacy Policy for details on how they handle your data.

5.2 Google Analytics

We use Google Analytics 4 (Google LLC) to collect anonymized website usage statistics. IP anonymization is enabled, meaning your full IP address is never stored by Google. Google Analytics uses cookies to distinguish unique users and sessions. Google acts as a data processor for the analytics data collected on our behalf. For more information, see Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

5.3 Hosting Provider

Our website is hosted on servers located within the European Union. The hosting provider processes technical data (such as IP addresses and server logs) on our behalf as a data processor, solely for the purpose of delivering and securing the website.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are:

  • Account data: Retained for the duration of your account. If you delete your account, your personal data will be erased within 30 days, except where retention is required by law.
  • Billing and invoice data: Retained for 10 years after the transaction, as required by Italian tax and accounting legislation (D.P.R. 600/1973 and D.P.R. 633/1972).
  • Usage and analytics data: Anonymized analytics data is retained for up to 26 months.
  • Server logs: Retained for up to 90 days for security and debugging purposes.
  • Support correspondence: Retained for up to 3 years after the last interaction, or longer if related to an active license.

When retention periods expire, your personal data will be securely deleted or anonymized.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the GDPR. These rights apply regardless of your location, though certain rights may be limited where we have an overriding legitimate interest or legal obligation.

  • Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when you object to processing. This right is subject to legal retention obligations.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
  • Right to object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

8. How to Exercise Your Rights

You can exercise any of the rights described above by contacting us through one of the following channels:

We will respond to your request within 30 days, as required by the GDPR. In complex cases, this period may be extended by an additional 60 days, in which case we will notify you of the extension and the reasons for the delay. We may ask you to verify your identity before fulfilling your request to ensure we do not disclose personal data to unauthorized persons.

9. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Italy is:

Garante per la Protezione dei Dati Personali

Piazza Venezia 11 — 00187 Roma, Italy

Website: www.garanteprivacy.it

Email: [email protected]

PEC: [email protected]

If you reside in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence.

10. Cookies

Our website uses cookies and similar tracking technologies to ensure proper functionality, analyze traffic, and enhance your experience. We use strictly necessary cookies (which do not require consent) to operate the website, and analytics cookies (which require your consent) to collect anonymized usage statistics.

For a detailed description of the cookies we use, their purposes, durations, and how to manage your cookie preferences, please refer to our Cookie Policy.

11. Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of all data in transit using TLS/HTTPS.
  • Secure hashing of passwords using modern cryptographic algorithms (bcrypt).
  • Access controls that limit data access to authorized personnel only.
  • Regular security updates and patching of server software and dependencies.
  • Automated backups with secure, encrypted storage.
  • Use of CSRF tokens and other standard web application security practices.

While we take every reasonable precaution to protect your data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we commit to promptly notifying affected users and the relevant supervisory authority in the event of a personal data breach, in accordance with Articles 33 and 34 of the GDPR.

12. International Data Transfers

Our primary servers are located in the European Union. However, some of the third-party processors we use (such as Stripe and Google) may transfer your data to servers located in the United States or other countries outside the EU/EEA.

Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses approved by the European Commission, or an adequacy decision by the European Commission. These safeguards ensure that your data receives a level of protection equivalent to that provided within the EU/EEA.

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email.

We encourage you to review this page periodically to stay informed about how we protect your personal data. Your continued use of our website and services after any changes constitutes your acceptance of the updated Privacy Policy.

This Privacy Policy is effective as of February 2026. If you have any questions or concerns, please contact us at [email protected].